Reputation: 41
Hoping for some pointers on an issue I am running into with a brand new installation of GitLab running on RHEL 7. I configured GitLab to use SSL, and browsing to our server in a web browser using https://servername.domainname works perfectly fine; however, doing any kind of Git clone or pull over https fails with an SSL error.
When doing a Git Clone using TortoiseGit on Windows (latest release), I get the error "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure", and when using Ansible Tower, I get "Peer's Certificate issuer is not recognized."
I've tried editing GitLab's gitlab.rb file to allow various SSL ciphers and versions, but nothing seems to have worked (plus, I'd rather not allow weak ciphers or vulnerable SSL versions).
The SSL cert used for GitLab is a GoDaddy cert, not self-signed.
My gitlab.rb Nginx config contents are (sorry, I know it's long):
################
# GitLab Nginx #
################
## see: https://gitlab.com/gitlab-org/omnibus-gitlab/tree/master/doc/settings/nginx.md
nginx['enable'] = true
# nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true
ci_nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.cer" # Most root CA's are included by default
nginx['ssl_certificate'] = "/etc/gitlab/ssl/sslcert.cer"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/sslcert.key"
nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
# nginx['listen_addresses'] = ['*']
# nginx['listen_port'] = nil # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
# nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
# nginx['proxy_read_timeout'] = 300
# nginx['proxy_connect_timeout'] = 300
# nginx['proxy_set_headers'] = {
# "Host" => "$http_host",
# "X-Real-IP" => "$remote_addr",
# "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
# "X-Forwarded-Proto" => "https",
# "X-Forwarded-Ssl" => "on"
# }
# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
# nginx['proxy_cache'] = 'gitlab'
# nginx['http2_enabled'] = true
## Advanced settings
# nginx['dir'] = "/var/opt/gitlab/nginx"
nginx['log_directory'] = "/var/log/gitlab/nginx"
# nginx['worker_processes'] = 4
# nginx['worker_connections'] = 10240
# nginx['log_format'] = '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
# nginx['sendfile'] = 'on'
# nginx['tcp_nopush'] = 'on'
# nginx['tcp_nodelay'] = 'on'
# nginx['gzip'] = "on"
# nginx['gzip_http_version'] = "1.0"
# nginx['gzip_comp_level'] = "2"
# nginx['gzip_proxied'] = "any"
# nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
# nginx['keepalive_timeout'] = 65
# nginx['cache_max_size'] = '5000m'
Outside of those settings, my gitlab.rb file is pretty much default (LDAP is configured).
Running curl from my Ansible server (RHEL 7, latest curl release):
curl -v https://gitlabserver.domain.com
* About to connect() to gitlabserver.domain.com port 443 (#0)
* Trying ip address...
* Connected to gitlabserver.domain.com (ipaddress) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
Are there any other tests that I might be able run to help diagnose the https issues for the Git Clone process?
Upvotes: 4
Views: 2938
Reputation: 21
Better late than never: I ran into the same issue and solved it by concatenating the intermediate certificate from my CA and my .crt into a combined .crt that's then used by nginx.
More info here: https://www.digicert.com/ssl-certificate-installation-nginx.htm
Upvotes: 2
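The asker wanted further tests for the clone failure, and the answer's fix is a combined certificate file with the intermediate appended. The script below is an added example (not from the question, the answer, or GitLab's own tooling): it checks that such a bundle is ordered server cert first, then intermediates, and probes what chain a server actually serves. It assumes the openssl CLI is installed; all paths and hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not from the question or answer: check that a combined
# nginx certificate file is ordered leaf -> intermediate -> ... (what the
# answer's fix produces) and probe the chain a server actually serves.
# Needs the openssl CLI; every path and hostname is a placeholder.

# Number of PEM certificates in a bundle.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Print the N-th certificate (1-based) of a PEM bundle.
nth_cert() { awk -v n="$2" '/BEGIN CERTIFICATE/{i++} i==n' "$1"; }

# Subject or issuer DN of the PEM cert on stdin. The "issuer="/"subject="
# prefix is stripped so OpenSSL 1.0 and 1.1+ output compares consistently.
dn() { openssl x509 -noout -"$1" | sed 's/^[a-z]*= *//'; }

# Succeeds when each cert's issuer is the subject of the cert after it,
# i.e. the order nginx expects: server cert first, then intermediates.
chain_ordered() {
    bundle=$1; n=$(count_certs "$bundle"); i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$bundle" "$i" | dn issuer)
        next_subject=$(nth_cert "$bundle" $((i + 1)) | dn subject)
        [ "$issuer" = "$next_subject" ] || return 1
        i=$((i + 1))
    done
    [ "$n" -ge 1 ]
}

# Write OUT from the given cert files (leaf first) and verify the order.
combine_chain() { out=$1; shift; cat "$@" > "$out"; chain_ordered "$out"; }

# What a client sees: each chain entry, the negotiated cipher and the
# verify result. Only a depth-0 entry plus a non-zero verify return code
# means the intermediate is not being served, which the answer's fix cures.
probe_server() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>&1 |
        grep -E '^ *[0-9]+ s:|verify error|Cipher is|Verify return code'
}
```

Run `probe_server gitlabserver.domain.com` from the Ansible host to see whether only one chain entry is served, and `chain_ordered /etc/gitlab/ssl/sslcert.cer` after concatenating to confirm the file is in the order nginx needs.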