
Allow ACME challenge over HTTPS

Filipe Santos requested to merge acme-challenge-https into master

What does this MR do?

Updates the NGINX config to locally resolve /.well-known/acme-challenge/* over HTTPS when Letsencrypt is enabled.

This allows the HTTP-01 challenge to succeed in cases where there are automatic HTTPS redirects at CDN level. It also restricts the existing HTTP location matcher to /.well-known/acme-challenge/*, as the application itself uses a few endpoints there:

  • /.well-known/openid-configuration
  • /.well-known/webfinger
  • /.well-known/terraform.json

  • Before: Letsencrypt -> HTTP -> CDN Redirect -> HTTPS -> App Redirect -> `/users/sign_in`
  • After: Letsencrypt -> HTTP -> CDN Redirect -> HTTPS -> `/.well-known/acme-challenge/...`
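An illustrative NGINX configuration showing the shape of this change (an added example, not the MR's diff or the project's own template; the webroot path, hostname, certificate paths and application upstream address are assumed):

```nginx
# Illustrative example only. Assumed values: ACME webroot /var/www/letsencrypt,
# hostname gitlab.example.com, certificate paths, and the app upstream 127.0.0.1:8181.

server {
    listen 80;
    server_name gitlab.example.com;

    # Only the ACME challenge path is answered from disk on port 80. The other
    # /.well-known/ endpoints (openid-configuration, webfinger, terraform.json)
    # belong to the application, so they fall through to the HTTPS redirect.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name gitlab.example.com;
    ssl_certificate     /etc/gitlab/ssl/gitlab.example.com.crt;
    ssl_certificate_key /etc/gitlab/ssl/gitlab.example.com.key;

    # Serve the same webroot over HTTPS, so a CDN-level "Always Use HTTPS"
    # redirect still lands on the token file instead of being handed to the
    # application and bounced to the sign-in page.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    location / {
        proxy_pass http://127.0.0.1:8181;  # assumed application upstream
    }
}
```

Both challenge locations must point at the same webroot the ACME client writes to, otherwise the HTTPS path serves a 404 for the token.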

Related issues

https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/13416

We enforce HTTPS at Cloudflare with Always Use HTTPS, which prevents us from adding an exception for a single path/URL.

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
  • trigger-package has a green pipeline running against latest commit

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for the GitLab Chart opened
Edited by Filipe Santos
