-
-
Notifications
You must be signed in to change notification settings - Fork 390
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
System SSL certificates aren't used #1025
Comments
Off the top of my head there are two things you can try:
|
where is the company's certificate installed? do you have custom config for it it in ~/.gitconfig ? by default, dulwich just lets urllib3 call out to certifi to find system certificates |
I have
Are you saying that in order to use system certificates with dulwich, I have to modify the code? My use-case is to use this in poetry so that I can load a git dependency from a company repository. This solution doesn't work for me. @jelmer In folder
I don't. Should I? I'm really not experienced with certificates and how to use them. I don't have anything like
And although I don't have anything set, |
Dulwich should work in situations where C Git works without further changes. It does support reading ~/.gitconfig (and I believe poetry actually triggers a read of config nowadays - see 879a144c32d61595928c9bd5a915c757a7592067) and supports both http.sslCAinfo and http.sslVerify. And it relies on urllib3 and certifi together to properly find system certificates where the user hasn't provided configuration. Does Do |
Ah, just discovered that "dulwich clone" doesn't actually load ~/.gitconfig; fix landing shortly in master. |
The first command works. The second one doesn't (
Awesome, this should hopefully fix the issue. |
@jelmer The issue isn't just with |
That unfortunately means that the core issue is caused by something deeper, in certifi. I'm reluctant to reimplement system certificate loading in Dulwich, that's really urllib3/certifi's job. :-/
This fix doesn't directly help with this bug, it just makes testing easier. It means you can set |
dulwich.porcelain.fetch as well as other APIs like dulwich.porcelain.push already pass in the config. |
Sounds like, at least in this case, dulwich using
so dulwich forcing Difficult to know what else would break of course, but perhaps the fix is simply to remove this block and let
removing that code seems like a step in the right direction so far as that goes, anyway! |
Looking over your git history it seems that at the time the So maybe it actually is reasonable just to remove |
I had a look at the background to this, since I'd paged most of that out. We were using certifi because that's what upstream recommended: 48e2ef8 (otherwise, on older urllib3 versions you don't get any verification at all) Things have moved on now though, and I agree with your suggestion - we can now just drop the call to certifi here and instead raise the minimum version of urllib3 to 1.25. |
Don't want the |
This seems to be having adverse affects where we specify an incorrect path in some cases. Fixes #1025 Increment minimum urllib3 to >= 1.25 just to be sure; not strictly necessary - we're already trying to be explicit about whether we want verification. This was originally introduced in 48e2ef8, but urllib3 now verifies certificates by default. See also https://urllib3.readthedocs.io/en/latest/user-guide.html#certificate-verification thanks to David Hotham for help with the archeology on this one :)
My company uses its own certificate, which I have installed on my system. Cloning a repository from our company gitlab instance works with
git
, but not withdulwich
.Log of the following script is here.
Note: I've replaced the url, project name and project namespace with placeholder values.
I've found this issue through poetry. Here's the original issue: python-poetry/poetry#6340
The text was updated successfully, but these errors were encountered: