[SAC] [OSGeo] #1666: git does not trust new SSL certs

#1666: git does not trust new SSL certs
---------------------------+----------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Keywords: ssl, git
---------------------------+----------------------
Attempts to git-push via https://git.osgeo.org/ result in:
{{{
  fatal: unable to access 'https://git.osgeo.org/gogs/rttopo/librttopo.git/':
  server certificate verification failed.
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CRLfile: none
}}}

This started since the new SSL certificates were deployed.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1666>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

Comment (by strk):

According to http://stackoverflow.com/a/16577227 there's a possibility
that the intermediate cert file might benefit from a reordering, to work
around a GnuTLS bug.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1666#comment:1>

Comment (by strk):

The error occurs to me by just running:
{{{
git clone https://git.osgeo.org/gogs/rttopo/librttopo.git
}}}

But only with git versions 1.7.10.4 and 1.9.1,
whereas git version 2.1.4 did not raise the error.

Maybe newer versions are not using GnuTLS (or are using a newer version of
it)

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1666#comment:2>

Comment (by strk):

I confirm reordering the contents of /etc/ssl/osgeo/ca-bundle-client.crt
fixed the issue.
Now I guess all other machines should be updated.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1666#comment:3>

Comment (by martin):

Indeed, the CA certificate chain ordering as delivered by the CA is
'unfortunate' (uncommon),

Martin.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1666#comment:4>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.
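
The ordering check and reordering discussed in this ticket, as an added example that is not part of the original thread or OSGeo's tooling: it tests whether every certificate in a PEM bundle is followed by its issuer, and rewrites a misordered bundle as leaf, intermediate(s), root. The function names and the test certificates are constructed for illustration; names are matched as strings and no signatures are verified.

```shell
# Added example (not from the ticket): check and repair the order of a PEM chain.
# Names are compared as RFC 2253 strings (a simplification). Needs openssl.
name() {  # $1 = subject|issuer, $2 = PEM file holding one certificate
    openssl x509 -noout -nameopt RFC2253 "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}
split_bundle() {  # write each certificate of bundle $1 to $2/NN.pem, in file order
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%02d.pem", d, ++n) }
                   n { print > f }' "$1"
}
chain_is_ordered() {  # exit 0 if each cert's issuer is the subject of the next one
    tmp=$(mktemp -d); split_bundle "$1" "$tmp"; want=""; rc=0
    for f in "$tmp"/*.pem; do
        [ -z "$want" ] || [ "$(name subject "$f")" = "$want" ] || rc=1
        want=$(name issuer "$f")
    done
    rm -rf "$tmp"; return "$rc"
}
reorder_chain() {  # print bundle $1 as leaf, intermediate(s), root
    tmp=$(mktemp -d); split_bundle "$1" "$tmp"; cur=""
    for f in "$tmp"/*.pem; do          # the leaf is the cert that issued no other
        s=$(name subject "$f"); cur=$f
        for g in "$tmp"/*.pem; do
            [ "$g" = "$f" ] || [ "$(name issuer "$g")" != "$s" ] || cur=""
        done
        [ -z "$cur" ] || break
    done
    while [ -n "$cur" ]; do            # follow issuer links upward
        cat "$cur"; want=$(name issuer "$cur"); next=""
        [ "$want" != "$(name subject "$cur")" ] || break   # self-signed root: done
        for g in "$tmp"/*.pem; do
            if [ "$(name subject "$g")" = "$want" ]; then next=$g; fi
        done
        cur=$next
    done
    rm -rf "$tmp"
}

issue() {  # constructed test data: $1 = name, $2 = CN, $3 = name of the issuer
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" \
        -CAcreateserial -out "$d/$1.pem" 2>/dev/null
}
make_constructed_chain() {  # throwaway root.pem, inter.pem, leaf.pem in dir $1
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    issue inter "Constructed Intermediate" root; issue leaf "git.example.test" inter
}
```

Run `chain_is_ordered` against a chain file before deploying it, and `reorder_chain bundle.pem > fixed.pem` when it fails.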

Comment (by strk):

Can anyone take care of copying the reordered chain from
git.osgeo.org to other machines ? I don't have sudo on the
required ones

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1666#comment:5>

Comment (by strk):

Alex: was the copy over taken care of ?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1666#comment:6>

Comment (by wildintellect):

I didn't do it, seemed a minor issue outside of the git service... also
didn't want to rush in the event we decided to change certs again...
Someone else is welcome to do this fix too.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1666#comment:7>

Comment (by strk):

It looks like it was decided not to change certs again, so for the next 3
years we keep these. As it's not been easy to spot, it'd be nice to not
hit this bug again in the future, if we decide to open more git services
via https on other machines...

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1666#comment:8>

Comment (by strk):

Martin, did you spread the change onto other machines ?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1666#comment:9>

#1666: git does not trust new SSL certs
---------------------------+---------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: closed
Priority: normal | Milestone:
Component: Systems Admin | Resolution: fixed
Keywords: ssl, git |
---------------------------+---------------------
Changes (by strk):

* status: new => closed
* resolution: => fixed

Comment:

closing for lack of feedback, and assuming fixed.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1666#comment:10>