Getting error 403 when trying to set up domain for Gitlab

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: git.as202454.net

I ran this command: gitlab-ctl reconfigure

It produced this output:

There was an error running gitlab-ctl reconfigure:

letsencrypt_certificate[git.as202454.net] (letsencrypt::http_authorization line 6) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 41) had an error: RuntimeError: ruby_block[create certificate for git.as202454.net] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb line 108) had an error: RuntimeError: [git.as202454.net] Validation failed, unable to request certificate, Errors: [{url: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2355526914/98c3QA, status: invalid, error: {"type"=>"urn:ietf:params:acme:error:unauthorized", "detail"=>"193.28.39.194: Invalid response from http://git.as202454.net/.well-known/acme-challenge/2Ve4JSSU3xorI8ct4ZcCyouUb7if-hd76FJD4NkjF5Y: 400", "status"=>403}} ]

My web server is (include version): nginx

The operating system my web server runs on is (include version): Debian 11

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A

The 403 is coming from your gitlab instance, so it isn't answering the challenge properly.

It looks like when I try to connect to http://git.as202454.net/.well-known/acme-challenge/2Ve4JSSU3xorI8ct4ZcCyouUb7if-hd76FJD4NkjF5Y that your nginx is configured to listen for HTTPS on the HTTP port, which won't work. That suggests to me something is wrong with the nginx configuration.

I see there's a long thread over on the Gitlab forum with various suggestions that may also be of help: LetsEncrypt certificates fail in domain validation - #9 by julhub - Tutorials - GitLab Forum

5 Likes
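To make the failure above easier to read, here is an added Python example (not code from the original post, GitLab or Let's Encrypt). It parses the `Errors: [...]` record that `gitlab-ctl reconfigure` prints, separating the ACME problem status from the HTTP status the validation server actually received from the host, and classifies what a local probe of the challenge URL returns. The nginx "plain HTTP request was sent to HTTPS port" marker and the diagnosis labels are my own assumptions; the sample error string is the one quoted in the post.

```python
import re
import urllib.request
import urllib.error

# Constructed sample: the challenge record from the post above (Ruby hash syntax, not JSON).
SAMPLE_ERROR = (
    '{url: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2355526914/98c3QA, '
    'status: invalid, error: {"type"=>"urn:ietf:params:acme:error:unauthorized", '
    '"detail"=>"193.28.39.194: Invalid response from '
    'http://git.as202454.net/.well-known/acme-challenge/'
    '2Ve4JSSU3xorI8ct4ZcCyouUb7if-hd76FJD4NkjF5Y: 400", "status"=>403}}'
)

# Pull the interesting fields out of the Ruby-hash style dump.
ACME_ERROR_RE = re.compile(
    r'url: (?P<challenge_url>\S+),.*?"type"=>"(?P<type>[^"]+)".*?'
    r'"detail"=>"(?P<detail>[^"]*)".*?"status"=>(?P<status>\d+)',
    re.S,
)
# The detail string names the address the validator connected to, the URL it fetched,
# and the HTTP status that host answered with.
DETAIL_RE = re.compile(r'^(?P<ip>\S+): Invalid response from (?P<url>\S+): (?P<http>\d+)$')

# Body text nginx returns when a TLS-only listener receives a plaintext request (assumption:
# this is the stock nginx 400 page, which is what a misconfigured port 80 produces).
NGINX_PLAIN_HTTP_MARKER = "The plain HTTP request was sent to HTTPS port"


def parse_acme_error(text: str) -> dict:
    """Return the validator's view of the failed HTTP-01 challenge."""
    m = ACME_ERROR_RE.search(text)
    if not m:
        raise ValueError("no ACME error record found")
    d = DETAIL_RE.match(m.group("detail"))
    if not d:
        raise ValueError("unrecognised detail format: %r" % m.group("detail"))
    return {
        "challenge_url": m.group("challenge_url"),
        "type": m.group("type"),
        "acme_status": int(m.group("status")),   # status of the ACME problem document
        "observed_ip": d.group("ip"),            # address the validator resolved the name to
        "url": d.group("url"),                   # challenge URL it fetched
        "http_status": int(d.group("http")),     # what the host answered on port 80
    }


def diagnose(http_status: int, body: str) -> str:
    """Classify what a probe of the challenge URL returned (labels are this example's own)."""
    if http_status == 200:
        return "ok"                      # still verify the body is the expected key authorization
    if http_status == 400 and NGINX_PLAIN_HTTP_MARKER in body:
        return "tls_listener_on_port_80"  # nginx is speaking TLS on the HTTP port
    if http_status in (301, 302, 307, 308):
        return "redirect"                # Let's Encrypt follows redirects; check the target
    if http_status == 403:
        return "forbidden"
    if http_status == 404:
        return "not_found"
    return "unexpected"


def probe(url: str, timeout: float = 10.0) -> tuple:
    """Fetch the challenge URL the way the validator does and return (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    info = parse_acme_error(SAMPLE_ERROR)
    print("validator connected to %s and got HTTP %d from %s"
          % (info["observed_ip"], info["http_status"], info["url"]))
    status, body = probe(info["url"])   # requires network; compare with the validator's view
    print("local probe:", status, diagnose(status, body))
```

Two things worth comparing when you run it: the `observed_ip` should be the address your DNS A record points at (otherwise the validator is reaching a different box), and the local diagnosis should match the status in the error; a `400` carrying the nginx marker is the "HTTPS on the HTTP port" case the answer above describes.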

Thanks, that seems to have helped get rid of the original issue, but now I am getting a "Secure Connection Failed" error in Firefox, with the error code SEC_ERROR_REUSED_ISSUER_AND_SERIAL.
I have also now tried in Edge, where I can get past the warning, but it still warns about an unsecured connection. Would this be related to the cert, or could this be more of a Gitlab issue?

1 Like

That doesn't make any sense.

Ok, it's just Firefox being Firefox. You're using a self-signed certificate, and without even randomising the serial number.

1 Like
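Firefox raises SEC_ERROR_REUSED_ISSUER_AND_SERIAL when it has already cached a certificate with the same issuer and serial number but different contents, which is exactly what a regenerated self-signed certificate with a fixed serial produces. The added Python example below (my own, not from the original thread or GitLab) extracts the issuer and serial from a certificate's DER encoding with a small ASN.1 walker, flags the collision, and shows a serial generator that fits the RFC 5280 limit of 20 octets. The certificate-shaped DER structures built here are constructed stand-ins with the real field layout but no real keys or signatures.

```python
import os


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    # Extra byte of headroom keeps the encoding positive when the top bit is set.
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), UTF8String }."""
    attr = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, common_name.encode()))
    return der(0x30, der(0x31, attr))


def make_cert(issuer_cn: str, serial: int, subject_cn: str, key_bytes: bytes) -> bytes:
    """Constructed certificate-shaped DER (assumption: layout only, not a valid X.509 cert)."""
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der_integer(2)) + der_integer(serial) + sha256_rsa
              + der_name(issuer_cn) + validity + der_name(subject_cn) + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00sig"))


def _read_tlv(buf: bytes, pos: int):
    """Read one tag/length/value; return (tag, content, position after it)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def issuer_and_serial(cert_der: bytes) -> tuple:
    """Return (issuer Name DER, serial) from a DER certificate; works on real certs too."""
    _, cert, _ = _read_tlv(cert_der, 0)          # Certificate
    _, tbs, _ = _read_tlv(cert, 0)               # TBSCertificate
    tag, content, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                              # optional [0] EXPLICIT version
        tag, content, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(content, "big", signed=True)
    _, _, pos = _read_tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, issuer, _ = _read_tlv(tbs, pos)           # issuer Name (kept as raw DER for comparison)
    return der(0x30, issuer), serial


def reused_issuer_and_serial(certs) -> list:
    """Serials shared by *different* certificates from the same issuer (Firefox's complaint)."""
    seen = {}
    for c in certs:
        seen.setdefault(issuer_and_serial(c), set()).add(c)
    return sorted(serial for (_, serial), group in seen.items() if len(group) > 1)


def random_serial() -> int:
    """Positive random serial of at most 20 octets (159 bits), as RFC 5280 requires."""
    return int.from_bytes(os.urandom(20), "big") >> 1


if __name__ == "__main__":
    cached = make_cert("gitlab", 1, "git.example", b"key-one")
    regenerated = make_cert("gitlab", 1, "git.example", b"key-two")   # same serial, new key
    print("conflicting serials:", reused_issuer_and_serial([cached, regenerated]))
    fixed = make_cert("gitlab", random_serial(), "git.example", b"key-two")
    print("after randomising:", reused_issuer_and_serial([cached, fixed]))
```

Re-sending an identical certificate is fine; only a different certificate under the same issuer and serial trips the check, so a randomised serial on each regeneration is what avoids the error.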