Gitlab ssl setup

Hi everyone,

I have a local gitlab instance using self signed certificates.

  • I can connect my server from a web browser and https.
  • I can clone my repository via ssh
  • I can clone my repository via https BUT with: GIT_SSL_NO_VERIFY=1 git clone https://…
    But I’m unable to simply clone via https: git clone https://… returns: Peer’s Certificate has expired.
    I’ve found some information saying it could be related to gitlab-shell but I was unable to solve this.
    I’m not very familiar with certificates so any help is welcome

Thanks
Patrick

Hi,

Maybe adding this to .gitconfig file in your user directory:

[http]
	sslVerify = false

will help since self-signed aren’t trusted certificates, but that should stop you needing to provide GIT_SSL_NO_VERIFY=1 before each clone command.

You can set it globally doing:

git config --global http.sslVerify "false"

if you do it without the global parameter, you would need to do it for each repository.

Obviously if you are using third-party repositories other than your own with git, this could be a potential security problem by ignoring certificates - in which case, set it without the global parameter for each of your repositories individually. But if you only use your own server and no other external git servers, it shouldn’t be a big issue.

If security is a problem, then I would suggest using a domain that you own, and then use either letsencrypt or purchase a commercial certificate to use with your Gitlab instance.

Hi iwalker,
thanks for your answer which will help at the client level. But is there a way to configure my gitlab instance (server side) to avoid this client setup? Some of my users are not allowed to use ssh from their network but https.

Patrick

Git works with the certificates at the client side, therefore if the client doesn’t trust the server because it’s using a self-signed certificate, then there is nothing you can do from the server-side apart from what I said before - use letsencrypt with a domain that you have purchased and use this with gitlab, or purchase an SSL certificate for your Gitlab server + domain that you are using with it.

Alternatively, you are going to have to look at running your own internal CA and ensure all the client computers have the CA certificate installed on them so that it trusts all the certificates you generate. And use your internal CA to create a certificate for use with Gitlab. That way you won’t need to purchase a certificate or configure letsencrypt, but you still have to fix it on the client-side by importing the CA certificate - which is OK for example with Firefox, as you can import a CA - I do that myself. But you most likely will still have issues for CLI stuff, so console commands eg: git.

But that is nothing to do with Gitlab and the way it works, this is purely certificate-related. So there are some choices for you.
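
An added example, not part of the original posts: a client-side alternative to `sslVerify = false` that checks a certificate's expiry and then makes git trust one CA file for one server URL only. The host name gitlab.example.internal, the paths and the function names are assumptions made for this sketch, and the certificate is a throwaway one constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. gitlab.example.internal, the paths and the function names
# are placeholders chosen for this sketch, not values from the thread.

# Print the validity dates of the certificate a server actually presents
# (needs network access; useful when git reports an expired certificate).
show_server_cert_dates() {  # usage: show_server_cert_dates <host> [port]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -dates
}

# Succeed only if the PEM certificate $1 stays valid for the next $2 seconds.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Trust CA file $2 for base URL $1 only. http.sslVerify is left at its
# default (true), so every other HTTPS remote is still fully verified.
# Optional $3 is a config file; without it the user's global config is used.
trust_ca_for_host() {
    cert_not_expired "$2" || { echo "refusing: $2 has expired" >&2; return 1; }
    if [ -n "${3:-}" ]; then
        git config --file "$3" "http.$1.sslCAInfo" "$2"
    else
        git config --global "http.$1.sslCAInfo" "$2"
    fi
}

# Constructed sample input: a throwaway 30-day self-signed certificate in $1.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=gitlab.example.internal" \
        -keyout "$1/key.pem" -out "$1/ca.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) && make_constructed_cert "$dir" || return 1
    trust_ca_for_host "https://gitlab.example.internal/" "$dir/ca.pem" "$dir/gitconfig"
    cat "$dir/gitconfig"   # shows the [http "https://..."] section that was written
}
demo
```

On a real client, call `trust_ca_for_host` with the server's base URL and the internal CA (or self-signed) certificate file. The certificate must also be issued for the host name users clone from.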

Many thanks iwalker for this clarification. I’m really not familiar with this concept. I’m going to move to a valid (not self signed) certificate for my gitlab server.
Patrick
