problem to push to my local gerrit - The requested URL returned error: 403

267 views
Skip to first unread message

Demi Goldberg

unread,
Jul 1, 2015, 9:47:59 AM7/1/15
to msy...@googlegroups.com
Hi

It works fine but suddenly after upgrade git to 1.9.5 it start happend:

I got the following problem when push to my gerrit:

fatal: unable to access 'http://my_gerrit:8080/Repo1.git/': The requested URL returned error: 403

I downgrade to the old version but problem still occure.

It works find for me to the same server ,user and repo on a diffrent windows machine ?

Any idea how to fix on my local machine ?

Please help.

Johannes Schindelin

unread,
Jul 1, 2015, 10:07:50 AM7/1/15
to Demi Goldberg, msy...@googlegroups.com
Hi Demi,

On 2015-07-01 15:47, Demi Goldberg wrote:

> fatal: unable to access 'http://my_gerrit:8080/Repo1.git/': The
> requested
> URL returned error: 403

Sounds like credentials are required: `git push
http://username:password@my_gerrit:8080/Repo1.git/`

Ciao,
Johannes

Demi Goldberg

unread,
Jul 1, 2015, 11:30:10 AM7/1/15
to msy...@googlegroups.com
Hi

It is not a credential issue as I run the same commands on a diffrent machine

see the output:

C:\Git\Gerrit-Repo1>git push http:/my_gerrit:8080/Repo1.git HEAD:refs/for/master
Username for 'http://my_gerrit:8080': my_user
Password for 'http://my_user@my_gerrit:8080':
fatal: unable to access 'http://my_gerrit:8080/Repo1.git/': The requested URL returned error: 403

Konstantin Khomoutov

unread,
Jul 1, 2015, 11:45:11 AM7/1/15
to Demi Goldberg, msy...@googlegroups.com
On Wed, 1 Jul 2015 08:30:10 -0700 (PDT)
Demi Goldberg <demi.g...@gmail.com> wrote:

> It is not a credential issue as I run the same commands on a diffrent
> machine
>
> see the output:
>
> C:\Git\Gerrit-Repo1>git push http:/my_gerrit:8080/Repo1.git
> HEAD:refs/for/master
> Username for 'http://my_gerrit:8080': my_user
> Password for 'http://my_user@my_gerrit:8080':
> fatal: unable to access 'http://my_gerrit:8080/Repo1.git/': The
> requested URL returned error: 403

Are you able to trace the network traffic to my_gerrit:8080 using
Wireshark? The idea is to see whether authentication succeeded at all.
You might also try exporting GIT_CURL_VERBOSE=1 before running your
command to make libcURL, which Git uses for accessing HTTP[S]-enabled
servers, output some debug information as it works.

Demi Goldberg

unread,
Jul 5, 2015, 9:19:32 AM7/5/15
to msy...@googlegroups.com, demi.g...@gmail.com
Hi

here is the out put it looks the error is :
Couldn't find host my_gerrit in the _netrc file; using defaults

any idea ?

#############################################################


* Connection #0 to host my_gerrit left intact
Username for 'http://my_gerrit:8080': my_user
Password for 'http://my_user@my_gerrit:8080':
* Couldn't find host my_gerrit in the _netrc file; using defaults
* Found bundle for host my_gerrit: 0x73a260
* Hostname my_gerrit was found in DNS cache
*   Trying 192.168.20.31...
* Connected to my_gerrit (192.168.20.31) port 8080 (#1)
> GET /Repo1.git/info/refs?service=git-receive-pack HTTP/1.1
User-Agent: git/1.9.5.msysgit.1
Host: my_gerrit:8080
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache

< HTTP/1.1 401 Unauthorized
< Date: Sun, 05 Jul 2015 13:02:46 GMT
< Pragma: no-cache
* Ignoring duplicate digest auth header.
< WWW-Authenticate: Digest realm="Gerrit Code Review", domain="http://my_gerrit.sirinmobile.local:8080/", qop="auth", nonce="fgxgVG8SwmXKCBXJMkJM1INJ5
fygcvg5HEqQw==$"
< Content-Type: text/plain; charset=ISO-8859-1
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Content-Length: 12
<
* Ignoring the response-body
* Connection #1 to host my_gerrit left intact
* Couldn't find host my_gerrit in the _netrc file; using defaults
* Found bundle for host my_gerrit: 0x73a260
* Re-using existing connection! (#1) with host my_gerrit
* Connected to my_gerrit (192.168.20.31) port 8080 (#1)
* Server auth using Digest with user 'my_user'
> GET /Repo1.git/info/refs?service=git-receive-pack HTTP/1.1
Authorization: Digest username="my_user",realm="",nonce="6HqKHPlkKDGcJ9W6heFSPRarWXXOM7pwXtb+Qw==$",uri="/Repo1.git/info/refs?service=git-receive-pack"
cnonce="7a0ec2f906d588f7ceb78266092e80b4",nc=00000001,response="d1251c92d0450b1218b95418f38b9a08",qop="auth"
User-Agent: git/1.9.5.msysgit.1
Host: my_gerrit:8080
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache

