gitea keys fails: Forbidden attempt to access internal url

[rmsc]

Gitea Version

1.15.6-rootless

Git Version

No response

Operating System

No response

How are you running Gitea?

I'm running the "gitea:1.15.6-rootless" docker image under rootless podman.

Database

MySQL

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/rmsc/b4bcdec9ee84cd67a2ed2f1870ce73d2

Description

I'm using gitea keys in an AuthorizedKeysCommand. It used to work in at least in version 1.15.4, but is not working anymore, and is failing with a weird error:

$ sudo -u git /usr/bin/podman exec -it gitea-app /usr/local/bin/gitea keys -u git -t ed_25519 -k <REDACTED>
2021/10/30 22:02:52 main.go:117:main() [F] Failed to run app with [/usr/local/bin/gitea keys -u git -t ed_25519 -k <REDACTED>]: Failed to update public key: readObjectStart: expect { or n, but found F, error found in #1 byte of ...|Forbidden
	|..., bigger context ...|Forbidden
	|...

The error happens regardless of whether the key is correct or not. The server log reports a Forbidden attempt to access internal url, as per the provided log gist.

Screenshots

No response

EDIT: I'm not so sure I was using the rootless version of 1.15.4 when it worked.

[zeripath]

$ sudo -u git /usr/bin/podman exec -it gitea-app /usr/local/bin/gitea keys -c /path/to/app.ini -u git -t ed_25519 -k <REDACTED>

[rmsc]

That did help, thanks! Now I get:

$ sudo -u git /usr/bin/podman exec -it gitea-app /usr/local/bin/gitea keys -c /etc/gitea/app.ini -u git -t ed_25519 -k <REDACTED>
2021/10/31 07:52:12 main.go:117:main() [F] Failed to run app with [/usr/local/bin/gitea keys -c /etc/gitea/app.ini -u git -t ed_25519 -k <REDACTED>]: Failed to update public key: public key does not exist [id: 0]

2021/10/31 07:52:12 Started POST /api/internal/ssh/authorized_keys for [::1]:51002
2021/10/31 07:52:12 Completed POST /api/internal/ssh/authorized_keys 500 Internal Server Error in 991.758µs

The key does exist.

One thing that is weird is that there are 3 config files in the system:

• /etc/gitea/app.ini containing the main configuration
• /etc/gitea/conf/app.ini containing the INTERNAL_TOKEN
• /var/lib/gitea/custom/conf/app.ini also containing the INTERNAL_TOKEN

I would expect the main config to sit in /etc/gitea/conf/app.ini so that it's picked up by the cli. Any reason why that isn't the case?

[rmsc]

My bad, the key type I was entering was wrong. It should have been -t ssh-ed25519 instead of -t ed_25519. Now AuthorizedKeysCommand works fine. Thanks!

Now regarding the config files, I did a clean install on a new VM, and now the only configuration file is /etc/gitea/app.ini. Any reason for that location rather than /etc/gitea/conf/app.ini?

[zeripath]

OK I think it's time we start compiling the docker build with the appropriate linker commands so that gitea just looks in the right places without having to use -c

[rmsc]

@zeripath that would be great!