Commit d31e7853 authored by Tom Atkins

Merge branch 'docs-letsencrypt-troubleshooting-update' into 'master'

Update troubleshooting to check CAA allows Let's Encrypt

See merge request gitlab-org/omnibus-gitlab!3598
parents 134bf962 6cca35ee
@@ -246,14 +246,24 @@ Where HOSTNAME is the hostname of the certificate.
 
### **Let's Encrypt** fails on reconfigure
 
Let's Encrypt may fail if your server isn't able to reach the Let's Encrypt verification servers or vice versa:
There are two common scenarios under which Let's Encrypt may fail on reconfigure:
 
```
1. Let's Encrypt may fail if your server isn't able to reach the Let's Encrypt verification servers or vice versa:
```sh
letsencrypt_certificate[gitlab.domain.com] (letsencrypt::http_authorization line 3) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: RuntimeError: [gitlab.domain.com] Validation failed for domain gitlab.domain.com
```
 
If you run into issues reconfiguring GitLab due to Let's Encrypt [make sure you have ports 80 and 443 open and accessible](#lets-encrypt-integration).
 
1. Your domain's Certification Authority Authorization (CAA) record does not allow Let's Encrypt to issue a certificate for your domain. Look for the following error in the reconfigure output:
```sh
letsencrypt_certificate[gitlab.domain.net] (letsencrypt::http_authorization line 5) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: RuntimeError: ruby_block[create certificate for gitlab.domain.net] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb line 108) had an error: RuntimeError: [gitlab.domain.com] Validation failed, unable to request certificate
```
You can test your domain using [Let's Debug](https://letsdebug.net/), a diagnostic tool to help you figure out why you can't issue a Let's Encrypt certificate.
## Details on how GitLab and SSL work
 
GitLab-Omnibus includes its own library of OpenSSL and links all compiled
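
Review bot: In both new list items the fenced error output and the follow-up paragraphs ("If you run into issues reconfiguring GitLab ..." and "You can test your domain using ...") start at column 0 as shown, so Markdown ends the list after each `1.` line and the CAA scenario will not render as item 2; indent the fences and those paragraphs under their list item. The Let's Debug sentence also runs straight into `## Details on how GitLab and SSL work` with no blank line before the heading. In the CAA sample output the resource is `gitlab.domain.net` but the final message reads `[gitlab.domain.com] Validation failed, unable to request certificate`; use one hostname throughout so readers can match it against their own reconfigure output. The fences are tagged `sh` although they hold error output rather than shell commands. Since this item is about the CAA record, consider also telling the reader how to inspect the record directly (for example, a CAA lookup with `dig`) in addition to pointing at Let's Debug.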