Git clone over https not working after upgrade from 3.4.0 to 3.7.2

[Nagarjuna Veeraboyani]

Hi There,

We installed gerrit as part k8s pod. git clone over ssh & https used to work before upgrading to 3.7.2, now there seems to be an issue with git clone over https. 

seeing below fatal error:

git clone "https://gerrit-staging.local.xxx.com/yyy-jobs"
Cloning into 'yyy-jobs'...
fatal: unable to access 'https://gerrit-staging.local.xxx.com/yyy-jobs/': SSL: no alternative certificate subject name matches target host name 'gerrit-staging.local.xxx.com'
 

Using java version inside pod:

java --version
openjdk 11.0.16 2022-07-19
OpenJDK Runtime Environment (build 11.0.16+8-post-Ubuntu-0ubuntu118.04)
OpenJDK 64-Bit Server VM (build 11.0.16+8-post-Ubuntu-0ubuntu118.04, mixed mode, sharing)

Anyone else seen this behavior ?

[Luca Milanesio]

On 15 May 2023, at 15:34, 'Nagarjuna Veeraboyani' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

Hi There,

We installed gerrit as part k8s pod. git clone over ssh & https used to work before upgrading to 3.7.2, now there seems to be an issue with git clone over https. 

seeing below fatal error:

git clone "https://gerrit-staging.local.xxx.com/yyy-jobs"
Cloning into 'yyy-jobs'...
fatal: unable to access 'https://gerrit-staging.local.xxx.com/yyy-jobs/': SSL: no alternative certificate subject name matches target host name 'gerrit-staging.local.xxx.com'

I believe the above message tells you what happened:

“SSL: no alternative certificate subject name matches target host name 'gerrit-staging.local.xxx.com'"

You have an invalid certificate and the subject doesn’t match the hostname.

You need to request your company’s CA an X.509 certificate where the subject corresponds to the hostname.

HTH

Luca.

 

Using java version inside pod:

java --version
openjdk 11.0.16 2022-07-19
OpenJDK Runtime Environment (build 11.0.16+8-post-Ubuntu-0ubuntu118.04)
OpenJDK 64-Bit Server VM (build 11.0.16+8-post-Ubuntu-0ubuntu118.04, mixed mode, sharing)

Anyone else seen this behavior ?

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/2693d7e7-39f1-4248-8db6-47b35524a61en%40googlegroups.com.

[Nagarjuna Veeraboyani]

Thanks for prompt response Luca,

Why did I skip the ssl verification like below seeing error: "fatal: unable to update url base from redirection:" as below.

git -c http.sslVerify=false clone "https://gerrit-staging.local.forwardnetworks.com/fwd-jenkins-jobs"
Cloning into 'fwd-jenkins-jobs'...
fatal: unable to update url base from redirection:
  asked for: https://gerrit-staging.local.xxx.com/fwd-jenkins-jobs/info/refs?service=git-upload-pack
   redirect: https://gerrit-staging.local.xx.com/login/%2Ffwd-jenkins-jobs%2Finfo%2Frefs%3Fservice%3Dgit-upload-pack

How and where can I change the ssl config?

Regards,

Nagarjuna.

[Fabio Ponciroli]

Hi Nagarjuna,

On Mon, 15 May 2023 at 18:05, 'Nagarjuna Veeraboyani' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

Thanks for prompt response Luca,

Why did I skip the ssl verification like below seeing error: "fatal: unable to update url base from redirection:" as below.

git -c http.sslVerify=false clone "https://gerrit-staging.local.forwardnetworks.com/fwd-jenkins-jobs"
Cloning into 'fwd-jenkins-jobs'...
fatal: unable to update url base from redirection:
  asked for: https://gerrit-staging.local.xxx.com/fwd-jenkins-jobs/info/refs?service=git-upload-pack

 

   redirect: https://gerrit-staging.local.xx.com/login/%2Ffwd-jenkins-jobs%2Finfo%2Frefs%3Fservice%3Dgit-upload-pack

It is asking you to login here ^^

Is the repo available for anonymous users?

