Certificate issue using git from outside the network
-
I have a gitea instance hosted on a server. Push/pull to the server works on the local network. Outside the network though, I get certificate errors.
bash-5.0$ git clone https://gentooserver.dehnel.info/gitea/nathan/gooby-channel.git
Cloning into 'gooby-channel'...
fatal: unable to access 'https://gentooserver.dehnel.info/gitea/nathan/gooby-channel.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Access to the server from outside goes through a squid reverse proxy on the router. The server and the router have Letsencrypt certificates through ACME. HTTPS webpages work.
-
Hi,
What is the question?
Several things to check:
Instead of "https://gentooserver ...." shouldn't you be using the more classic "git://gentooserver ..."?
Use the "-v" option to see more details.
Look in the (git) log file - client and server ....
The cert host name used, "gentooserver.dehnel.info", is valid for "gentooserver.dehnel.info" or *.dehnel.info?
The git server actually used this cert?
The same question has already been asked in the past. You checked them all?
If squid seems the issue, shut it down for the moment?
Etc etc -
> What is the question?
How do I fix the error and get git clone/push working?

> Instead of "https://gentooserver ...." shouldn't you be using the more classic "git://gentooserver ..."?
git: wants to use port 9418. I tried adding a mapping in the squid webui. It didn't work.
bash-5.0$ git clone -v git://gentooserver.dehnel.info/gitea/nathan/gooby-channel.git
Cloning into 'gooby-channel'...
Looking up gentooserver.dehnel.info ... done.
Connecting to gentooserver.dehnel.info (port 9418) ...
fatal: unable to connect to gentooserver.dehnel.info:
gentooserver.dehnel.info[0: 70.121.81.72]: errno=Connection timed out

> Use the "-v" option to see more details.
Same output

> Look in the (git) log file - client and server ....
I don't know what the git client log is. Google just returns the "git log" command, which is something else.
gitea log for a local push:
2020/03/12 17:14:12 [I] 10.0.0.103 - - [12/Mar/2020:17:14:12 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 0 "" "git/2.25.1"
2020/03/12 17:14:24 [I] 10.0.0.103 - nathan [12/Mar/2020:17:14:23 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 200 182 "" "git/2.25.1"
2020/03/12 17:15:35 [I] 10.0.0.103 - - [12/Mar/2020:17:15:35 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 0 "" "git/2.25.1"
2020/03/12 17:15:42 [I] 10.0.0.103 - - [12/Mar/2020:17:15:42 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 19 "" "git/2.25.1"
2020/03/12 17:15:42 [I] 10.0.0.103 - - [12/Mar/2020:17:15:42 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 19 "" "git/2.25.1"
2020/03/12 17:15:44 [I] 10.0.0.103 - - [12/Mar/2020:17:15:44 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 401 0 "" "git/2.25.1"
2020/03/12 17:15:50 [I] 10.0.0.103 - nathan [12/Mar/2020:17:15:50 -0500] "GET /nathan/gooby-channel.git/info/refs?service=git-receive-pack HTTP/1.1" 200 182 "" "git/2.25.1"
2020/03/12 17:15:50 [I] [::1] - - [12/Mar/2020:17:15:50 -0500] "GET /api/internal/hook/pre-receive/nathan/gooby-channel?old=f2902da7c133df383bf95bca1aef4e4c168c0a2b&new=f02d068adfd4ffd142d3ef3d203b321721bfc664&ref=refs%2Fheads%2Fmaster&userID=1&gitObjectDirectory=%2Fvar%2Flib%2Fgit%2Fgitea-repositories%2Fnathan%2Fgooby-channel.git%2F.%2Fobjects%2Fincoming-NSJKIG&gitAlternativeObjectDirectories=%2Fvar%2Flib%2Fgit%2Fgitea-repositories%2Fnathan%2Fgooby-channel.git%2F.%2Fobjects&gitQuarantinePath=%2Fvar%2Flib%2Fgit%2Fgitea-repositories%2Fnathan%2Fgooby-channel.git%2F.%2Fobjects%2Fincoming-NSJKIG&prID=0 HTTP/1.1" 200 2 "" "GiteaServer"
2020/03/12 17:15:50 [I] [::1] - - [12/Mar/2020:17:15:50 -0500] "GET /api/internal/hook/post-receive/nathan/gooby-channel?old=f2902da7c133df383bf95bca1aef4e4c168c0a2b&new=f02d068adfd4ffd142d3ef3d203b321721bfc664&ref=refs%2Fheads%2Fmaster&userID=1&username=nathan HTTP/1.1" 200 17 "" "GiteaServer"
2020/03/12 17:15:50 [I] 10.0.0.103 - nathan [12/Mar/2020:17:15:50 -0500] "POST /nathan/gooby-channel.git/git-receive-pack HTTP/1.1" 200 52 "" "git/2.25.1"
remote push, nothing appears in the log.

> The cert host name used, "gentooserver.dehnel.info", is valid for "gentooserver.dehnel.info" or *.dehnel.info?
The domains listed in the "Domain SAN list" for the certificate are dehnel.info and *.dehnel.info

> The git server actually used this cert?
Yes, apache is configured to use this cert. I don't see how https could work otherwise.

> The same question has already been asked in the past. You checked them all?
All the answers seem to be about the CA being untrusted by the client computer, but it seems unlikely to me that LetsEncrypt would be omitted from trusted CAs? And even if it were, why does git clone work on the local network if it's a client issue?

> If squid seems the issue, shut it down for the moment?
I don't think that would be possible. I only have one IP address.

As additional context, I think I had the same error locally with gitea, until I set apache to use the "fullchain" certificate. So maybe the solution would be to set the router/proxy to use the "fullchain" certificate as well?
Thanks.
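The "fullchain" hypothesis in the post above can be checked directly rather than guessed at. What follows is an added example, not code from the original thread: it parses the "Certificate chain" section that `openssl s_client -showcerts` prints and reports every issuer that the server neither sent nor the client already trusts. A chain that stops at the leaf is exactly what a proxy loaded with `cert.pem` instead of `fullchain.pem` presents; browsers usually fetch or cache the missing intermediate on their own, which is why HTTPS pages "work", while git (via curl) does not and fails with "server certificate verification failed". The two sample outputs, the certificate names in them and the trust-anchor list are constructed for the example and stand in for whatever the real `s_client` run prints.

```python
"""Compare the certificate chain presented by two TLS endpoints.

Added example, not from the original post. It parses the "Certificate chain"
section of `openssl s_client -showcerts` output and reports every issuer that
is neither the subject of a later certificate in the chain nor a trust anchor.
A non-empty result is the "missing intermediate" case that fullchain.pem fixes.
"""
import re
from typing import List, Set, Tuple

# Constructed sample (assumption): what the origin Apache, configured with
# fullchain.pem, might print. Certificate bodies are elided placeholders.
ORIGIN_FULLCHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dehnel.info
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIF...leaf...
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIE...intermediate...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dehnel.info
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
    Verify return code: 0 (ok)
"""

# Constructed sample (assumption): a reverse proxy loaded with the leaf
# certificate only. Same leaf, but the chain stops after entry 0.
PROXY_LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = dehnel.info
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = dehnel.info
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIF...leaf...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dehnel.info
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
    Verify return code: 21 (unable to verify the first certificate)
"""

# Root subjects the client trust store is assumed to contain (assumption for
# the example; the real ones live in /etc/ssl/certs on the git client).
TRUST_ANCHORS: Set[str] = {
    "O = Digital Signature Trust Co., CN = DST Root CA X3",
    "C = US, O = Internet Security Research Group, CN = ISRG Root X1",
}

_SUBJ = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:CN = ..." lines
_ISS = re.compile(r"^\s*i:(.*)$")           # "   i:C = US, ..." lines


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain: List[Tuple[str, str]] = []
    subject = None
    for line in s_client_output.splitlines():
        m = _SUBJ.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = _ISS.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def missing_issuers(chain: List[Tuple[str, str]], trust_anchors: Set[str]) -> List[str]:
    """Issuers the server did not send and the client does not already trust.

    git/curl do not fetch intermediates over AIA, so any such gap makes
    verification fail even though the leaf itself is perfectly valid.
    """
    sent_subjects = {subj for subj, _ in chain}
    gaps = []
    for subj, issuer in chain:
        if issuer == subj:  # self-signed root sent explicitly; nothing to chase
            continue
        if issuer in sent_subjects or issuer in trust_anchors:
            continue
        gaps.append(issuer)
    return gaps


def verify_return_code(s_client_output: str) -> int:
    """OpenSSL's own verdict from the 'Verify return code: N (...)' line."""
    m = re.search(r"Verify return code:\s*(\d+)", s_client_output)
    return int(m.group(1)) if m else -1


if __name__ == "__main__":
    for name, out in (("origin", ORIGIN_FULLCHAIN), ("proxy", PROXY_LEAF_ONLY)):
        chain = parse_chain(out)
        gaps = missing_issuers(chain, TRUST_ANCHORS)
        print(f"{name}: {len(chain)} cert(s) sent, verify code "
              f"{verify_return_code(out)}, missing issuer(s): {gaps or 'none'}")
```

To feed it real data, capture `openssl s_client -connect gentooserver.dehnel.info:443 -servername gentooserver.dehnel.info -showcerts </dev/null` once from inside the LAN (which reaches Apache) and once from outside (which reaches squid), and compare the two chains. If the proxy's list is the shorter one, the fix is the same as the one already applied to Apache: give the proxy's listener the fullchain file (leaf followed by the intermediate). On the git side, `GIT_CURL_VERBOSE=1 git clone ...` prints curl's TLS handshake details, which is the closest thing to the "git client log" asked about above.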
-
If you're only using the reverse proxy in order to host several sites at one IP address, couldn't you just port forward 9418 to the server and use git directly for this?
Steve