I have a hosted Git repo on my company intranet. I can clone, pull, push, etc successfully with command line Git by disabling sslverify. I know this is not ideal but I have no control over our certificate or IT infrastructure so it is what it is.
I paid for GitLab EE, setup the omnibus package and I'm trying to clone the repo via https. However I get an error that it cannot verify the SSL certificate. This is not entirely unexpected but I cannot figure out how to bypass the ssl verification with GitLab EE. In the http settings I set self verified to true and pointed it to my .pem in /etc/gitlab/ssl but I get the same error.
Can I just set sslverify to false like I did command line git?
Since GitLab fails to pull from a Repo because the certificate check failed, you can set git specific settings in your /etc/gitlab/gitlab.rb. There is a key called omnibus_gitconfig['system'] there your config should be something like:
omnibus_gitconfig['system'] = { "http" => ["sslVerify = false"]}
This is bad practice and you should use it with caution.
You could specify the domain to disable certificate checks for with:
omnibus_gitconfig['system'] = { "http \"https://example.com\"" => ["sslVerify = false"]}
You can define it in omnibus configuration package like Fairy says.
Or you can use int a git bash command :
git config --global sslVerify false
This will disable the HTTPS verification of current repository
Related
I am trying to create a GitHub action that runs on a windows server self-hosted runner and I'm stuck on my checkout failing at the LFS download portion
I'm using
- uses: actions/checkout#v3
with:
lfs: true
The checkout for the normal code works fine, but when it gets to the LFS download step I get a lot of messages complaining about x509: certificate signed by unknown authority.
LFS: Get "https://github-cloud.githubusercontent.com/alambic/details_changed_to_protect_the_innocent": x509: certificate signed by unknown authority
The self-hosted runner is on a domain that is behind a firewall that interrogates https traffic and inserts its own certificate into the chain, so I'm guessing that the unknown authority is that certificate, but I don't know where that certificate needs to be trusted so that things work.
The certificate is trusted by the OS and is installed in the certificate store through a group policy, but it seems that git LFS is verifying the certificate chain separate from that and complains anyway because the certificate is unexpected.
A common solution I've seen floating around for things like this is just turn off SSL checking, but that feels like just a temporary hack and not a real solution. I would like for this to work with all security in place.
As an additional note, this is running on a server that is also running TeamCity, and the TeamCity GitHub config is able to clone repos with LFS from that same server, so these problems are just inside of the GitHub action runner environment that gets set up.
Since the firewall only inserts its certificate into https traffic, I was able to get things working using an ssh-key. I added the private key as a secret and the public key to the repo's deploy keys, and now everything is working as expected.
- uses: actions/checkout#v3
with:
lfs: true
ssh-key: ${{secrets.repo_ssh}}
I used JGIT to clone a repo from bitbucket using HTTPS method which worked fine.
But I am trying to do is do a git pull from command Line from the cloned repo. When this is done i am getting fatal: unable to access 'https://cedt-icg-bitbucket.********.git/': SSL certificate problem: self signed certificate in certificate chain
I don't want to use the suggested git -c http.sslVerify=false to solve as its not safe as its a private repo.
Any suggestions? please
Everything was working fine from months I was able to clone/fetch/push/pull from my Gitlab repo on my mac:
Suddenly started to get this error on mac:
When I run the command:
git fetch "repo_link" I get the following error
unable to access : SSL peer handshake failed, the server most likely requires a client certificate to connect.
git config http.sslVerify false is already set.
Even if try to fetch/push/pull from Android studio getting the same error.
Tried clone/fetch on another mac it's working fine.
Please help.
It worked for me by using SSL instead of HTTPS.
I simply added another remote repo using the following command
git remote add org git#gitlab.com:***/***.git
Replace *** with your SSH path details
Then add an SSH to your GitLab account from here
To add an SSH key you need to generate one or use an existing key.
Once the key has been added to your GitLab account you can try
git push -u org master
Try to enable the sslVerify
locally at repo git config http.sslVerify true or globally git config --global http.sslVerify true
When I run something like:
git clone https://gitlab.mydoman.com/test.git
from part of the clients, I get the error:
Peer's Certificate issuer is not recognized
I saw 2 main solution:
1. User can set
export GIT_SSL_NO_VERIFY=true
2. to install root certificates
I would like to solve the problem to all the users.
I did not understood how to install the root certificate and where I configure Gitlab to use it. Is there url to clear instruction?
Thanks.
On a windows machine how do I run serverless deploy from behind a proxy using a cafile?
I am able to install serverless but when I run serverless deploy I get the following error:
Serverless: Injecting required Python packages to package...
Serverless: Recoverable error occurred (unable to get local issuer certificate), sleeping for 5 seconds. Try 1 of 4
I have tried the following solutions, suggested from this issue page, with no benefit:
set environment variable cafile to a path containing my pem file
set environment variable ca to the contents of my pem file
set environment variable NODE_TLS_REJECT_UNAUTHORIZED=0
npm config set cafile = "/path/to/my/cert"
npm config set strict-ssl = false
Try to set default *nix proxy environment variables:
http-proxy and
https-proxy
in the form: http(s)://username:password#proxy.address:proxy_port.
If it is a secure proxy that you use, it might be the proxy certificate or certificate's CA that you need to set as cafile.