Yesterday we reconfigured Gitlab to serve over HTTPS, inluding configuring http->https redirection. We had to roll this back because the server is internal only and so cannot get a certificate from a generally trusted root authority, and instead we used our internal root CA and git does not by default use the windows cert store so users were getting cert errors when cloning etc. This is fine and not exactly unexpected, we will roll out changes to get people to use SChannel and then re-apply the HTTPS certs.
However, after changing external_url back to http:// we can no longer push over authenticated http. Cloning of anonymous projects over http works, but cloning of private ones prompts for credentials and then gives the following:
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'http://...
The same error occurs at least when pushing.
I’m not even sure how to diagnose what’s happening, production.log shows the following for a push attempt:
Started GET "/testuser/test.git/info/refs?service=git-upload-pack" for 10.224.0.3 at 2018-08-23 11:22:56 +0100
Processing by Projects::GitHttpController#info_refs as */*
Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"testuser", "project_id"=>"test.git"}
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 8ms (Views: 0.3ms | ActiveRecord: 2.8ms)
Our server (and this user) authenticate using LDAP, and login to the web UI works fine.
Any help in even where to look for what’s going wrong will be very much appreciated.