< HTTP/1.1 403 Forbidden
< Date: Sun, 05 Jul 2015 13:02:46 GMT
< Content-Type: text/plain; charset=ISO-8859-1
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Content-Length: 9
<
* Connection #1 to host my_gerrit left intact

Demi Goldberg

unread,
Jul 7, 2015, 3:32:13 AM7/7/15
to msy...@googlegroups.com

Any help with this issue ?
Any idea what is the file _netrc file;?

Konstantin Khomoutov

unread,
Jul 7, 2015, 6:30:40 AM7/7/15
to Demi Goldberg, msy...@googlegroups.com
On Sun, 5 Jul 2015 06:19:31 -0700 (PDT)
Demi Goldberg <demi.g...@gmail.com> wrote:

> here is the out put it looks the error is :
> Couldn't find host my_gerrit in the _netrc file; using defaults

To me, this doesn't look like an error and/or the root cause for your
problem: you can read about how libCURL uses ~/.netrc (or
%USERPROFILE%\_netrc on Windows -- hece in Git for Windows) in [1]
and [2] (search for ".netrc" in both places) -- you'll see that this
file is not needed.

On the other hand... do the box on which your push works OK actually
*have* the _netrc file? May be the information in it somehow makes
that other Git instance authenticate OK?

> any idea ?

Well, the only think I don't really understand from the log output you
cited is why the client lists the "nonce" parameter in its debug
printout when only the server sends nonce and the client sends
"cnonce" ("client's nonce").

The Digest HTTP authentication is detailed in RFC 2617 [3], and what I
fail to understand is written below -- inline.

[...]
> > GET /Repo1.git/info/refs?service=git-receive-pack HTTP/1.1

OK, the client sends its request.

[...]

> < HTTP/1.1 401 Unauthorized
> < Date: Sun, 05 Jul 2015 13:02:46 GMT
> < Pragma: no-cache
> * Ignoring duplicate digest auth header.
> < WWW-Authenticate: Digest realm="Gerrit Code Review",
> domain="http://my_gerrit.sirinmobile.local:8080/", qop="auth",
> nonce="fgxgVG8SwmXKCBXJMkJM1INJ5
> fygcvg5HEqQw==$"

The server sends back 401, tells the client it supports Digest auth,
and tells the client its nonce parameter, which is
"fgxgVG8SwmXKCBXJMkJM1INJ5fygcvg5HEqQw==$".

[...]
> > GET /Repo1.git/info/refs?service=git-receive-pack HTTP/1.1

The client re-tries its request, attaching its authentication response:

> Authorization: Digest
> username="my_user",realm="",nonce="6HqKHPlkKDGcJ9W6heFSPRarWXXOM7pwXtb
> +Qw==$",uri="/Repo1.git/info/refs?service=git-receive-pack"
> cnonce="7a0ec2f906d588f7ceb78266092e80b4",
> nc=00000001,response="d1251c92d0450b1218b95418f38b9a08",qop="auth"

What I don't get about this is why there's this "nonce" parameter
and why it's different from the server's.

[...]
> < HTTP/1.1 403 Forbidden

The server forbids our request.

TL;DR

I'm not an expert on RFC 2617, and Digets auth is of the
challenge-response type so one can't just decode it and see whether the
client's credentials has been sent correctly -- simply because they are
not sent over the wire as the client merely proves it knows the
correct passphrase.

I don't know where to go from there to be honest.
If possible, I'd start with looking at the logs on the Gerrit's side.

Also trying direct curl call may be

[...]

1. http://curl.haxx.se/docs/manual.html
2. http://curl.haxx.se/docs/manpage.html
3. http://tools.ietf.org/html/rfc2617
Reply all
Reply to author
Forward
0 new messages