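Cause: an outdated ACME client can no longer renew the Let's Encrypt certificate
Let's Encrypt certificates are valid for 90 days. Neither of the following two commands could renew the certificate: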
sudo gitlab-ctl renew-le-certs
and
sudo gitlab-ctl reconfigure
The error says that ACME v1 has been deprecated:
Running handlers:
There was an error running gitlab-ctl reconfigure:
letsencrypt_certificate[gitlab.<redacted>.com] (letsencrypt::http_authorization line 3) had an error: Acme::Client::Error::Unauthorized: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 20) had an error: Acme::Client::Error::Unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
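GitLab 12.1.x ships an updated ACME client, so the only option was to upgrade.
The bumpy road to upgrading GitLab
The server runs CentOS 7 and the current GitLab version is 11.10.4, installed from the Omnibus GitLab package. Following the requirements on the official site, upgrade to 11.11.8 first. Download the rpm package, then update offline: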
# CentOS/RHEL
rpm -Uvh gitlab-ce-XXX.rpm
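Pitfall 1: wrongly skipping reconfigure on the intermediate version
Because 11.11.8 does not include the ACME update, running 'gitlab-ctl reconfigure' failed. At this point I made a fatal mistake: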
sudo touch /etc/gitlab/skip-auto-reconfigure
Disabling automatic reconfigure meant the database upgrade was skipped, so the subsequent upgrade to 12.3.4 failed:
Your current database version is too old to be migrated. You should upgrade to GitLab 11.11.0 before moving to this version.
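The official recommendation is to uninstall GitLab and then install an 11.11.x version. However, there was a GitLab backup on the server, so I rolled straight back to the original 11.10.4 and started over.
Pitfall 2: upgrading from 11.11.x to 12.3.4 reports a missing database column
To keep reconfigure from failing during the upgrade, edit '/etc/gitlab/gitlab.rb' and disable Let's Encrypt: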
letsencrypt['enable'] = false
However, the upgrade to 12.3.4 reported the following error:
Exception: Your database is missing the 'parent_id' column from the 'epics' table that is present for GitLab EE.
Even though it looks like you're running a CE installation, it appears
you may have installed GitLab EE at some point. To migrate to GitLab 12.0:
1. Install GitLab 11.11.3 EE
2. Install GitLab 12.0.x CE
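I had never used GitLab EE, and this meant going back from 11.11.8 CE to 11.11.3 EE, so the message was baffling. Based on the information in this discussion, and since I had a backup, I tried it anyway.
Also following the officially recommended upgrade order, first upgrade to 12.0.2.
Summary
- Before upgrading, always: back up! Back up! Back up!
- Turn off the Let's Encrypt switch in '/etc/gitlab/gitlab.rb'
- Upgrade order:
11.10.4 (initial version) -> 11.11.8 CE -> 11.11.3 EE -> 12.0.2 CE -> 12.3.4 CE (latest version as of 20191006)
- Turn the Let's Encrypt switch back on and run 'gitlab-ctl reconfigure' to renew the certificate
Check the version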
sudo gitlab-rake gitlab:env:info
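The checks from pitfall 1, pitfall 2 and the summary can be run before each upgrade step. The script below is an added example, not part of the original post or of GitLab: the function name preflight_check and its root-prefix argument are hypothetical, and the backup location /var/opt/gitlab/backups with the *_gitlab_backup.tar suffix is assumed to be the Omnibus default.

```shell
#!/bin/sh
# Added example: pre-upgrade checks for an Omnibus GitLab host.
# $1 is a hypothetical root prefix so the checks can be tried on a
# scratch tree; pass "/" on a real server.

preflight_check() {
    root="${1%/}"
    rc=0

    # Pitfall 1: this marker makes package upgrades skip reconfigure,
    # so the database migrations of the intermediate version never run.
    if [ -e "$root/etc/gitlab/skip-auto-reconfigure" ]; then
        echo "FAIL: $root/etc/gitlab/skip-auto-reconfigure exists; remove it"
        rc=1
    fi

    # Let's Encrypt must be switched off on an uncommented line, so that
    # reconfigure does not abort on the ACMEv1 error mid-upgrade.
    conf="$root/etc/gitlab/gitlab.rb"
    if ! grep -Eq "^[[:space:]]*letsencrypt\['enable'\][[:space:]]*=[[:space:]]*false" "$conf" 2>/dev/null; then
        echo "FAIL: letsencrypt['enable'] = false is not set in $conf"
        rc=1
    fi

    # Assumption: backups live in the Omnibus default directory.
    found=0
    for f in "$root"/var/opt/gitlab/backups/*_gitlab_backup.tar; do
        [ -s "$f" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no non-empty backup under $root/var/opt/gitlab/backups"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: ready for the next upgrade step"
    return "$rc"
}

# Usage on the server: preflight_check / && rpm -Uvh gitlab-ce-XXX.rpm
```

After the final step to 12.3.4, the Let's Encrypt check is expected to fail again once the switch is turned back on; the script is meant for the intermediate steps only.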