Getting Gitlab on Apache to certify leads to unauthorized error: why?

I am trying to get a Gitlab installation using the existing Apache server to play nicely with Certbot, but all I am getting is this error – glad and grateful about any leads!

My domain is:

I ran this command: certbot certonly --agree-tos --email --webroot -w /var/lib/letsencrypt/ -d

It produced this output: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization.

Detail: Invalid response from []:
"<!DOCTYPE html>\n<html class="devise-layout-html">\n<head prefix="og:">\n<meta charset="utf-8">\n<meta

My web server is (include version): Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version): Debian Stretch 9.8

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site: no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

Hi @nonformality

checking your domain there is a wrong redirect ( ):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| | 302 | | 0.103 | D |
| | 200 | | 0.156 | H |
| | 200 | | 3.103 | N (Certificate error: RemoteCertificateNameMismatch) |
| | 302 | | 0.117 | D (Visible Content: You are being redirected.) |

If you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, and Let's Encrypt checks that file.

But checking such a file there is a redirect to There is no validation file.

So check your configuration to remove that redirect, if /.well-known/acme-challenge is used.

Hi @JuergenAuer,

I don’t think that redirect can be removed – this is baked into Gitlab, and exactly my problem :slight_smile: Is there a recommended way to add an exception for certbot to the vhost file, for example?

The apache plugin (as in certbot --apache) should create a temporary exception automatically - is there a reason you’re using --webroot instead?

Duuuh. There was trouble with the apache plugin in Debian for such a long time, I hadn’t bothered to check whether that was now resolved. Thanks for the pointer: worked like a charm on first attempt :sunglasses: Supercool! Much appreciated.
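
For reference, the kind of vhost exception asked about above, for setups that stay on --webroot: an added example, not taken from any post in this thread or from GitLab's or Certbot's own configuration. The hostname gitlab.example.com and the backend address 127.0.0.1:8181 are placeholders, and it assumes Apache proxies to GitLab with ProxyPass; the webroot is the one from the certbot command in the question.

```apache
# Constructed example. gitlab.example.com and 127.0.0.1:8181 are placeholders.
<VirtualHost *:80>
    ServerName gitlab.example.com

    # certbot --webroot -w /var/lib/letsencrypt/ writes each http-01 token to
    # /var/lib/letsencrypt/.well-known/acme-challenge/<token>.
    # Map only that sub-path to the filesystem, nothing else under the webroot.
    Alias /.well-known/acme-challenge/ /var/lib/letsencrypt/.well-known/acme-challenge/

    <Directory "/var/lib/letsencrypt/.well-known/acme-challenge/">
        # Static token files only: no listings, no .htaccess overrides.
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Keep the challenge path away from GitLab, which would answer it with a
    # 302 to its sign-in page. The "!" exclusion has to come before the
    # general ProxyPass rule, because the first matching rule wins.
    ProxyPass /.well-known/acme-challenge/ !

    # Everything else goes to GitLab as before.
    # (If the proxying is done with RewriteRule ... [P] instead, the same
    # path needs an equivalent RewriteCond exclusion on that rule.)
    ProxyPass / http://127.0.0.1:8181/
    ProxyPassReverse / http://127.0.0.1:8181/
</VirtualHost>
```

After reloading Apache, a request for a test file placed in the challenge directory should return 200 with the file's content rather than GitLab's redirect.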

