Git over HTTP failing auth after rollback of HTTPS upgrade

Yesterday we reconfigured Gitlab to serve over HTTPS, inluding configuring http->https redirection. We had to roll this back because the server is internal only and so cannot get a certificate from a generally trusted root authority, and instead we used our internal root CA and git does not by default use the windows cert store so users were getting cert errors when cloning etc. This is fine and not exactly unexpected, we will roll out changes to get people to use SChannel and then re-apply the HTTPS certs.

However, after changing external_url back to http:// we can no longer push over authenticated http. Cloning of anonymous projects over http works, but cloning of private ones prompts for credentials and then gives the following:

remote: HTTP Basic: Access denied
fatal: Authentication failed for 'http://...

The same error occurs at least when pushing.

I’m not even sure how to diagnose what’s happening, production.log shows the following for a push attempt:

Started GET "/testuser/test.git/info/refs?service=git-upload-pack" for at 2018-08-23 11:22:56 +0100
Processing by Projects::GitHttpController#info_refs as */*
  Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"testuser", "project_id"=>"test.git"}
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 8ms (Views: 0.3ms | ActiveRecord: 2.8ms)

Our server (and this user) authenticate using LDAP, and login to the web UI works fine.

Any help in even where to look for what’s going wrong will be very much appreciated.

This may be actually caused by the same as GitLab CE 11.2.0 (6a123f6) - remote: HTTP Basic: Access denied and nothing to do with the HTTPS upgrade.

Updating to 11.2.1 has fixed this issue, looks like the HTTPS downgrade was a complete coincidence. Many thanks to the developers for fixing this!