- Gitea version (or commit ref): c5887b0f28d6915e843f9ca69c42e90577122f99
- Git version: 2.7.4 (git-lfs version 1.5.5)
- Operating system: Ubuntu 16.04
- Database (use
[x]):
- [ ] PostgreSQL
- [ ] MySQL
- [x] SQLite
- Can you reproduce the bug at https://try.gitea.io:
- [ ] Yes (provide example URL)
- [ ] No
- [x] Not relevant
- Log gist:
Description
I'm trying out the new LFS support (running master). It's a fantastic addition. Thank you for it. I've noted a potential bug vs corner case:
Using a letsencrypt cert with Gitea directly serving requests (so acting as the SSL endpoint) the browser accepts the certificate as expected; however, when I try to push an LFS file I get an x509: certificate signed by unknown authority error.
I have found two work arounds:
- Force it by setting
sslverify = false. - Require verification but use Nginx as the SSL endpoint and then reverse proxy to Gitea. It appears the relevant configuration difference is ability to use the
fullchain.cerinstead of just the cert. If I try to use the full chain as theCERT_FILEin gitea the connection fails altogether.
Thanks again for all the hard work.
sciatro
All 10 comments
I have the same error. Any solution?
lucassmacedo
on 16 Jan 2019
@sciatro have given two solutions, maybe you can follow them. I think this issue is not related with Gitea and will close this. Please feel free to reopen it.
lunny
on 17 Jan 2019
I think this was more accurately categorized as a bug. Perhaps it is a bug that cannot or will not be fixed (fair enough) but a bug nevertheless. The work arounds I posted are just that - work arounds.
Alternatively, if use of a reverse proxy is the deployment expectation now (and use of that proxy to terminate ssl) then this may be better reframed as a documentation bug.
sciatro
on 18 Jan 2019
@lunny I think built-in ssl should return correctly full chain
lafriks
on 21 Jan 2019
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
![stale[bot] picture](https://avatars3.githubusercontent.com/in/1724?v=4&s=40)
stale[bot]
on 22 Mar 2019
OK so this is strange - looking at the code for autocert and acme:
https://github.com/go-gitea/gitea/blob/9ca7fcddbb4c9aba7a3f8e84f6c63b7504837bee/cmd/web.go#L88
should set TLSConfig with a certificate:
&tls.Certificate{
PrivateKey: s.key,
Certificate: s.cert,
Leaf: s.leaf,
}
Where Certificate is the full certificate and Leaf is just the local one.
So we should be sending the full certificate already?
zeripath
on 27 May 2019
s := &http.Server{
TLSConfig: m.TLSConfig(),
}
is the relevant part of an example from official golang docs (where m is the certManager). I think we could switch to that.
techknowlogick
on 27 May 2019
I can't see why that would be helpful:
func (m *Manager) TLSConfig() *tls.Config {
return &tls.Config{
GetCertificate: m.GetCertificate,
NextProtos: []string{
"h2", "http/1.1", // enable HTTP/2
acme.ALPNProto, // enable tls-alpn ACME challenges
},
}
}
If anyone has a letsencrypt running gitea could you check:
openssl s_client -showcerts -connect HOSTNAME:443
Just to ensure that it isn't returning a fullchain.
zeripath
on 27 May 2019
CLosing this issue as through testing we confirmed that the full chain is being sent. Please re-open if you continue to experience this issue.
techknowlogick
on 31 May 2019
Related issues
cookiengineer
路
3Comments
kolargol
路
3Comments
thehowl
路
3Comments
thehowl
路
3Comments
flozz
路
3Comments