Netgate Discussion Forum
    Certificate issue using git from outside the network

      Gooberpatrol66

      I have a gitea instance hosted on a server. Push/pull to the server works on the local network. Outside the network though, I get certificate errors.

      bash-5.0$ git clone https://gentooserver.dehnel.info/gitea/nathan/gooby-channel.git
      Cloning into 'gooby-channel'...
      fatal: unable to access 'https://gentooserver.dehnel.info/gitea/nathan/gooby-channel.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
      

      Access to the server from outside goes through a squid reverse proxy on the router. The server and the router have Letsencrypt certificates through ACME. HTTPS webpages work.

        Gertjan

        Hi,

        What is the question?

        Several things to check:
        Instead of "https://gentooserver ...." shouldn't you be using the more classic "git://gentooserver ..."?
        Use the "-v" option to see more details.
        Look in the (git) log file - client and server ....
        The cert host name used, "gentooserver.dehnel.info", is valid for "gentooserver.dehnel.info" or *.dehnel.info?
        The git server actually used this cert?
        The same question has already been asked in the past. You checked them all?
        If squid seems the issue, shut it down for the moment?
        Etc etc

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

          Gooberpatrol66

          What is the question?

          How do I fix the error and get git clone/push working?

          Instead of "https://gentooserver ...." shouldn't you be using the more classic "git://gentooserver ..."?

          git: wants to use port 9418. I tried adding a mapping in the squid webui. It didn't work.

          bash-5.0$ git clone -v git://gentooserver.dehnel.info/gitea/nathan/gooby-channel.git
          Cloning into 'gooby-channel'...
          Looking up gentooserver.dehnel.info ... done.
          Connecting to gentooserver.dehnel.info (port 9418) ... fatal: unable to connect to gentooserver.dehnel.info:
          gentooserver.dehnel.info[0: 70.121.81.72]: errno=Connection timed out
          
          

          Use the "-v" option to see more details.

          Same output

          Look in the (git) log file - client and server ....

          I don't know what the git client log is. Google just returns "git log" command, which is something else.

          gitea log for a local push:

          2020/03/12 17:14:12 [I] 10.0.0.103 - - [12/Mar/2020:17:14:12 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 0 "\" \"git/2.25.1"
          2020/03/12 17:14:24 [I] 10.0.0.103 - nathan [12/Mar/2020:17:14:23 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 200 182 "\" \"git/2.25.1"
          2020/03/12 17:15:35 [I] 10.0.0.103 - - [12/Mar/2020:17:15:35 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 0 "\" \"git/2.25.1"
          2020/03/12 17:15:42 [I] 10.0.0.103 - - [12/Mar/2020:17:15:42 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 19 "\" \"git/2.25.1"
          2020/03/12 17:15:42 [I] 10.0.0.103 - - [12/Mar/2020:17:15:42 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 19 "\" \"git/2.25.1"
          2020/03/12 17:15:44 [I] 10.0.0.103 - - [12/Mar/2020:17:15:44 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 0 "\" \"git/2.25.1"
          2020/03/12 17:15:50 [I] 10.0.0.103 - nathan [12/Mar/2020:17:15:50 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 200 182 "\" \"git/2.25.1"
          2020/03/12 17:15:50 [I] [::1] - - [12/Mar/2020:17:15:50 -0500] "GET /api/internal/hook/pre-receive/nathan/gooby-channel?old=f2902da7c133df383bf95bca1aef4e4c168c0a2b&new=f02d068adfd4ffd142d3ef3d203b321721bfc664&ref=refs%2Fheads%2Fmaster&userID=1&gitObjectDirectory=%2Fvar%2Flib%2Fgit%2Fgitea-repositories%2Fnathan%2Fgooby-channel.git%2F.%2Fobjects%2Fincoming-NSJKIG&gitAlternativeObjectDirectories=%2Fvar%2Flib%2Fgit%2Fgitea-repositories%2Fnathan%2Fgooby-channel.git%2F.%2Fobjects&gitQuarantinePath=%2Fvar%2Flib%2Fgit%2Fgitea-repositories%2Fnathan%2Fgooby-channel.git%2F.%2Fobjects%2Fincoming-NSJKIG&prID=0 HTTP/1.1" 200 2 "\" \"GiteaServer"
          2020/03/12 17:15:50 [I] [::1] - - [12/Mar/2020:17:15:50 -0500] "GET /api/internal/hook/post-receive/nathan/gooby-channel?old=f2902da7c133df383bf95bca1aef4e4c168c0a2b&new=f02d068adfd4ffd142d3ef3d203b321721bfc664&ref=refs%2Fheads%2Fmaster&userID=1&username=nathan HTTP/1.1" 200 17 "\" \"GiteaServer"
          2020/03/12 17:15:50 [I] 10.0.0.103 - nathan [12/Mar/2020:17:15:50 -0500] "POST /nathan/gooby-channel.git/git-receive-pack HTTP/1.1" 200 52 "\" \"git/2.25.1"
          

          Remote push: nothing appears in the log.

          The cert host name used, "gentooserver.dehnel.info", is valid for "gentooserver.dehnel.info" or *.dehnel.info?

          The domains listed in the "Domain SAN list" for the certificate are dehnel.info and *.dehnel.info

          The git server actually used this cert?

          Yes, apache is configured to use this cert. I don't see how https could work otherwise.

          The same question has already been asked in the past. You checked them all?

          All the answers seem to be about the CA being untrusted by the client computer, but it seems unlikely to me that LetsEncrypt would be omitted from trusted CAs? And even if it were, why does git clone work on the local network if it's a client issue?

          If squid seems the issue, shut it down for the moment?

          I don't think that would be possible. I only have one IP address.

          As additional context, I think I had the same error locally with gitea, until I set apache to use the "fullchain" certificate. So maybe the solution would be to set the router/proxy to use the "fullchain" certificate as well?

          Thanks.

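The "fullchain" hypothesis in the post above, as an added example that is not part of the thread: this Go program builds a constructed root -> intermediate -> leaf hierarchy (stand-ins for the Let's Encrypt chain, not its real certificates; only the host name comes from the thread) and verifies the leaf the way a git client does, trusting just the root and taking intermediates only from what the server sent. The leaf-only case reproduces the "unknown authority" failure even though the CA itself is trusted, which is what a proxy serving cert.pem instead of fullchain.pem looks like from outside.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue signs a certificate for cn with parent's key (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if !isCA { // leaf: no signing rights, plus the SAN a client matches against the URL host name
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // cannot fail with this template
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// chainCheck verifies a constructed root -> intermediate -> leaf chain the way a git client does: it trusts
// only the root and takes intermediates only from what the server sent; fullchain=false models a proxy serving the leaf alone.
func chainCheck(fullchain bool) error {
	root, rootKey := issue("Constructed Root", true, nil, nil)
	inter, interKey := issue("Constructed Intermediate", true, root, rootKey)
	leaf, _ := issue("gentooserver.dehnel.info", false, inter, interKey)
	roots, served := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if fullchain {
		served.AddCert(inter)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: served, DNSName: "gentooserver.dehnel.info"})
	return err
}
func main() {
	fmt.Println("leaf only:", chainCheck(false), "| fullchain:", chainCheck(true)) // unknown authority | <nil>
}
```

To check a real deployment the same way, run openssl s_client -showcerts against the public name (through the proxy) and against apache directly: if the proxy hands out one certificate where apache hands out two, the proxy is configured with the leaf instead of the fullchain file.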
            stephenw10 (Netgate Administrator)

            If you're only using the reverse proxy in order to host several sites at one IP address couldn't you just port forward 9418 to the server and use git directly for this?

            Steve

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.