GitLab – ACME AccountDoesNotExist

After making a change to a GitLab configuration file, I ran the gitlab-ctl reconfigure command and got this error:

    ================================================================================
    Error executing action `create` on resource 'letsencrypt_certificate[git.example.com]'
    ================================================================================

    Acme::Client::Error::AccountDoesNotExist
    ----------------------------------------
    acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 41) had an error: Acme::Client::Error::AccountDoesNotExist: No account exists with the provided key

    Cookbook Trace:
    ---------------
    /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/libraries/acme.rb:58:in `acme_order_certs_for'
    /opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb:89:in `block in class_from_file'

    Resource Declaration:
    ---------------------
    # In /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb

      6: letsencrypt_certificate site do
      7:   crt node['gitlab']['nginx']['ssl_certificate']
      8:   key node['gitlab']['nginx']['ssl_certificate_key']
      9:   notifies :run, "execute[reload nginx]", :immediate
     10:   notifies :run, 'ruby_block[display_le_message]'
     11:   only_if { omnibus_helper.service_up?('nginx') }
     12: end

    Compiled Resource:
    ------------------
    # Declared in /opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/recipes/http_authorization.rb:6:in `from_file'

    letsencrypt_certificate("git.example.com") do
      action [:create]
      updated true
      updated_by_last_action true
      default_guard_interpreter :default
      declared_type :letsencrypt_certificate
      cookbook_name "letsencrypt"
      recipe_name "http_authorization"
      crt "/etc/gitlab/ssl/git.example.com.crt"
      key "/etc/gitlab/ssl/git.example.com.key"
      cn "git.example.com"
      only_if { #code block }
    end

    System Info:
    ------------
    chef_version=15.17.4
    platform=debian
    platform_version=11
    ruby=ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [x86_64-linux]
    program_name=/opt/gitlab/embedded/bin/chef-client
    executable=/opt/gitlab/embedded/bin/chef-client

GitLab is managing the SSL certificates from Let's Encrypt using ACME in this case. Checking the existing certificate, I could see that it was working up until recently, so it seems to have broken for me in the past few days for some reason.

To fix the problem, the ACME account key can be regenerated. The account key is located at /etc/acme/account_private_key.pem by default (for the Omnibus install). Simply rename this file and then re-run the GitLab reconfigure command:

    sudo mv /etc/acme/account_private_key.pem /etc/acme/account_private_key.pem.backup
    sudo gitlab-ctl reconfigure
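
The same fix as a repeatable script, added here as an example (not from the original post): it keeps a timestamped, owner-only backup of the old account key, then checks that the reconfigure run left a new key in place and that the certificate is not about to expire. The function names, the `--run` switch and the 7-day threshold are assumptions of this example; the paths are the ones shown above.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Paths are the defaults shown in
# the post; the function names are invented for this example.
set -u

ACME_KEY="${ACME_KEY:-/etc/acme/account_private_key.pem}"
CERT="${CERT:-/etc/gitlab/ssl/git.example.com.crt}"

# Move the key aside under a timestamped name, so a second run never
# overwrites an earlier backup, and keep the backup owner-readable only.
backup_acme_key() {
    local key="$1" backup
    if [ ! -f "$key" ]; then
        echo "no account key at $key" >&2
        return 1
    fi
    backup="${key}.$(date +%Y%m%d%H%M%S).backup"
    if [ -e "$backup" ]; then
        echo "refusing to overwrite $backup" >&2
        return 1
    fi
    mv -- "$key" "$backup" && chmod 600 "$backup" || return 1
    printf '%s\n' "$backup"
}

# Succeeds only if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Full procedure: back up the key, reconfigure, then verify the outcome.
# Assumes, as the post describes, that reconfigure regenerates the key file.
rotate_acme_account_key() {
    local backup
    backup="$(backup_acme_key "$ACME_KEY")" || return 1
    echo "old account key saved as $backup"
    gitlab-ctl reconfigure || { echo "reconfigure failed" >&2; return 1; }
    [ -s "$ACME_KEY" ] || { echo "no new key at $ACME_KEY" >&2; return 1; }
    cert_valid_for_days "$CERT" 7 || { echo "$CERT expires within 7 days" >&2; return 1; }
    echo "new account key in place, certificate valid"
}

# Run as root: ./rotate_acme_key.sh --run   (script name is an example)
if [ "${1:-}" = "--run" ]; then
    rotate_acme_account_key
fi
```

Once the new certificate has been confirmed, the old key backup can be deleted, since it is still a private key sitting on disk.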
