Clone of Gitlab repository through azure pipeline showing SSL error - azure

I have been doing a git clone of a repository in Gitlab through an azure pipeline and it showed the following error:
2020-08-13T11:23:42.2930076Z ##[warning]Git fetch failed with exit code 128, back off 6.913 seconds before retry.
2020-08-13T11:23:49.1339276Z ##[command]git fetch --force --tags --prune --progress --no-recurse-submodules --depth=2 origin
2020-08-13T11:23:49.3214993Z fatal: unable to access 'https://*****/gitlab/****/web.git/': SSL certificate problem: unable to get local issuer certificate
How could I resolve this issue?

SSL certificate problem: unable to get local issuer
From the error log, this problem often occurs when using a self-hosted agent.
This error occurs when a self-signed certificate cannot be verified.
You could run the following script on your local machine to turn off sslVerify.
git config --global http.sslVerify false
On the other hand, you could configure the git certificate.
Add the Enterprise CA certificate to git config --global http.sslCAInfo.
Tell Git where to find the CA bundle by running:
git config --system http.sslCAPath /absolute/path/to/git/certificates
or copying the CA bundle to the /bin directory and adding the following to the gitconfig file:
sslCAinfo = /bin/curl-ca-bundle.crt
Restart the agent.
Try following the tutorial mentioned in the blog.
Here is a ticket about Unable to resolve “unable to get local issuer certificate” using git on Windows with self-signed certificate

Related

git clone from internal gitlab repository doesn't work unless I'm running as root

I'm trying to clone an internal gitlab repository, but it keeps giving me this error message
fatal: unable to access 'https://gitlab**************.git/': gnutls_handshake() failed: Error in the pull function.
But somehow, if I'm running as root, the cloning process would run perfectly.
The problem is, I needed this to work because I'm trying to use this repository on Jenkins.
Can someone help me or explain why it only worked if I'm running as root?
root uses the same version of git and curl.
But it does not use the same:
global git config: compare the output of git config --global -l in both instances (root and regular user account).
environment configuration (type env in both cases, and compare the environment variables)
In particular, look for sslcainfo (git config --global -l|grep -i ssl) which could reference the certificate needed to contact through TLS your on-premise HTTPS GitLab URL.
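The comparison suggested in this answer can be automated. The following is an added example, not part of the original answer: it takes the output of `git config --list --show-scope --show-origin` (git 2.26 or later) captured under two accounts, keeps only the TLS-related `http.*` keys, and reports which ones differ and where verification is switched off. The host name, file paths and function names are assumptions made up for the illustration.

```python
import re

# Constructed sample: output of `git config --list --show-scope --show-origin`
# captured once as root and once as the jenkins user (paths and host are made up).
ROOT_DUMP = """\
system\tfile:/etc/gitconfig\tcore.autocrlf=false
global\tfile:/root/.gitconfig\thttp.sslcainfo=/etc/ssl/private-ca/gitlab-ca.pem
global\tfile:/root/.gitconfig\tuser.name=root
"""
JENKINS_DUMP = """\
system\tfile:/etc/gitconfig\tcore.autocrlf=false
global\tfile:/var/lib/jenkins/.gitconfig\thttp.https://gitlab.example.internal/.sslverify=false
global\tfile:/var/lib/jenkins/.gitconfig\tuser.name=jenkins
"""

# Matches http.sslVerify, http.sslCAInfo, http.sslCAPath and the URL-scoped
# form http.<url>.<key>; git prints section and key names in lower case.
TLS_KEY = re.compile(
    r"^http\.(?:(?P<url>.+)\.)?(?P<name>sslverify|sslcainfo|sslcapath)$", re.I)
FALSY = {"false", "no", "off", "0"}


def tls_settings(dump):
    """Return {(url_scope, key): (value, scope, origin)} for TLS-related entries."""
    found = {}
    for line in dump.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3 or "=" not in parts[2]:
            continue  # not a scope/origin/key=value line
        scope, origin, entry = parts
        key, value = entry.split("=", 1)
        m = TLS_KEY.match(key)
        if m:
            # Later lines win, which matches the order git lists and applies them.
            found[(m.group("url") or "*", m.group("name").lower())] = (value, scope, origin)
    return found


def compare(dump_a, dump_b):
    """Return (keys whose value differs, places where sslVerify is disabled)."""
    a, b = tls_settings(dump_a), tls_settings(dump_b)
    differing = sorted(k for k in a.keys() | b.keys()
                       if a.get(k, (None,))[0] != b.get(k, (None,))[0])
    disabled = sorted((k[0], origin) for settings in (a, b)
                      for k, (value, _scope, origin) in settings.items()
                      if k[1] == "sslverify" and value.lower() in FALSY)
    return differing, disabled
```

The environment variables `GIT_SSL_CAINFO` and `GIT_SSL_NO_VERIFY` override these settings, so the `env` output of both accounts still needs the comparison the answer describes.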

Gitlab : Peer's certificate issuer has been marked as not trusted by the user

I have an on-prem GitLab where I am trying to run some builds/pipelines but am getting the below error -
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.systems/testing/test-project-poc.git/': Peer's certificate issuer has been marked as not trusted by the user.
I have already looked into this - Gitlab:Peer's Certificate issuer is not recognized and followed the steps of obtaining the .pem file by merging the server certificate, intermediate certificate and root certificate but I am still getting the below error and really struggling to find the root cause.
/etc/gitlab/gitlab.rb config
##! enable/disable 2-way SSL client authentication
#nginx['ssl_verify_client'] = "off"
##! if ssl_verify_client on, verification depth in the client certificates chain
#nginx['ssl_verify_depth'] = "1"
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.systems.pem"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.systems.key"
Is there any other configuration which I need to update/modify? Any guidance is really appreciated.
I am guessing you are using a self signed certificate. If that is the case you have two options to rectify this issue:
Recommended option: Here again I assume that you have already solved the issue between the gitlab-runner and GitLab itself, hence you registered the runner successfully. So you already have the certificate file in /etc/gitlab-runner/certs. So on the server hosting the gitlab-runner, run the below command:
git config --system http.sslCAInfo /etc/gitlab-runner/certs/CERTIFICATE_NAME.crt
This is unsafe: Here you just disable the git https certificate verification:
git config --system http.sslverify false

RSA host key for IP address 'XX.XX.XX.XX' not in list of known hosts

I'm getting the error "RSA host key of the git repository not in the list of known hosts" when I run my Jenkins job with the repository URL as my git clone URL.
I have tried cloning the same repository on the host on which I'm running the job. It clones without any issue.
My ssh key of the host is already added to the git repo.
hudson.plugins.git.GitException: Command "/usr/local/packages/git-2.9.2/bin/git fetch --tags --progress origin +refs/heads/master:refs/remotes/origin/master --prune" returned status code 128:
stdout:
stderr: FIPS integrity verification test failed.
RSA host key for IP address 'XX.XX.XX.XX' not in list of known hosts.
Permission denied (keyboard-interactive,publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Try logging in on the machine as the jenkins user, try to do it manually. You probably get a message saying that the fingerprint for that host is unknown and the question if you want to trust it. If you choose yes, the next build you'll trigger should work.

Gitlab:Peer's Certificate issuer is not recognized

I get this error on a fresh install of gitlab. The message looks like:
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.example.com/something.git/': Peer's Certificate issuer is not recognized.
ERROR: Job failed: exit status 1
Any suggestions on how to fix it?
I faced the same problem. After enabling verbose mode with the following command
export GIT_CURL_VERBOSE=1 I found the following issue:
NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
I found the following site helpful, but it's good when you have entire control of
the proxy server as well to enter the certificates.
http://dropbit.com/?p=168
I instead ran the following command to bypass SSL verification by the proxy server and it worked
git config --global http.sslVerify "false"
You need to configure /etc/gitlab/gitlab.rb.
Change this line
nginx['ssl_certificate'] = "/etc/gitlab/<your-local-path>/cert.pem"
to
nginx['ssl_certificate'] = "/etc/gitlab/<your-local-path>/fullchain.pem"
(Assuming, you already have nginx enabled and you have correctly issued certificates, e.g. from LetsEncrypt.)
then restart gitlab and you're done:
$ gitlab-ctl reconfigure
Why: cert.pem does not contain the full certificate chain, so the CA chain cannot be verified. Replacing it with fullchain.pem solves it.

Github - permission denied to old account

Problem faced:
I cannot git push to my repo, error message:
remote: Permission to fishercoder1534/Leetcode.git denied to MY_OLD_GITHUB_ACCOUNT
fatal: unable to access 'https://github.com/fishercoder1534/Leetcode.git/': The requested URL returned error: 403
Research I have done:
looking at this post, I have all these correctly pointing to my new github account:
git config --global user.name "NewAccountFirstname NewAccountLastname"
git config --global user.email "my_new_github_account_email@gmail.com"
I have deleted my old ssh keys, generated new ssh keys, placed them under ~/.ssh/, also add them into my new Github account.
I have created a ~/.ssh/config file with the following contents as suggested by the above post:
Host github.com
User git
IdentityFile ~/.ssh/id_rsa # wherever your "new" key lives
IdentitiesOnly yes
I have run $ ssh -vT git@github.com, which shows my new GitHub account info: Hi fishercoder1534! You've successfully authenticated, but GitHub does not provide shell access.
I have run $ ssh -i ~/.ssh/id_rsa -vT git@github.com, and it's also showing my new GitHub info, with: Hi fishercoder1534! You've successfully authenticated, but GitHub does not provide shell access.
What's next option to try/help?
An https url (https://github.com/fishercoder1534/Leetcode.git) means that all the settings you have made for ssh don't matter.
And user.name/user.email have nothing to do with a Git repo server authentication.
Check if you have cached your https github.com credentials in a credential manager with git credential.helper:
git config credential.helper
That would explain why your old account keeps being used.
For osxkeychain, you can update your account
Or, of course, you can switch to an ssh url:
git remote set-url origin git@github.com:fishercoder1534/Leetcode.git