Can you try cloning with your user credentials?

 

How and where can I change the ssl config?

Updating your certificates has nothing to have with Gerrit. If you have a load balancer in front of your installation, for example, you will have to replace the certificates once your company’s CA will provide them to you.

Just to give you a load balancer example, here [1] one with haproxy where you can see where the certificates are stored.

HTH,

Ponch

[1]: https://www.haproxy.com/blog/restrict-api-access-with-client-certificates-mtls/#enable-client-certificate-authentication-in-haproxy

 

To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/CANYP%2B8sDBka34tTzD-W%3D-ZuAGFW9P1c_8cfJnn%3Dn3YuPoSdsVg%40mail.gmail.com.

[Nagarjuna Veeraboyani]

Hi Fabio,

I did pass the right credentials but still getting the same login redirection error as below. 

git -c http.sslVerify=false clone "https://{username}:{pwd}@gerrit-staging.local.xxx.com/fwd-jenkins-jobs"

Cloning into 'fwd-jenkins-jobs'...
fatal: unable to update url base from redirection:

  asked for: https://user...@gerrit-staging.local.xxx.com/fwd-jenkins-jobs/info/refs?service=git-upload-pack
   redirect: https://gerrit-staging.local.xxx.com/login/%2Ffwd-jenkins-jobs%2Finfo%2Frefs%3Fservice%3Dgit-upload-pack

What other checks can I perform here to determine the issue ?

Thanks,

Nagarjuna.

[Sven Selberg]

On Tuesday, May 16, 2023 at 2:08:54 AM UTC+2 Nagarjuna Veeraboyani wrote:

Hi Fabio,

I did pass the right credentials but still getting the same login redirection error as below. 

git -c http.sslVerify=false clone "https://{username}:{pwd}@gerrit-staging.local.xxx.com/fwd-jenkins-jobs"

If Gerrit handles authentication you'll need to add an '/a/' after $FQDN/$CONTENT_PATH.
https://gerrit-review.googlesource.com/Documentation/rest-api.html#authentication

So in that case the URL should be:
gerrit-staging.local.xxx.com/a/fwd-jenkins-jobs

[Sven Selberg]

On Tuesday, May 16, 2023 at 9:01:31 AM UTC+2 Sven Selberg wrote:

On Tuesday, May 16, 2023 at 2:08:54 AM UTC+2 Nagarjuna Veeraboyani wrote:

Hi Fabio,

I did pass the right credentials but still getting the same login redirection error as below. 

git -c http.sslVerify=false clone "https://{username}:{pwd}@gerrit-staging.local.xxx.com/fwd-jenkins-jobs"

If Gerrit handles authentication you'll need to add an '/a/' after $FQDN/$CONTENT_PATH.

should be "$FQDN/$CONTEXT_PATH".

[Matthias Sohn]

On Tue, May 16, 2023 at 9:36 AM Sven Selberg <sven.s...@axis.com> wrote:

On Tuesday, May 16, 2023 at 9:01:31 AM UTC+2 Sven Selberg wrote:

On Tuesday, May 16, 2023 at 2:08:54 AM UTC+2 Nagarjuna Veeraboyani wrote:

Hi Fabio,

I did pass the right credentials but still getting the same login redirection error as below. 

git -c http.sslVerify=false clone "https://{username}:{pwd}@gerrit-staging.local.xxx.com/fwd-jenkins-jobs"

If Gerrit handles authentication you'll need to add an '/a/' after $FQDN/$CONTENT_PATH.

should be "$FQDN/$CONTEXT_PATH".

I think the /a prefix should go in between domain name and context path like in your example

"$FQDN/a/$CONTEXT_PATH"

 

To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/bba2e19d-f52f-4247-a170-dcabf75a723dn%40googlegroups.com.

