apache 2.4 + gitlab + letsencrypt not working

Question

I use the following config to enable letsencrypt support on all vhosts:

ProxyPass /.well-known/acme-challenge !

Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/

<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    ForceType text/plain
    RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)" 
</Directory>

this works fine for all hosts (mostly php or static sites) except gitlab

I'm using this config: https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/apache/gitlab-ssl-apache24.conf

My guess is that this config part is a problem:

<Location />
    # New authorization commands for apache 2.4 and up
    # http://httpd.apache.org/docs/2.4/upgrading.html#access
    Require all granted

    #Allow forwarding to gitlab-workhorse
    ProxyPassReverse http://127.0.0.1:8181
    ProxyPassReverse http://YOUR_SERVER_FQDN/
  </Location>

but what is the best way to solve that?

Answer 1

I think there are two problems here:

1. The DocumentRoot is something outside of /var/www/letsencrypt
2. gitlab-workhorse is rewriting the request

The alias stuff should workaround the first problem, but this addition should allow the .well-known request to not get rewritten by GitLab. As per the comment:

#Forward all requests to gitlab-workhorse except existing files like error documents

Gitlab have already written a rule for exclusion, so we can add to it.

Add the following line before the RewriteRule

RewriteCond %{REQUEST_URI} !^.*/\.well-known/.*$ [NC]

This adds a conditional to NOT rewrite requests that contain .well-known. Restart Apache and test.