Disable SSL cert verification when using RVM. #9

Closed
wants to merge 1 commit into from

4 participants

@jcockhren

This should mostly only be used when gitlabhq and gitlab-shell are
on the same physical machine.

Using rvm, when running ./bin/check the following error occurs:

Check GitLab API access: /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
    from /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
    from /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
    from /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/net/http.rb:799:in `connect'
    from /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
    from /home/git/.rvm/rubies/ruby-1.9.3-p385/lib/ruby/1.9.1/net/http.rb:744:in `start'
    from /home/git/gitlab-shell/lib/gitlab_net.rb:47:in `get'
    from /home/git/gitlab-shell/lib/gitlab_net.rb:27:in `check'
    from ./gitlab-shell/bin/check:11:in `<main>'

For some reason, solutions posted across the net (such as setting http.ca_path and http.ca_file) don't work.

@jcockhren jcockhren Disable SSL cert verification when using RVM.
This should mostly only be used when gitlabhq and gitlab-shell are
on the same physical machine.
846ee24
@iDevPro

How can I use gitlabhq and gitlab-shell on one physical machine?
Maybe over localhost? Or maybe sockets?

@jcockhren

gitlab-shell interfaces with gitlabhq through the API calls. Which is why the config expects a url and one of the ways it's checked. For my case gitlab is served under SSL and RVM acts funny with that.

@iDevPro

In my case, GitlabHQ and Gitlab-Shell are placed on one machine too,
and I use SSL for external entrance... https://....

curl -u username:password https://git.idev.pro/itux/cardgame.git/info/refs?service=git-receive-pack
001f# service=git-receive-pack
000000760000000000000000000000000000000000000000 capabilities^{} report-status delete-refs side-band-64k quiet ofs-delta

but push -u origin master is:

git push -u origin master
Counting objects: 56, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (51/51), done.
Writing objects: 100% (56/56), 113.32 KiB, done.
Total 56 (delta 18), reused 0 (delta 0)
error: RPC failed; result=22, HTTP code = 500
fatal: The remote end hung up unexpectedly
fatal: The remote end hung up unexpectedly
Everything up-to-date

in production log (only one string when run git push -u origin master):

Started GET "/itux/cardgame.git/info/refs?service=git-receive-pack" for {IP} at 2013-02-18 12:39:57 +0700
@jcockhren

Ok. I see. I didn't understand your comment. Could you post your results from running gitlab-shell's ./bin/check ?

@iDevPro

~/gitlab-shell]$ ./bin/check
Check GitLab API access: OK
Check directories and files:
/home/git/repositories: OK
/home/git/.ssh/authorized_keys: OK

@randx
Owner

I don't like the idea of running rvm --version every time

@iDevPro

I don't use RVM :) compile ruby from source code on FreeBSD host

but found:

* Server auth using Basic with user 'itux@idev.pro'
> GET /itux/cardgame.git/git-receive-pack HTTP/1.1
> Authorization: Basic aXR1eEBpZGV2LnBybzpSb290QVhQVHV4
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
> Host: git.idev.pro
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
< Date: Fri, 22 Feb 2013 15:20:47 GMT
< Server: Apache/2.2.22 (FreeBSD) DAV/2 PHP/5.4.5 Phusion_Passenger/3.0.19 mod_ssl/2.2.22 OpenSSL/0.9.8q
< X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.19
< X-UA-Compatible: IE=Edge,chrome=1
< Cache-Control: no-cache, private
< X-Request-Id: d3f9b8f1d372ad3bd1eb53784075e719
< X-Runtime: 0.307534
< X-Rack-Cache: miss
< Status: 405
< Content-Length: 18
< Content-Type: text/plain
< 
* Connection #0 to host git.idev.pro left intact
Method Not Allowed* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
@iDevPro

Heh... initial commit can't be HTTPS :)

mbPro:CardGame itux$ git remote remove origin

mbPro:CardGame itux$ git remote add origin git@git.idev.pro:itux/cardgame.git

mbPro:CardGame itux$ git push -u origin master
Counting objects: 56, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (51/51), done.
Writing objects: 100% (56/56), 113.32 KiB, done.
Total 56 (delta 18), reused 0 (delta 0)
To git@git.idev.pro:itux/cardgame.git
 * [new branch]      master -> master
Branch master set up to track remote branch master from origin.

mbPro:CardGame itux$ cd ..
mbPro:School itux$ mkdir TEST
mbPro:School itux$ cd TEST/

mbPro:TEST itux$ git clone https://git.idev.pro/itux/cardgame.git
Cloning into 'cardgame'...
remote: Counting objects: 56, done.
remote: Compressing objects: 100% (51/51), done.
remote: Total 56 (delta 19), reused 0 (delta 0)
Unpacking objects: 100% (56/56), done.


mbPro:TEST itux$ cd cardgame/
mbPro:cardgame itux$ touch README.md
mbPro:cardgame itux$ git add .

mbPro:cardgame itux$ git commit -m 'add readme'
[master c28a972] add readme
 0 files changed
 create mode 100644 README.md

mbPro:cardgame itux$ git push
Counting objects: 4, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 264 bytes, done.
Total 3 (delta 1), reused 0 (delta 0)
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
remote: fatal: Not a git repository: '.'
To https://git.idev.pro/itux/cardgame.git
   a879f93..c28a972  master -> master
@jcockhren

@randx I can see why you feel that way. I'll update and pull from the environment variables.

@Xylakant

My $0.02: Disabling SSL Verification makes you vulnerable to MITM Attacks, effectively rendering SSL-Protection useless - you could just as well fall back to HTTP. It's really bad practice to do so.
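
Added example, not part of the thread or of gitlab-shell: one way to keep verification on when the GitLab URL uses a self-signed or private-CA certificate is to trust that certificate explicitly. `verified_http`, `trust_check` and `constructed_self_signed` are hypothetical names, and the certificate is generated in-process as sample input.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Hypothetical helper, not gitlab-shell code: HTTPS client that keeps peer
# verification on and additionally trusts the CA or self-signed cert in ca_file.
# Assumption: TLS is chosen by URL scheme, not by port 443 as in the patch.
def verified_http(url, ca_file: nil)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  return http unless http.use_ssl?

  store = OpenSSL::X509::Store.new
  store.set_default_paths               # system trust roots
  store.add_file(ca_file) if ca_file    # PEM file holding the private CA
  http.cert_store = store
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http
end

# Offline diagnosis: does cert verify against exactly these trust anchors?
# Returns [true, nil] or [false, OpenSSL error string].
def trust_check(cert, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |anchor| store.add_cert(anchor) }
  ok = store.verify(cert)
  [ok, ok ? nil : store.error_string]
end

# Constructed sample input: a throwaway self-signed certificate.
def constructed_self_signed(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $0
  cert = constructed_self_signed('gitlab.example.test')
  p trust_check(cert, [])       # not trusted: verification fails
  p trust_check(cert, [cert])   # trusted explicitly: verification succeeds
end
```
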

@randx
Owner

I close this one

@randx randx closed this
Commits on Feb 17, 2013
  1. @jcockhren

    Disable SSL cert verification when using RVM.

    jcockhren authored
    This should mostly only be used when gitlabhq and gitlab-shell are
    on the same physical machine.
Showing with 2 additions and 0 deletions.
  1. +2 −0  lib/gitlab_net.rb
2  lib/gitlab_net.rb
@@ -36,6 +36,8 @@ def get(url)
url = URI.parse(url)
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = (url.port == 443)
+ `rvm --version`
+ http.verify_mode = OpenSSL::SSL::VERIFY_NONE if ($? && http.use_ssl?)
request = Net::HTTP::Get.new(url.request_uri)
http.start {|http| http.request(request) }
end
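Review bot: The guard on the added line `http.verify_mode = OpenSSL::SSL::VERIFY_NONE if ($? && http.use_ssl?)` does not test for RVM. `$?` is a Process::Status object, which is truthy whatever the exit status of `rvm --version`, so every HTTPS request made through get skips certificate verification once the backtick call returns, and on a host with no rvm executable the backtick call raises Errno::ENOENT before the request is sent. The call also spawns a subprocess on every get. Suggest dropping both added lines and leaving peer verification on, with the CA for the GitLab URL supplied through `http.ca_file` or a cert store. If an opt-out has to exist, read it from an explicit configuration setting rather than inferring it from the environment, and use `$?.success?` wherever an exit status is really meant.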