
Disable SSL cert verification when using RVM. #9

Closed

@jcockhren

This should mostly only be used when gitlabhq and gitlab-shell are
on the same physical machine.

Using rvm, when running ./bin/check the following error occurs:

Check GitLab API access: /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
    from /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
    from /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
    from /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/net/http.rb:799:in `connect'
    from /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
    from /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/net/http.rb:744:in `start'
    from /home/git/gitlab-shell/lib/gitlab_net.rb:47:in `get'
    from /home/git/gitlab-shell/lib/gitlab_net.rb:27:in `check'
    from ./gitlab-shell/bin/check:11:in `<main>'

For some reason, solutions posted across the net (such as setting http.ca_path and http.ca_file) don't work.

@jcockhren jcockhren Disable SSL cert verification when using RVM.
This should mostly only be used when gitlabhq and gitlab-shell are
on the same physical machine.
846ee24
@iDevPro
iDevPro commented Feb 18, 2013

How can I use gitlabhq and gitlab-shell on one physical machine?
Maybe over localhost? Or maybe sockets?

@jcockhren

gitlab-shell interfaces with gitlabhq through the API calls. Which is why the config expects a url and one of the ways it's checked. For my case gitlab is served under SSL and RVM acts funny with that.

@iDevPro
iDevPro commented Feb 18, 2013

In my case: GitlabHQ and Gitlab-Shell are placed on one machine too,
and I use SSL for external entrance... https://....

curl -u username:password https://git.idev.pro/itux/cardgame.git/info/refs?service=git-receive-pack
001f# service=git-receive-pack
000000760000000000000000000000000000000000000000 capabilities^{} report-status delete-refs side-band-64k quiet ofs-delta

but push -u origin master is:

git push -u origin master
Counting objects: 56, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (51/51), done.
Writing objects: 100% (56/56), 113.32 KiB, done.
Total 56 (delta 18), reused 0 (delta 0)
error: RPC failed; result=22, HTTP code = 500
fatal: The remote end hung up unexpectedly
fatal: The remote end hung up unexpectedly
Everything up-to-date

in production log (only one string when run git push -u origin master):

Started GET "/itux/cardgame.git/info/refs?service=git-receive-pack" for {IP} at 2013-02-18 12:39:57 +0700
@jcockhren

Ok. I see. I didn't understand your comment. Could you post your results from running gitlab-shell's ./bin/check ?

@iDevPro
iDevPro commented Feb 18, 2013

~/gitlab-shell]$ ./bin/check
Check GitLab API access: OK
Check directories and files:
/home/git/repositories: OK
/home/git/.ssh/authorized_keys: OK

@randx
GitLab member
randx commented Feb 19, 2013

I don't like the idea of running rvm --version every time

@iDevPro
iDevPro commented Feb 22, 2013

I don't use RVM :) compile ruby from source code on FreeBSD host

but found:

* Server auth using Basic with user 'itux@idev.pro'
> GET /itux/cardgame.git/git-receive-pack HTTP/1.1
> Authorization: Basic aXR1eEBpZGV2LnBybzpSb290QVhQVHV4
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
> Host: git.idev.pro
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
< Date: Fri, 22 Feb 2013 15:20:47 GMT
< Server: Apache/2.2.22 (FreeBSD) DAV/2 PHP/5.4.5 Phusion_Passenger/3.0.19 mod_ssl/2.2.22 OpenSSL/0.9.8q
< X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.19
< X-UA-Compatible: IE=Edge,chrome=1
< Cache-Control: no-cache, private
< X-Request-Id: d3f9b8f1d372ad3bd1eb53784075e719
< X-Runtime: 0.307534
< X-Rack-Cache: miss
< Status: 405
< Content-Length: 18
< Content-Type: text/plain
< 
* Connection #0 to host git.idev.pro left intact
Method Not Allowed* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
@iDevPro
iDevPro commented Feb 22, 2013

Heh... initial commit can't be HTTPS :)

mbPro:CardGame itux$ git remote remove origin

mbPro:CardGame itux$ git remote add origin git@git.idev.pro:itux/cardgame.git

mbPro:CardGame itux$ git push -u origin master
Counting objects: 56, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (51/51), done.
Writing objects: 100% (56/56), 113.32 KiB, done.
Total 56 (delta 18), reused 0 (delta 0)
To git@git.idev.pro:itux/cardgame.git
 * [new branch]      master -> master
Branch master set up to track remote branch master from origin.

mbPro:CardGame itux$ cd ..
mbPro:School itux$ mkdir TEST
mbPro:School itux$ cd TEST/

mbPro:TEST itux$ git clone https://git.idev.pro/itux/cardgame.git
Cloning into 'cardgame'...
remote: Counting objects: 56, done.
remote: Compressing objects: 100% (51/51), done.
remote: Total 56 (delta 19), reused 0 (delta 0)
Unpacking objects: 100% (56/56), done.


mbPro:TEST itux$ cd cardgame/
mbPro:cardgame itux$ touch README.md
mbPro:cardgame itux$ git add .

mbPro:cardgame itux$ git commit -m 'add readme'
[master c28a972] add readme
 0 files changed
 create mode 100644 README.md

mbPro:cardgame itux$ git push
Counting objects: 4, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 264 bytes, done.
Total 3 (delta 1), reused 0 (delta 0)
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
To https://git.idev.pro/itux/cardgame.git
   a879f93..c28a972  master -> master
@jcockhren

@randx I can see why you feel that way. I'll update and pull from the environment variables.

@Xylakant
Xylakant commented Mar 8, 2013

My $0.02: Disabling SSL Verification makes you vulnerable to MITM Attacks, effectively rendering SSL-Protection useless - you could just as well fall back to HTTP. It's really bad practice to do so.

@randx
GitLab member
randx commented Mar 8, 2013

I close this one

@randx randx closed this Mar 8, 2013