[SOLVED] Clone over https fails certificate verification

I have Gitea running nicely on my vps behind an nginx reverse proxy using https and letsencrypt certs. I have cloning via ssh working.

I also have Gitea running on a home server and want to set up mirrors of the repos on the vps. I’d like that to work via https rather than http. I generated certs, set up gitea.ini for https, and got nice https clone URIs generated in the UI.
But trying to use them gives an error:

git clone https://gitea.example.com:3000/myuser/myrepo.git
Cloning into 'myrepo'...
fatal: unable to access 'https://gitea.example.com:3000/myuser/myrepo.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

This seems to be due to the self-generated certs. One solution is to disable cert verification on the client, which seems icky though. Another is to add the CA to the client so it accepts the key, but that would need to be done for each client machine…

So I’m wondering if anyone has https cloning setup using certs from letsencrypt or wherever and how you went about it.

Found a possible workaround, can now clone via https as git user on my home server - still an issue with gitea not being able to read the cert file though. More detail later.

Success.

Two steps are required. First, capture the CA cert from the remote gitea server into the git user’s account on the second gitea server; second, tell git to use that CA cert when accessing the remote repos.

Capture:

ssh myhome.server
sudo su git
cd /home/git
mkdir cacerts
echo -n | openssl s_client -showcerts -connect gitea.example.com:3000 \
  2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts/cert.pem

Configure gitconfig:

git config --global http."https://gitea.example.com:3000/".sslCAInfo /home/git/cacerts/cert.pem

I would need to run these commands on any other client I wanted to do checkouts via https - but checkout via ssh is easier so why bother :slight_smile:

Two helpful posts that helped me figure this out:
Configure git to accept a self signed cert and Adding a self signed cert

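An added example, not from the thread or from the Gitea project: a POSIX shell script that automates the two steps above, but also prints the captured leaf certificate's SHA-256 fingerprint so it can be compared with the cert on the Gitea host before anything is trusted, scopes the pin to the one remote URL rather than disabling verification, and confirms with `git ls-remote`. The host, repository path and cacerts directory in `main` are placeholders assumed from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Captures the certificate chain a Gitea
# server presents, shows the leaf fingerprint for an out-of-band check, and
# pins it for that one URL instead of disabling verification globally.
# Host, repo and cacerts paths in main are placeholders (assumed from the thread).
set -eu

# Keep only the PEM blocks from `openssl s_client -showcerts` output; the
# handshake chatter around them must not end up in the CA file.
extract_pem_chain() {
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Number of certificates in a PEM file (leaf plus any intermediates).
count_certs() {
  grep -c -- '-BEGIN CERTIFICATE-' "$1" || true
}

# git config key that scopes sslCAInfo to one URL prefix. Keep the trailing
# slash: git matches on the prefix, and "host:3000" alone would not match.
pin_key() {
  printf 'http.%s.sslCAInfo' "$1"
}

# fetch_chain host:port cafile  -- write the presented chain to cafile.
fetch_chain() {
  openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null \
    | extract_pem_chain > "$2"
  [ "$(count_certs "$2")" -gt 0 ] || { echo "no certificate from $1" >&2; return 1; }
}

# SHA-256 fingerprint of the first (leaf) certificate in cafile. Compare it with
# `openssl x509 -noout -fingerprint -sha256 -in <cert>` run on the Gitea host;
# a mismatch means something other than your server answered the capture.
leaf_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

main() {
  host=gitea.example.com:3000                       # placeholder
  repo="https://$host/myuser/myrepo.git"            # placeholder
  cafile=/home/git/cacerts/cert.pem                 # placeholder
  mkdir -p "$(dirname "$cafile")"
  fetch_chain "$host" "$cafile"
  echo "captured $(count_certs "$cafile") cert(s); leaf SHA-256: $(leaf_fingerprint "$cafile")"
  printf 'Matches the fingerprint shown on the server? [y/N] '; read -r ok
  [ "$ok" = y ] || exit 1
  git config --global "$(pin_key "https://$host/")" "$cafile"
  git ls-remote "$repo" >/dev/null && echo "https access to $repo verifies"
}

if [ "${1:-}" = run ]; then main; fi   # invoke as: sh pin-gitea-cert.sh run
```

Run it as the git user on the mirroring host; if the fingerprint does not match what the Gitea host itself reports, nothing is pinned.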

I’m an admirer of your Hugo work and see you’re working on self-hosting with a mirror to a Gitea VPS which is one step further than I thought to take my hosting. Could you indulge us a little in your choice of hardware and software stack for hosting on your home server?

I think you may have it back to front, I’m self-hosting on a cloud VPS and setting up mirrors on my home server. The home server is an old HP Microserver N40L I bought second hand and use for backups, media serving etc. I run Ubuntu server on both. But it’s not like Gitea has heavy hardware requirements.

I really need to rebuild Hugo Web Starter so it’ll run on the VPS. Then I could push to git and have auto-build and deploy (via gitea, although standard git hooks would work too).


Heads up bep plans to add Sass support in the next version of Hugo with the ability to shell out to PostCSS for autoprefixing (not yet set in stone). As such, it may indeed be time to update your excellent starter. If you can get it running on ARM under Docker I think the world would be a better place as a result. :slight_smile:

https://github.com/resin-io-library/base-images/tree/master/node/armhf