[Sven Selberg]

On Tuesday, May 16, 2023 at 9:50:59 AM UTC+2 Matthias Sohn wrote:

On Tue, May 16, 2023 at 9:36 AM Sven Selberg <sven.s...@axis.com> wrote:

On Tuesday, May 16, 2023 at 9:01:31 AM UTC+2 Sven Selberg wrote:

On Tuesday, May 16, 2023 at 2:08:54 AM UTC+2 Nagarjuna Veeraboyani wrote:

Hi Fabio,

I did pass the right credentials but still getting the same login redirection error as below. 

git -c http.sslVerify=false clone "https://{username}:{pwd}@gerrit-staging.local.xxx.com/fwd-jenkins-jobs"

If Gerrit handles authentication you'll need to add an '/a/' after $FQDN/$CONTENT_PATH.

should be "$FQDN/$CONTEXT_PATH".

I think the /a prefix should go in between domain name and context path like in your example

"$FQDN/a/$CONTEXT_PATH"

We (for whatever historical reason) have a context path to our Gerrit server and the /a definitely goes after the context path.

It is Gerrit that reads the "/a" and Gerrit only serves what is under $FQDN/$CONTEXT_PATH.

$ git clone https://review.company.com/gerrit/a/my-project.git

[Matthias Sohn]

On Tue, May 16, 2023 at 10:06 AM Sven Selberg <sven.s...@axis.com> wrote:

On Tuesday, May 16, 2023 at 9:50:59 AM UTC+2 Matthias Sohn wrote:

On Tue, May 16, 2023 at 9:36 AM Sven Selberg <sven.s...@axis.com> wrote:

On Tuesday, May 16, 2023 at 9:01:31 AM UTC+2 Sven Selberg wrote:

On Tuesday, May 16, 2023 at 2:08:54 AM UTC+2 Nagarjuna Veeraboyani wrote:

Hi Fabio,

I did pass the right credentials but still getting the same login redirection error as below. 

git -c http.sslVerify=false clone "https://{username}:{pwd}@gerrit-staging.local.xxx.com/fwd-jenkins-jobs"

If Gerrit handles authentication you'll need to add an '/a/' after $FQDN/$CONTENT_PATH.

should be "$FQDN/$CONTEXT_PATH".

I think the /a prefix should go in between domain name and context path like in your example

"$FQDN/a/$CONTEXT_PATH"

We (for whatever historical reason) have a context path to our Gerrit server and the /a definitely goes after the context path.

It is Gerrit that reads the "/a" and Gerrit only serves what is under $FQDN/$CONTEXT_PATH.

$ git clone https://review.company.com/gerrit/a/my-project.git

yeah, you are right and I was wrong 

To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/06ac1b3d-b258-4f96-bb27-adffd019169dn%40googlegroups.com.

[Nagarjuna Veeraboyani]

Thanks a lot Matthias,

git clone "https://username:p...@gerrit.local.xxx.com/a/fwd-jenkins-jobs" and git clone "https://x...@gerrit.local.xxx.com/a/fwd-jenkins-jobs" (gitconfig creds) worked in our case.

Regards,

Nagarjuna.

You received this message because you are subscribed to a topic in the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/repo-discuss/2vSLvFEYO_c/unsubscribe.
To unsubscribe from this group and all its topics, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/CAKSZd3Q8md7yeZ-gmeMwOhFmmOb1Z8zjBSQo5ugw8T8c6yu7hg%40mail.gmail.com.

[Matthias Sohn]

On Tue, May 16, 2023 at 6:24 PM Nagarjuna Veeraboyani <nagarjunav...@forwardnetworks.com> wrote:

Thanks a lot Matthias,

git clone "https://username:p...@gerrit.local.xxx.com/a/fwd-jenkins-jobs" and git clone "https://x...@gerrit.local.xxx.com/a/fwd-jenkins-jobs" (gitconfig creds) worked in our case.

Don't pass the password in the URL, that's insecure.

[Nagarjuna Veeraboyani]

Got it, thanks. I did it as part of a test one time.