Reputation: 33
I use a self-signed certificate for encryption.
After some work, https is working for git, but the git@xxxxx way does not work. Here's the output:
Cloning into 'test'...
/usr/lib/ruby/1.9.1/net/http.rb:762:in `initialize': Connection refused - connect(2 (Errno::ECONNREFUSED)
from /usr/lib/ruby/1.9.1/net/http.rb:762:in `open'
from /usr/lib/ruby/1.9.1/net/http.rb:762:in `block in connect'
from /usr/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
from /usr/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
from /usr/lib/ruby/1.9.1/net/http.rb:762:in `connect'
from /usr/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
from /usr/lib/ruby/1.9.1/net/http.rb:744:in `start'
from /home/git/gitlab-shell/lib/gitlab_net.rb:56:in `get'
from /home/git/gitlab-shell/lib/gitlab_net.rb:17:in `allowed?'
from /home/git/gitlab-shell/lib/gitlab_shell.rb:51:in `validate_access'
from /home/git/gitlab-shell/lib/gitlab_shell.rb:21:in `exec'
from /home/git/gitlab-shell/bin/gitlab-shell:16:in `<main>'
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Both ssh and http worked fine before I started the self-signed cert thing, so now ssh+ssl is not working. I'm using nginx and GitLab 5.3, and followed the install instructions on the GitLab website.
I did a check, too.
~> sudo -u git -H /home/git/gitlab-shell/bin/check
Check GitLab API access: FAILED. code: 301
Check directories and files:
/home/git/repositories: OK
/home/git/.ssh/authorized_keys: OK
I think the 301 might be this part in my nginx config:
server {
    listen 80;
    server_name gitlab.MYDOMAIN.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}
Don't know if it's related or something. Thanks.
Upvotes: 2
Views: 5190
Reputation: 1324218
ssh+ssl?
But the two aren't related from the client-side perspective (unless you want to do some kind of ssh tunneling through NGiNX).
An ssh connection would talk to the ssh daemon (which doesn't need any certificate) and would require that the correct ssh public key has been registered to the server account ~/.ssh/authorized_keys (done by GitLab when a user registers said public key in his/her profile page).
The gitlab-shell/bin/check error is another issue, again not related to the ssh issue.
It is gitlab-shell which tries to contact GitLab locally through an https API.
Solve that locally, and any connection (https or ssh) from the client will succeed.
In particular, check issue 3892, and see if you need to add a CA to the .crt file served by NGiNX.
LJ Vankuiken adds in the comments:
the self-signed flag needs to be set to "true" if the certificate chain presented by your gitlab server cannot be completely verified by the gitlab-shell.
I was able to set the self-signed flag to "false" by adding the signing authority's certificate to the system certificate store.
Upvotes: 1
Reputation: 2510
The issue you're having is that when you enabled ssl you also redirected http to https.
Accessing the old http:// url works on most clients, but gitlab-shell (used as part of the login process on the gitlab server) will not follow 3xx redirects and instead returns an error, thus disabling ssh-based access.
The fix is to edit /home/git/gitlab-shell/config.yml and replace the http:// in gitlab_url: with https://.
If you're using self-signed certificates, you may also have to set self_signed_cert: true under http_settings:
Upvotes: 5
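Added example, not part of the answer above or of gitlab-shell's own code: a Ruby probe that sends one request to gitlab_url without following redirects and tells apart the 301 produced by the port-80 rewrite, the connection-refused case from the question's stack trace, and a certificate that fails verification. The function names, the ca_file parameter, the local stub server and the gitlab.example.test host are assumptions made for this example.

```ruby
require "net/http"
require "openssl"
require "socket"

# One GET to gitlab_url, never following redirects (the behaviour the answer
# describes for gitlab-shell), returning [status, detail].
# ca_file is a hypothetical parameter: a PEM file holding the signing CA.
def probe_gitlab_url(gitlab_url, ca_file: nil)
  uri = URI.parse(gitlab_url)
  http = Net::HTTP.new(uri.host, uri.port, nil) # nil: ignore proxy env vars
  http.open_timeout = http.read_timeout = 3
  if uri.scheme == "https"
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER # verification stays on
    http.ca_file = ca_file if ca_file
  end
  res = http.request_get(uri.path.empty? ? "/" : uri.path)
  case res
  when Net::HTTPRedirection
    [:redirected, "#{res.code} -> #{res['location']}: set gitlab_url to this"]
  when Net::HTTPSuccess then [:ok, res.code]
  else [:http_error, res.code]
  end
rescue Errno::ECONNREFUSED
  [:refused, "nothing listening on #{uri.host}:#{uri.port}"]
rescue OpenSSL::SSL::SSLError => e
  [:cert_unverified, "#{e.message}: add the signing CA or set self_signed_cert"]
end

# Constructed stand-in for the port-80 nginx block in the question: answers
# every request with a 301 to target. Returns the OS-assigned port.
def start_redirect_stub(target)
  server = TCPServer.new("127.0.0.1", 0)
  Thread.new do
    loop do
      client = server.accept
      nil while (line = client.gets) && line != "\r\n" # drain request headers
      client.write("HTTP/1.1 301 Moved Permanently\r\nLocation: #{target}\r\n" \
                   "Content-Length: 0\r\nConnection: close\r\n\r\n")
      client.close
    end
  end
  server.addr[1]
end

if __FILE__ == $PROGRAM_NAME
  port = start_redirect_stub("https://gitlab.example.test/")
  p probe_gitlab_url("http://127.0.0.1:#{port}/")
end
```

Run on the GitLab host as the git user against the gitlab_url value from config.yml; passing the signing CA through ca_file mirrors the approach in the comment quoted earlier of trusting the signing authority's certificate.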
Reputation: 1737
For what it's worth in case anyone gets similar, I am running Gitlab on port 8080 and because gitlab_url in gitlab-shell/config.yml was NOT pointing to port 8080 it was failing with a redirect error (which my server running on 80 was kicking up).
So to summarize, if you access gitlab via http://gitlab.mydomain.com:8080/ make sure gitlab_url points to http://gitlab.mydomain.com:8080/ as well!
Upvotes: 0
Reputation: 41
For gitlab 6.0 this fixed the error for me: if using self-signed certificates, make sure that in gitlab-shell/config.yml your gitlab_url is https://... rather than http://... and that you specify self_signed_cert: true.
Upvotes: 3