After making a change to a GitLab configuration file, I ran the gitlab-ctl reconfigure command and got this error:
================================================================================
Error executing action `create` on resource 'letsencrypt_certificate[git.example.com]'
================================================================================

Acme::Client::Error::AccountDoesNotExist
----------------------------------------
acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 41) had an error: Acme::Client::Error::AccountDoesNotExist: No account exists with the provided key

Cookbook Trace:
---------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:58:in `acme_order_certs_for'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb:89:in `block in class_from_file'

Resource Declaration:
---------------------
# In /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb

  6: letsencrypt_certificate site do
  7:   crt node['gitlab']['nginx']['ssl_certificate']
  8:   key node['gitlab']['nginx']['ssl_certificate_key']
  9:   notifies :run, "execute[reload nginx]", :immediate
 10:   notifies :run, 'ruby_block[display_le_message]'
 11:   only_if { omnibus_helper.service_up?('nginx') }
 12: end

Compiled Resource:
------------------
# Declared in /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb:6:in `from_file'

letsencrypt_certificate("git.example.com") do
  action [:create]
  updated true
  updated_by_last_action true
  default_guard_interpreter :default
  declared_type :letsencrypt_certificate
  cookbook_name "letsencrypt"
  recipe_name "http_authorization"
  crt "/etc/gitlab/ssl/git.example.com.crt"
  key "/etc/gitlab/ssl/git.example.com.key"
  cn "git.example.com"
  only_if { #code block }
end

System Info:
------------
chef_version=15.17.4
platform=debian
platform_version=11
ruby=ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [x86_64-linux]
program_name=/opt/gitlab/embedded/bin/chef-client
executable=/opt/gitlab/embedded/bin/chef-client
GitLab is managing the SSL certificates from Let's Encrypt using ACME in this case. Checking the existing certificate, I could see that it was working up until recently, so it seems to have broken for me in the past few days for some reason.
To fix the problem, the ACME account key can be regenerated. The account key is located at /etc/acme/account_private_key.pem by default (for the Omnibus install). Simply rename this file and then re-run the GitLab reconfigure command:
sudo mv /etc/acme/account_private_key.pem /etc/acme/account_private_key.pem.backup
sudo gitlab-ctl reconfigure
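
The same fix as a small script, added here as an example and not part of the original post: it gives each backup a timestamped name so a repeat of the fix does not overwrite an earlier saved key, and keeps the backup readable by its owner only, since it is still a private key. The ACME_KEY and RECONFIGURE_CMD override variables, the function names and the --run switch are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original post. ACME_KEY and RECONFIGURE_CMD are
# assumed override variables so the functions can be exercised on a test file.
ACME_KEY="${ACME_KEY:-/etc/acme/account_private_key.pem}"    # Omnibus default per the post
RECONFIGURE_CMD="${RECONFIGURE_CMD:-gitlab-ctl reconfigure}"

# Move the account key aside and print the backup path.
rotate_acme_account_key() {
    key="$1"
    if [ ! -f "$key" ]; then
        echo "no account key at $key, nothing to move" >&2
        return 1
    fi
    # Timestamped name: a fixed ".backup" suffix would be overwritten by mv
    # the next time the fix is applied, losing the earlier key.
    stamp=$(date +%Y%m%d%H%M%S)
    backup="$key.backup.$stamp"
    n=0
    while [ -e "$backup" ]; do      # rerun within the same second: add a counter
        n=$((n + 1))
        backup="$key.backup.$stamp.$n"
    done
    # The backup is still a private key: owner read/write only.
    chmod 600 "$key" || return 1
    mv -- "$key" "$backup" || return 1
    echo "$backup"
}

# Rotate the key, then re-run reconfigure as the post describes.
regenerate_acme_account() {
    saved=$(rotate_acme_account_key "$ACME_KEY") || return 1
    echo "old account key kept at $saved" >&2
    $RECONFIGURE_CMD                # word-split on purpose: command plus arguments
}

# Run as root with: sh this_script.sh --run   (script name is a placeholder)
if [ "${1:-}" = "--run" ]; then
    regenerate_acme_account
fi
```

Once the new certificate has been issued and verified, the saved key files can be removed.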