Let's Encrypt challenges fail with current nginx config
I was not able to get a Let's Encrypt certificate for my registry domain, unless I changed some files manually.
nginx/conf/gitlab-http.conf
--- gh.conf 2017-04-12 19:01:16.541566127 +0200
+++ gh-mod.conf 2017-04-12 18:59:43.034865612 +0200
@@ -37,11 +37,12 @@
## Redirects all HTTP traffic to the HTTPS host
server {
listen *:80;
server_name gitlab.me;
server_tokens off; ## Don't show the nginx version number, a security best practice
- return 301 https://gitlab.me:443$request_uri;
+ location ^~ /.well-known { alias /srv/www/.certbot/.well-known; }
+ location / { return 301 https://gitlab.me:443$request_uri; }
access_log /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
error_log /var/log/gitlab/nginx/gitlab_error.log;
}
server {
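Review bot: the new `location ^~ /.well-known` block serves the whole `/srv/www/.certbot/.well-known` tree over plain HTTP, while http-01 validation only ever requests `/.well-known/acme-challenge/<token>`; narrowing it to `location ^~ /.well-known/acme-challenge/ { root /srv/www/.certbot; }` limits what is exposed and drops the `alias`, whose target here merely repeats the request prefix. The `^~` modifier is the right choice, since it stops any later regex location from capturing the challenge path, and the `location /` fallback keeps the original 301 for all other HTTP traffic.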
nginx/conf/gitlab-registry.conf
--- gr.conf 2017-04-12 19:01:12.961462557 +0200
+++ gr-mod.conf 2017-04-12 18:59:55.115213642 +0200
@@ -12,11 +12,12 @@
## Redirects all HTTP traffic to the HTTPS host
server {
listen *:80;
server_name registry.gitlab.me;
server_tokens off; ## Don't show the nginx version number, a security best practice
- return 301 https://$http_host:$request_uri;
+ location ^~ /.well-known { alias /srv/www/.certbot/.well-known; }
+ location / { return 301 https://$http_host:$request_uri; }
access_log /var/log/gitlab/nginx/gitlab_registry_access.log gitlab_access;
error_log /var/log/gitlab/nginx/gitlab_registry_error.log;
}
server {
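Review bot: the redirect carried over onto the `+ location /` line, `https://$http_host:$request_uri`, leaves a literal `:` with no port between host and path (for example `https://registry.gitlab.me:/v2/`), because `$http_host` already includes any port from the Host header and `$request_uri` starts with `/`; `return 301 https://$http_host$request_uri;` is the intended form. As with the gitlab-http block, the challenge location can be tightened to `location ^~ /.well-known/acme-challenge/ { root /srv/www/.certbot; }` so only the acme-challenge directory is served.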
Certbot uses /srv/www/.certbot as its webroot path. You do not have to add anything to the 'custom_gitlab_server_config' config variables, because those are only included in the https server blocks, which http-01 challenges never reach with my configuration patches above.
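A pre-flight check for the webroot mapping described above, added here as an example and not part of the original issue or of GitLab: it stages a token file where `certbot --webroot` would place one and fetches it over plain HTTP without following redirects, which is what the CA's validator does. The webroot `/srv/www/.certbot` and the hostnames come from the patches; `stage_token`, `token_path` and `probe_token` are names chosen for this script.

```shell
#!/bin/sh
# Added example: verifies the nginx mapping from the patches, i.e. that
#   location ^~ /.well-known { alias /srv/www/.certbot/.well-known; }
# serves $WEBROOT/.well-known/acme-challenge/<token> on port 80 with a 200,
# instead of the 301 to https that the unpatched config returns.
WEBROOT="${WEBROOT:-/srv/www/.certbot}"

# Path of the file certbot writes and nginx must serve for a given token.
token_path() {
    printf '%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Create a throwaway token file in the webroot, as certbot --webroot would.
# Prints the token name; the file body is the token itself.
stage_token() {
    webroot="$1"
    token="precheck-$(date +%s)-$$"
    mkdir -p "$webroot/.well-known/acme-challenge" || return 1
    printf '%s' "$token" > "$(token_path "$webroot" "$token")" || return 1
    printf '%s' "$token"
}

# Fetch the token the way the validator does: http://, port 80, redirects
# not followed (curl never follows without -L). Returns 0 only on HTTP 200
# with the token as the body, so a 301 from the old config fails the check.
probe_token() {
    host="$1"; token="$2"
    tmp="$(mktemp)" || return 1
    code="$(curl -s -o "$tmp" -w '%{http_code}' \
        "http://$host/.well-known/acme-challenge/$token")"
    status=1
    [ "$code" = "200" ] && [ "$(cat "$tmp")" = "$token" ] && status=0
    rm -f "$tmp"
    return $status
}

# Usage against a running, patched nginx (needs write access to $WEBROOT):
#   t=$(stage_token "$WEBROOT") && probe_token registry.gitlab.me "$t" \
#       && echo "http-01 path reachable"
```

Run it for each hostname in the patches (gitlab.me and registry.gitlab.me) before invoking certbot; a failure with code 301 means the request is still hitting the redirect rather than the challenge location.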
One has to convert these patches to gitlab.rb and all nginx templates.
GitLab-Package: gitlab-ce / 9.0.5-ce.0