
Support internal CA or self-signed TLS certificates for all external communication #71

Open
sfllaw opened this Issue May 7, 2018 · 10 comments


sfllaw commented May 7, 2018

  • Issue type: Feature Request
  • Sourcegraph version: 2.7.6
  • OS Version: N/A
  • Docker version: N/A

We have a private GitHub Enterprise instance running under a self-signed private Certificate Authority. Because of this, we need to tell the Sourcegraph image about this CA, or Git will complain:

fatal: unable to access 'https://github.example.com/user/repo.git': server certificate verification failed. 

The configuration option in github.certificate is available, but it only applies to Sourcegraph, not to processes that gitserver controls. As well, since it only seems to handle server certificates and not CAs, it will have to be updated every time the GitHub Enterprise server rotates its certs.

Our workaround, which you are welcome to document, is to install the certificate in the Docker image, so the OS handles it. In a Dockerfile:

FROM sourcegraph/server:2.7.6
COPY ssl/certificate-authority.crt /usr/local/share/ca-certificates
RUN /usr/sbin/update-ca-certificates

Running this derived image makes everything work magically, because Sourcegraph also trusts the CAs provided by the OS.
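The comment above draws a distinction that the Dockerfile workaround relies on: trusting the private CA survives certificate rotation, while a setting that holds one server certificate does not. The Go program below is an added example, not code from the original post or from Sourcegraph. It creates an in-memory private CA and two successive server certificates for github.example.com, verifies each against a trust store holding only the CA and against one that pins only the first leaf, and builds an HTTP client that trusts the OS store plus the extra CA. The CA name, serial numbers and validity periods are constructed for the example, and `clientTrusting` is a hypothetical helper, not a Sourcegraph API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// newCA builds a self-signed private CA in memory, standing in for the issue's internal CA (constructed here).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Private CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert has the CA sign a server certificate for host; a second call with a new serial models rotation.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// pemEncode renders a certificate in the PEM form consumed by update-ca-certificates and CertPool.AppendCertsFromPEM.
func pemEncode(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// verifyAgainst is the check a TLS client runs before reporting "server certificate verification failed": leaf must chain to an anchor in trustedPEM and be valid for host. A pinned leaf only ever matches itself.
func verifyAgainst(leaf *x509.Certificate, trustedPEM []byte, host string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(trustedPEM) {
		return fmt.Errorf("no certificates found in trusted PEM")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// clientTrusting (hypothetical helper, not a Sourcegraph API) returns an HTTP client that trusts the OS trust store plus one extra CA: the in-process half of "trust this CA for all external communication".
func clientTrusting(extraCAPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool() // no OS store available: trust only what we add
	}
	if !pool.AppendCertsFromPEM(extraCAPEM) {
		return nil, fmt.Errorf("extra CA PEM contained no certificates")
	}
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: tr}, nil
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	pinned, _ := issueServerCert(ca, caKey, "github.example.com", 100) // hostname from the issue
	rotated, _ := issueServerCert(ca, caKey, "github.example.com", 101)
	fmt.Println("rotated leaf vs CA:         ", verifyAgainst(rotated, pemEncode(ca), "github.example.com"))
	fmt.Println("rotated leaf vs pinned leaf:", verifyAgainst(rotated, pemEncode(pinned), "github.example.com"))
}
```

Run it with `go run`; the first check prints `<nil>` and the second prints an unknown-authority error, which is the rotation failure the comment predicts for a pinned server certificate. The same PEM file that `update-ca-certificates` installs can also be handed to git subprocesses directly through the `http.sslCAInfo` config key or the `GIT_SSL_CAINFO` environment variable when rebuilding the image is not an option.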

@sfllaw sfllaw changed the title Adding private Certificate Authority for Git is not well documented Adding private Certificate Authority for Git (and other subprocesses) is not well documented May 7, 2018

@sqs sqs added the gitserver label Oct 25, 2018

@sqs sqs added this to the November 2018 milestone Oct 25, 2018

@sqs sqs added the plan label Oct 25, 2018


sqs commented Oct 25, 2018

Tentatively scheduling for November 2018 as part of the More robust code host repository syncing feature on the roadmap.

@sqs sqs modified the milestones: November 2018, 3.0-preview, Backlog Nov 10, 2018

@sqs sqs added the repo-updater label Nov 14, 2018


sqs commented Nov 14, 2018

The "More robust code host repository syncing" project was narrowed to be Handling renames and deletions of mirrored repositories. I am pushing back this issue as a result.

@sqs sqs removed the plan label Jan 29, 2019

@sqs sqs changed the title Adding private Certificate Authority for Git (and other subprocesses) is not well documented Support internal CA or self-signed TLS certificates for all external communication Mar 22, 2019


sqs commented Mar 22, 2019

This issue is not yet prioritized, and it will take a lot more research/planning (which is not necessary right now). However, I updated the title in the meantime to reflect that the fix should be holistic (you should be able to specify a cert for Sourcegraph to trust in all of its HTTP calls, or at least that process should be documented), not just for GitHub or for one additional place where we make external HTTP calls.


keegancsmith commented Mar 24, 2019

The solution for this would likely also be a solution for specifying an HTTP_PROXY #250


MMulero commented Apr 12, 2019

>   • Issue type: Feature Request
>   • Sourcegraph version: 2.7.6
>   • OS Version: N/A
>   • Docker version: N/A
>
> We have a private GitHub Enterprise instance running under a self-signed private Certificate Authority. Because of this, we need to tell the Sourcegraph image about this CA, or Git will complain:
>
> fatal: unable to access 'https://github.example.com/user/repo.git': server certificate verification failed.
>
> The configuration option in github.certificate is available, but it only applies to Sourcegraph, not to processes that gitserver controls. As well, since it only seems to handle server certificates and not CAs, it will have to be updated every time the GitHub Enterprise server rotates its certs.
>
> Our workaround, which you are welcome to document, is to install the certificate in the Docker image, so the OS handles it. In a Dockerfile:
>
> FROM sourcegraph/server:2.7.6
> COPY ssl/certificate-authority.crt /usr/local/share/ca-certificates
> RUN /usr/sbin/update-ca-certificates
>
> Running this derived image makes everything work magically, because Sourcegraph also trusts the CAs provided by the OS.

I tried this solution but I still have the same issue:
sourcegraph | 12:46:24 repo-updater | t=2019-04-12T12:46:24+0000 lvl=eror msg="Error listing GitLab projects" url="projects?groups%2Fidedio%2Fprojects=&order_by=last_activity_at&per_page=100" error="Get https://git.svb.lacaixa.es/api/v4/projects?groups%2Fidedio%2Fprojects=&order_by=last_activity_at&per_page=100: dial tcp 10.144.11.112:443: connect: connection timed out"

Using curl or git from Docker I am able to connect to the server. Could you provide more information about how you configure it in Sourcegraph?


tsenart commented Apr 12, 2019

@MMulero: If you try to reach that endpoint using curl from within the sourcegraph container, does it work?

You can exec into the container to try this out.

docker exec -it $SOURCEGRAPH_CONTAINER_NAME /bin/bash

MMulero commented Apr 12, 2019

Yes, from docker using curl I reach the endpoint. And also I am able to download repos with git.


tsenart commented Apr 12, 2019

> Yes, from docker using curl I reach the endpoint.

But is it from within the Sourcegraph container?


MMulero commented Apr 12, 2019

Yes, I've installed curl using a Dockerfile and I've checked that I have connectivity to the GitLab repository.
Additionally, I've checked the connectivity by downloading repos using git inside the Sourcegraph Docker container.


@tsenart tsenart removed the gitserver label Apr 17, 2019
