Getting Gitlab on Apache to certify leads to unauthorized error: why?

I am trying to get a Gitlab installation using the existing Apache server to play nicely with Certbot, but all I am getting is this error – glad and grateful about any leads!

My domain is: greta.youthpolicylabs.org

I ran this command: certbot certonly --agree-tos --email nerds@youthpolicylabs.org --webroot -w /var/lib/letsencrypt/ -d greta.youthpolicylabs.org

It produced this output: Failed authorization procedure. greta.youthpolicylabs.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization.

Detail: Invalid response from
http://greta.youthpolicylabs.org/users/sign_in [80.151.253.80]:
"<!DOCTYPE html>\n<html class="devise-layout-html">\n<head
prefix="og: http://ogp.me/ns#">\n<meta charset="utf-8">\n<meta
content="IE"

My web server is (include version): Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version): Debian Stretch 9.8

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site: no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

Hi @nonformality

checking your domain there is a wrong redirect ( https://check-your-website.server-daten.de/?q=greta.youthpolicylabs.org ):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://greta.youthpolicylabs.org/<br>80.151.253.80 | 302 | http://greta.youthpolicylabs.org/users/sign_in | 0.103 | D |
| http://greta.youthpolicylabs.org/users/sign_in | 200 | | 0.156 | H |
| https://greta.youthpolicylabs.org/<br>80.151.253.80<br>Certificate error: RemoteCertificateNameMismatch | 200 | | 3.103 | N |
| http://greta.youthpolicylabs.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de<br>80.151.253.80<br>Visible Content: You are being redirected. | 302 | http://greta.youthpolicylabs.org/users/sign_in | 0.117 | D |

If you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, and Letsencrypt checks that file.

But checking such a file there is a redirect to http://greta.youthpolicylabs.org/users/sign_in. There is no validation file.

So check your configuration to remove that redirect, if /.well-known/acme-challenge is used.
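
A preflight check for the situation described above, as an added example that is not part of the original posts: it writes a probe file under the `--webroot` directory and requests it over plain HTTP without following redirects, which makes a catch-all application redirect such as the one to /users/sign_in visible before Certbot is run. The function name, verdict strings and probe file naming are assumptions of this example.

```python
import http.client
import os
import secrets
import sys
from urllib.parse import urlsplit

CHALLENGE_DIR = ".well-known/acme-challenge"  # path used by http-01


def preflight(base_url, webroot, timeout=5.0):
    """Drop a probe file under webroot and fetch it over plain HTTP.

    Returns (verdict, detail). Redirects are reported, not followed, so a
    catch-all application redirect (as in this thread) is visible.
    """
    name = "preflight-" + secrets.token_hex(8)   # constructed probe name
    body = secrets.token_hex(16)                 # constructed probe content
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    probe = os.path.join(directory, name)
    with open(probe, "w") as fh:
        fh.write(body)
    url_path = f"/{CHALLENGE_DIR}/{name}"
    try:
        target = urlsplit(base_url)
        conn = http.client.HTTPConnection(target.hostname, target.port or 80,
                                          timeout=timeout)
        try:
            conn.request("GET", url_path)
            resp = conn.getresponse()
            status = resp.status
            location = resp.getheader("Location") or ""
            data = resp.read(4096).decode("utf-8", "replace")
        finally:
            conn.close()
    finally:
        os.remove(probe)  # never leave probe files behind
    if 300 <= status < 400:
        if urlsplit(location).path == url_path:
            return "redirected-same-path", f"{status} -> {location}"
        return "redirected-away", f"{status} -> {location} (challenge path lost)"
    if status == 200 and data.strip() == body:
        return "served", "probe file returned unchanged from the webroot"
    return "not-served", f"HTTP {status}, body is not the probe content"


if __name__ == "__main__" and len(sys.argv) == 3:
    print(*preflight(sys.argv[1], sys.argv[2]))
```

Run it with the site's http:// base URL and the webroot passed to `-w`; only the `served` verdict means the webroot is what answers requests for the challenge path.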

Hi @JuergenAuer,

I don’t think that redirect can be removed – this is baked into Gitlab, and exactly my problem :slight_smile: Is there a recommended way to add an exception for certbot to the vhost file, for example?

The apache plugin (as in certbot --apache) should create a temporary exception automatically - is there a reason you’re using --webroot instead?

Duuuh. There was trouble with the apache plugin in Debian for such a long time, I hadn’t bothered to check whether that was now resolved. Thanks for the pointer: worked like a charm on first attempt :sunglasses: Supercool! Much appreciated.
