certificate and other errors when cloning over https and ssh #1212

Closed
robinpaulson opened this issue Apr 17, 2015 · 13 comments
Comments

@robinpaulson robinpaulson commented Apr 17, 2015

Hi, I am trying to clone a repo via https, and get the following error:

fatal: unable to access 'https://mydomain:8080/user/repo.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I am using a certificate signed by StartCom, not self-signed. I can access everything fine via the browser, but not with git on the command line. I wonder if it is asking for the ca.pem file which StartCom provided, but there is no directive in app.ini to specify it? I'm not sure if this is a problem with Gogs, Apache or git.
This is Gogs v 0.6.1.0325 Beta
Ubuntu 12.04
git v 1.9.1
The Gogs error logs print nothing interesting at the time I do this.

@robinpaulson robinpaulson commented Apr 17, 2015

Also, I cannot clone via ssh using the details supplied in Gogs; I am asked for the password for user "gogs":
ssh://gogs@[domain]:[port]/[user]/[repo].git

When I enter the password (why is authentication needed? I was expecting GitHub-style unauthenticated ssh read access), I get:
fatal: '/[user]/[repo].git' does not appear to be a git repository
fatal: Could not read from remote repository.

In app.ini, the relevant settings are:
ROOT = /home/gogs/gogs-repositories
DOMAIN = [domain.org]
ROOT_URL = https://[domain.org]:8080/
HTTP_ADDR =
HTTP_PORT = 8080
SSH_PORT = [ssh port]

@robinpaulson robinpaulson changed the title certificate errors when cloning over https certificate and other errors when cloning over https and ssh Apr 17, 2015
@robinpaulson robinpaulson commented Apr 21, 2015

So, I did some digging, and the error isn't with my apache config, or git, but with gogs not providing a directive for the certificate provider's intermediate certificate. This looks simple to fix.

@okket okket commented Apr 21, 2015

Just:

cat your-certificate.crt sub.class1.server.ca.pem > your-certificate-chained.crt

And use this instead of your plain certificate.
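The missing-intermediate failure and the concatenation fix above, reproduced end to end with a constructed root/intermediate/leaf chain (added example, not code from the issue thread; assumes the openssl CLI, 1.1.1 or newer, is on PATH):

```shell
#!/bin/sh
# Added example (not part of the issue thread): reproduce git/curl's "unable to
# get local issuer certificate" with a constructed root -> intermediate -> leaf
# chain, then show that appending the intermediate to the served certificate
# (the cat fix from the thread) makes verification pass. Assumes openssl 1.1.1+.
set -e
WORK=$(mktemp -d)

# Generate a throwaway root CA, intermediate CA and server (leaf) certificate.
make_chain() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Constructed Root" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -out root.crt -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
    -subj "/CN=Constructed Intermediate" 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out sub.crt -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=gogs.example" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -out leaf.crt -days 2 2>/dev/null
  # The fix from the thread: the server must present leaf + intermediate together.
  cat leaf.crt sub.crt > leaf-chained.crt
)

# Verify the leaf the way a client whose CA bundle holds only the root would,
# with $1 standing in for the file the server presents. Prints "ok" or "fail".
verify_served() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" \
       >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Extract the specific verification error, if any, for the presented file.
verify_error() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1 || true
}

make_chain
echo "leaf only:         $(verify_served "$WORK/leaf.crt") ($(verify_error "$WORK/leaf.crt"))"
echo "leaf+intermediate: $(verify_served "$WORK/leaf-chained.crt")"
```

The same check against a live server is `openssl s_client -connect host:port -showcerts`, which lists every certificate the server actually sends; if the intermediate is absent there, the chained file is what CERT_FILE should point at.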

@unknwon unknwon commented Aug 1, 2015

Thanks for your feedback!

For your first problem, Gogs uses the standard way to start HTTPS with TLS; if something goes wrong with it, it may be an issue with Go itself, or your CA isn't really right somehow, as @okket showed.

For the second problem, I think the SSH authorized key file on your server had your SSH key manually added before you added it to Gogs. Gogs needs to completely occupy this file, so using another user to run Gogs should be the solution.

Hope it helps!

@step-ani-motion step-ani-motion commented Sep 15, 2015

Regarding the clone issue, we just had the same symptoms and I think I can give some more insight here.

Basically, the generated authorized_keys file of the gogs user gets generated wrong. Instead of just putting the key into the file, some command line parameters are also written just before the key in question.

Here's what the authorized_keys file looks like on our machine after adding a key via the web interface:

command="/opt/gogs/gogs serv key-2 --config='/opt/gogs/custom/conf/app.ini'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [ssh-key]

instead of:

[ssh-key]

When I remove the extra garbage before the actual key manually, everything works fine.
We are using the packager.io builds on Debian Jessie.

Hope that helps

@tboerger tboerger commented Sep 15, 2015

@step-ani-motion no, that doesn't really help, as the generated command you pasted is totally OK.

@unknwon unknwon commented Sep 15, 2015

@step-ani-motion thanks for your info!

But if what you did solved your problem, then you're doing something else wrong.

@step-ani-motion step-ani-motion commented Sep 16, 2015

@tboerger, @unknwon thanks for the feedback.

You are right, of course :).
I just realized we had wrong DOMAIN and ROOT_URL settings in custom/conf/app.ini.
After fixing that, everything seems fine with our installation.

Sorry for the noise!

@unknwon unknwon commented Sep 16, 2015

@step-ani-motion no problem.

@unknwon unknwon added this to the 0.7.5 milestone Sep 16, 2015
@unknwon unknwon removed this from the 0.7.5 milestone Oct 24, 2015
@unknwon unknwon commented Oct 24, 2015

Close for now but open for continuing discussion.

@unknwon unknwon closed this Oct 24, 2015
@juusechec juusechec commented May 7, 2017

Hello, I had the same error and I discovered the warnings with https://www.sslshopper.com/ssl-checker.html
Errors given with git clone were:

jorge@ulises:~/workspace> git clone https://mydomain.io:3000/desarrollo/myrepo
Cloning into 'myrepo'...
fatal: unable to access 'https://mydomain.io:3000/desarrollo/myrepo/': SSL certificate problem: unable to get local issuer certificate

Errors given with curl:

jorge@ulises:~/workspace> curl https://mydomain.io:3000
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

For a Let's Encrypt SSL cert (http://letsencrypt.org/) solution, I use in the config file:

CERT_FILE = custom/conf/mydomain-chain-crt.pem
KEY_FILE = custom/conf/mydomain-key.pem

Instead of

CERT_FILE = custom/conf/mydomain-chain.pem
KEY_FILE = custom/conf/mydomain-key.pem
@egberts egberts commented Nov 3, 2019

I fixed the exact same error by discovering it was a file permission error using strace -f.

For example, strace -f curl https://github.com/drwetter/testssl.sh.git/

stat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0"..., 4096) = 127
lseek(4, -71, SEEK_CUR)                 = 56
read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0"..., 4096) = 71
close(4)                                = 0
stat("/etc/ssl/certs/244b5494.0", 0x7ffe24199b20) = -1 EACCES (Permission denied)
stat("/etc/ssl/certs/244b5494.0", 0x7ffe24199b20) = -1 EACCES (Permission denied)
write(3, "\25\3\3\0\2\0020", 7)         = 7
close(3)

I noticed the 'Permission denied' and promptly fixed the file permission settings of /etc/ssl/certs.

chmod a+rx /etc/ssl/certs
chmod a+r /etc/ssl/certs/*

Happy as a clam now.

@robinpaulson robinpaulson commented Nov 5, 2019

Marvellous, cheers all
