Guide for configuring HTTPS on Ubuntu 14.04? Can't push or clone with https

Similar problems to this guy, who got no help and no suggestions in 5 months, which is troubling to me:

We have SSH clone and push working, but not HTTPS.

With Git 2.7.x on Windows clients:

X:\Temp\gitlab\project>git clone https://test-gitlab.ramsoft.biz/wpostma/personal1.git
Cloning into 'personal1'...
fatal: unable to access 'https://test-gitlab.ramsoft.biz/wpostma/personal1.git/': SSL certificate problem: unable to get local issuer certificate

Watching the server logs with gitlab-ctl tail, we see this in the server log:

> /var/log/gitlab/nginx/gitlab_error.log <
2016/04/26 13:21:25 [crit] 47733#0: *31 SSL_shutdown() failed (SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init) while SSL handshaking, client: 192.168.215.50, server: 0.0.0.0:443

Advanced degrees in Googling error messages suggest, via a Stack Overflow post, that the above is an OpenSSL bug, but I'm not sure.

The workaround we know about is to type set GIT_SSL_NO_VERIFY=true before we do the git clone, but this is bad as it disables ALL SSL verification.

Found some references to having to manually set up a chain of certificates for nginx to work:
https://github.com/gitlabhq/gitlabhq/issues/4272

Use an SSL Checker to verify your SSL Certificate is installed properly http://www.digicert.com/help/

If you are using a paid SSL (not self-signed) you are likely missing Intermediate certificates, which are required to fully validate an SSL certificate.

Unlike Apache, you cannot specify a Chain/Intermediate separately. With NGINX you need to create your own chain by concatenating your certificates.

$ cat www.example.com.crt bundle.crt > www.example.com.chained.crt

Read the full details under “SSL certificate chains” here:
Configuring HTTPS servers

Warren

Ok I found that various people have various solutions:

  1. Some people claim that special nginx configuration steps are required including chaining by concatenating certificates. We already had our certificate configured and I believe that everything was fine though.

  2. Some people are just turning off SSL verification and that appears to be bad.

  3. Some people are modifying their ca-bundle.crt file and this appears to be a working solution for me.

The solution is in two pieces for me:

  1. On each git workstation, in your .gitconfig, create a different per-server ca-bundle.crt entry, like this:

[http "https://gitlab.yourcompany.biz"]
    sslCAInfo = "/path/to/custom/ca-bundle.crt"

  2. Repair the ca-bundle.crt to add the missing signing CAs. I have attached our repair, which added a missing CA that we needed:

https://gist.github.com/wpostma/3e69a8d7fb2051dddfa7d37f99f026dc (ca-bundle.crt example)

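The following script is an added example and is not code from this thread or from GitLab. It reproduces the "unable to get local issuer certificate" failure offline with a throwaway root -> intermediate -> leaf chain, then demonstrates both fixes discussed above: the nginx-side chained certificate (concatenating leaf and intermediate, as in the quoted GitHub issue) and the workstation-side repaired ca-bundle.crt with a per-server sslCAInfo entry (the second post). It assumes only the openssl command-line tool; the host name gitlab.example.test, the CA names and all file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original thread. Everything here is
# generated in a temporary directory; gitlab.example.test is a placeholder.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: an empty DN section (we pass -subj on the command
# line) plus extension sections for a CA and for a server (leaf) certificate.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:gitlab.example.test
EOF

# Self-signed root CA named $1, written to $2.key / $2.pem.
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ext.cnf \
        -extensions v3_ca -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# Key + CSR for CN $1, signed by CA $3 with extension section $4, into $2.pem.
sign_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config ext.cnf -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -days 1 -extfile ext.cnf -extensions "$4" -out "$2.pem" >/dev/null 2>&1
}

make_chain() {
    new_root "Example Root CA" root
    sign_cert "Example Intermediate CA" int root v3_ca
    sign_cert "gitlab.example.test" leaf int v3_leaf
}

# Failure case: the client trusts the root, but the server sent only the
# leaf. OpenSSL cannot find the leaf's issuer, which is exactly the
# "unable to get local issuer certificate" error from the original post.
verify_leaf_alone() {
    openssl verify -CAfile root.pem leaf.pem
}

# Server-side fix: nginx has no separate chain directive, so the file named
# by ssl_certificate must hold the leaf followed by the intermediate(s).
build_chained_cert() {
    cat leaf.pem int.pem > chained.pem
}

# Emulates a client that trusts only the root and receives chained.pem in
# the handshake; -untrusted supplies the intermediates the server sent.
verify_with_chain() {
    openssl verify -CAfile root.pem -untrusted chained.pem leaf.pem
}

# Workstation-side fix: git's ca-bundle.crt lacks the root that issued the
# chain. bundle-before.crt stands in for the shipped bundle (an unrelated
# root only); bundle-after.crt is the repaired bundle with the missing root
# appended, which is what the second post did.
make_bundles() {
    new_root "Unrelated Root CA" other
    cp other.pem bundle-before.crt
    cat other.pem root.pem > bundle-after.crt
}

verify_against_bundle() {
    openssl verify -CAfile "$1" -untrusted chained.pem leaf.pem
}

# Per-server .gitconfig entry pointing at the repaired bundle (straight
# quotes; curly quotes from a web page break git's parser). Equivalent:
#   git config --global http.https://gitlab.example.test.sslCAInfo "$1"
write_gitconfig() {
    printf '[http "https://gitlab.example.test"]\n\tsslCAInfo = %s\n' "$1" > gitconfig.example
}

show() {
    if "$@" >/dev/null 2>&1; then echo "verified: $*"; else echo "FAILED  : $*"; fi
}

make_chain
build_chained_cert
make_bundles
write_gitconfig "$WORK/bundle-after.crt"
show verify_leaf_alone                       # FAILED: issuer not found
show verify_with_chain                       # verified: server sent the chain
show verify_against_bundle bundle-before.crt # FAILED: root missing from bundle
show verify_against_bundle bundle-after.crt  # verified: repaired bundle
cat gitconfig.example
```

The two failing checks are the two ways the same error appears in practice: the server not sending its intermediate, or the client bundle not containing the root. Running `openssl verify` against the concatenated file is an offline stand-in for what git's libcurl does during the handshake, so it is a quick way to confirm the nginx chained file or the repaired bundle before touching any workstation.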