Certificate issue using git from outside the network



  • I have a gitea instance hosted on a server. Push/pull to the server works on the local network. Outside the network though, I get certificate errors.

    bash-5.0$ git clone https://gentooserver.dehnel.info/gitea/nathan/gooby-channel.git
    Cloning into 'gooby-channel'...
    fatal: unable to access 'https://gentooserver.dehnel.info/gitea/nathan/gooby-channel.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
    

    Access to the server from outside goes through a squid reverse proxy on the router. The server and the router have Let's Encrypt certificates through ACME. HTTPS webpages work.



  • Hi,

    What is the question?

    Several things to check:
    Instead of "https://gentooserver ...." shouldn't you be using the more classic "git://gentooserver ..."?
    Use the "-v" option to see more details.
    Look in the (git) log file - client and server ....
    The cert host name used, "gentooserver.dehnel.info", is valid for "gentooserver.dehnel.info" or *.dehnel.info?
    The git server actually used this cert?
    The same question has already been asked in the past. You checked them all?
    If squid seems the issue, shut it down for the moment?
    Etc etc.



  • What is the question?

    How do I fix the error and get git clone/push working?

    Instead of "https://gentooserver ...." shouldn't you be using the more classic "git://gentooserver ..."?

    git: wants to use port 9418. I tried adding a mapping in the squid webui. It didn't work.

    bash-5.0$ git clone -v git://gentooserver.dehnel.info/gitea/nathan/gooby-channel.git
    Cloning into 'gooby-channel'...
    Looking up gentooserver.dehnel.info ... done.
    Connecting to gentooserver.dehnel.info (port 9418) ... fatal: unable to connect to gentooserver.dehnel.info:
    gentooserver.dehnel.info[0: 70.121.81.72]: errno=Connection timed out
    
    

    Use the "-v" option to see more details.

    Same output

    Look in the (git) log file - client and server ....

    I don't know what the git client log is. Google just returns "git log" command, which is something else.

    gitea log for a local push:

    2020/03/12 17:14:12 [I] 10.0.0.103 - - [12/Mar/2020:17:14:12 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 0 "\" \"git/2.25.1"
    2020/03/12 17:14:24 [I] 10.0.0.103 - nathan [12/Mar/2020:17:14:23 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 200 182 "\" \"git/2.25.1"
    2020/03/12 17:15:35 [I] 10.0.0.103 - - [12/Mar/2020:17:15:35 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 0 "\" \"git/2.25.1"
    2020/03/12 17:15:42 [I] 10.0.0.103 - - [12/Mar/2020:17:15:42 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 19 "\" \"git/2.25.1"
    2020/03/12 17:15:42 [I] 10.0.0.103 - - [12/Mar/2020:17:15:42 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 19 "\" \"git/2.25.1"
    2020/03/12 17:15:44 [I] 10.0.0.103 - - [12/Mar/2020:17:15:44 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 0 "\" \"git/2.25.1"
    2020/03/12 17:15:50 [I] 10.0.0.103 - nathan [12/Mar/2020:17:15:50 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 200 182 "\" \"git/2.25.1"
    2020/03/12 17:15:50 [I] [::1] - - [12/Mar/2020:17:15:50 -0500] "GET /api/internal/hook/pre-receive/nathan/gooby-channel?old=f2902da7c133df383bf95bca1aef4e4c168c0a2b&new=f02d068adfd4ffd142d3ef3d203b321721bfc664&ref=refs%2Fheads%2Fmaster&userID=1&gitObjectDirectory=%2Fvar%2Flib%2Fgit%2Fgitea-repositories%2Fnathan%2Fgooby-channel.git%2F.%2Fobjects%2Fincoming-NSJKIG&gitAlternativeObjectDirectories=%2Fvar%2Flib%2Fgit%2Fgitea-repositories%2Fnathan%2Fgooby-channel.git%2F.%2Fobjects&gitQuarantinePath=%2Fvar%2Flib%2Fgit%2Fgitea-repositories%2Fnathan%2Fgooby-channel.git%2F.%2Fobjects%2Fincoming-NSJKIG&prID=0 HTTP/1.1" 200 2 "\" \"GiteaServer"
    2020/03/12 17:15:50 [I] [::1] - - [12/Mar/2020:17:15:50 -0500] "GET /api/internal/hook/post-receive/nathan/gooby-channel?old=f2902da7c133df383bf95bca1aef4e4c168c0a2b&new=f02d068adfd4ffd142d3ef3d203b321721bfc664&ref=refs%2Fheads%2Fmaster&userID=1&username=nathan HTTP/1.1" 200 17 "\" \"GiteaServer"
    2020/03/12 17:15:50 [I] 10.0.0.103 - nathan [12/Mar/2020:17:15:50 -0500] "POST /nathan/gooby-channel.git/git-receive-pack HTTP/1.1" 200 52 "\" \"git/2.25.1"
    

    Remote push: nothing appears in the log.

    The cert host name used, "gentooserver.dehnel.info", is valid for "gentooserver.dehnel.info" or *.dehnel.info?

    The domains listed in the "Domain SAN list" for the certificate are dehnel.info and *.dehnel.info

    The git server actually used this cert?

    Yes, apache is configured to use this cert. I don't see how https could work otherwise.

    The same question has already been asked in the past. You checked them all?

    All the answers seem to be about the CA being untrusted by the client computer, but it seems unlikely to me that Let's Encrypt would be omitted from trusted CAs? And even if it were, why does git clone work on the local network if it's a client issue?

    If squid seems the issue, shut it down for the moment?

    I don't think that would be possible. I only have one IP address.

    As additional context, I think I had the same error locally with gitea, until I set apache to use the "fullchain" certificate. So maybe the solution would be to set the router/proxy to use the "fullchain" certificate as well?

    Thanks.
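The "fullchain" hypothesis in the post above can be tested directly: from outside the network run `openssl s_client -connect gentooserver.dehnel.info:443 -servername gentooserver.dehnel.info -showcerts </dev/null` and look at which certificates the proxy actually sends. The script below is an added example, not from this thread; it parses that `-showcerts` output and reports whether only the leaf was served (the "cert" file) or a chain that links to a trusted root (the "fullchain" file). The sample inputs are constructed and the `TRUSTED_ROOTS` set stands in for the client's CA bundle.

```python
import re

# Matches the " 0 s:<subject>" / "   i:<issuer>" lines that
# `openssl s_client -showcerts` prints for each certificate it received.
_NAME_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")

def parse_chain(showcerts_text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in showcerts_text.splitlines():
        m = _NAME_LINE.match(line)
        if not m:                       # PEM bodies and other output are skipped
            continue
        kind, name = m.group(1), m.group(2).strip()
        if kind == "s":
            subject = name
        elif subject is not None:       # an "i:" line completes one entry
            chain.append((subject, name))
            subject = None
    return chain

def check_chain(chain, trusted_roots):
    """Walk the presented chain the way a client would; return (ok, reason)."""
    if not chain:
        return False, "server presented no certificate"
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if next_subj != issuer:
            return False, f"'{subj}' is issued by '{issuer}' but next cert is '{next_subj}'"
    last_subj, last_issuer = chain[-1]
    if last_issuer in trusted_roots or last_subj in trusted_roots:
        return True, "chain links to a root in the client's CA bundle"
    if len(chain) == 1:
        return False, f"only the leaf was sent; issuer '{last_issuer}' is not a trusted root (serve the fullchain)"
    return False, f"chain ends at '{last_issuer}', which is not a trusted root"

# Constructed samples (not real captures) of what a proxy configured with
# the cert-only file vs. the fullchain file would present.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = gentooserver.dehnel.info
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
"""
FULLCHAIN = LEAF_ONLY + """\
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""
TRUSTED_ROOTS = {"O = Digital Signature Trust Co., CN = DST Root CA X3"}  # stand-in for the CA bundle

if __name__ == "__main__":
    print(check_chain(parse_chain(LEAF_ONLY), TRUSTED_ROOTS))
```

To use it on a real capture, read the `openssl s_client` output from a file and pass it to `parse_chain`; a leaf-only result means the proxy's TLS configuration points at the certificate file instead of the fullchain file, which is exactly why the browser (which may fetch missing intermediates via AIA) can succeed while git does not.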


  • Netgate Administrator

    If you're only using the reverse proxy in order to host several sites at one IP address, couldn't you just port forward 9418 to the server and use git directly for this?

    Steve

