I have a server running GitLab. All access to this server must go through Apache over HTTPS, and the client must present a valid certificate signed by the CA that also issued the server certificate.
After a lot of research I have been able to access the GitLab interface from a browser. But I cannot clone a repository. I seem to be able to present the correct certificate at the Apache level, but then I get "401 Unauthorized". I think the git authentication with the ssh public/private key pair is failing.
After entering the certificate password several times in the console or in the askpass GUI, I get the following output:
$ GIT_SSL_CERT=~/.ssh/cert.pem git clone https://host/gitlab/xxx/yyy.git
Cloning into 'yyy'...
* Couldn't find host host.domain in the .netrc file; using defaults
* About to connect() to host.domain port 443 (#0)
* Trying 123.456.789.012...
* Connected to host.domain (123.456.789.012) port 443 (#0)
* Connected to host.domain (123.456.789.012) port 443 (#0)
Enter PEM pass phrase:
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using DHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=FR; O=xyz; OU=Technique; CN=host.domain
* start date: 2014-03-11 12:53:46 GMT
* expire date: 2019-03-11 12:53:46 GMT
* issuer: C=FR; O=XYZ; OU=0002 775685019; OU=AC; CN=XYZ
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.8.1.5
Host: host.domain
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache
* The requested URL returned error: 401 Unauthorized
* Closing connection #0
Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated.
Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated.
* Couldn't find host host.domain in the .netrc file; using defaults
* About to connect() to host.domain port 443 (#0)
* Trying 123.456.789.012...
* Connected to host.domain (123.456.789.012) port 443 (#0)
* Connected to host.domain (123.456.789.012) port 443 (#0)
Enter PEM pass phrase:
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL re-using session ID
* SSL connection using DHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=FR; O=xyz; OU=Technique; CN=host.domain
* start date: 2014-03-11 12:53:46 GMT
* expire date: 2019-03-11 12:53:46 GMT
* issuer: C=FR; O=XYZ; OU=0002 775685019; OU=AC; CN=XYZ
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.8.1.5
Host: host.domain
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache
< HTTP/1.1 401 Unauthorized
< Date: Tue, 18 Mar 2014 10:38:35 GMT
< Status: 401 Unauthorized
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 0
< WWW-Authenticate: Basic realm=""
< Cache-Control: no-cache
< X-Request-Id: 74f54f7b-b9b3-41c2-a55f-8e4c0f90b1e6
< X-Runtime: 0.003925
< Connection: close
<
* Closing connection #0
* Issue another request to this URL: 'https://host.domain/gitlab/xxx/yyy.git/info/refs?service=git-upload-pack'
* Couldn't find host host.domain in the .netrc file; using defaults
* About to connect() to host.domain port 443 (#0)
* Trying 123.456.789.012...
* Connected to host.domain (123.456.789.012) port 443 (#0)
* Connected to host.domain (123.456.789.012) port 443 (#0)
Enter PEM pass phrase:
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL re-using session ID
* SSL connection using DHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=FR; O=xyz; OU=Technique; CN=host.domain
* start date: 2014-03-11 12:53:46 GMT
* expire date: 2019-03-11 12:53:46 GMT
* issuer: C=FR; O=XYZ; OU=0002 775685019; OU=AC; CN=XYZ
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user 'PASSWORDINCLEAR'
> GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1
Authorization: Basic xxxxx
User-Agent: git/1.8.1.5
Host: host.domain
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache
< HTTP/1.1 401 Unauthorized
< Date: Tue, 18 Mar 2014 10:38:44 GMT
< Status: 401 Unauthorized
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 0
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm=""
< Cache-Control: no-cache
< X-Request-Id: 9fc67b79-180d-4b8a-8c42-95fd472a31a7
< X-Runtime: 0.005070
< Connection: close
* The requested URL returned error: 401
* Closing connection #0
fatal: Authentication failed
The Apache ssl.conf file is:
# SSLRequireString is an environment variable defined like that: "%{SSL_CLIENT_S_DN_CN} =~ m/XXX/"
<VirtualHost _default_:443>
SSLProxyEngine on
ProxyPreserveHost On
ProxyRequests Off
ProxyPass /gitlab/ http://127.0.0.1:8080/
ProxyPassReverse /gitlab/ http://127.0.0.1:8080/
ProxyPass /assets/ http://127.0.0.1:8080/gitlab/assets/
ProxyPassReverse /assets/ http://127.0.0.1:8080/gitlab/assets/
ProxyPass /redmine/ http://127.0.0.1:80/redmine/
ProxyPassReverse /redmine/ http://127.0.0.1:80/redmine/
ProxyPass /buildbot/ http://127.0.0.1:8010/
ProxyPassReverse /buildbot/ http://127.0.0.1:8010/
ProxyPass /unit-tests/ http://127.0.0.1/unit-tests/
ProxyPassReverse /unit-tests/ http://127.0.0.1/unit-tests/
<Location /redmine/>
ProxyPassReverse http://127.0.0.1:80/redmine/
Order deny,allow
Allow from all
SSLRequire ( ${SSLRequireString} )
</Location>
<Location /gitlab/>
ProxyPassReverse http://127.0.0.1:8080/
Order deny,allow
Allow from all
SSLRequire ( ${SSLRequireString} )
</Location>
<Location /assets/>
ProxyPassReverse http://127.0.0.1:8080/gitlab/assets/
Order deny,allow
Allow from all
SSLRequire ( ${SSLRequireString} )
</Location>
<Location /buildbot/>
ProxyPassReverse http://127.0.0.1:8010/
Order deny,allow
Allow from all
SSLRequire ( ${SSLRequireString} )
</Location>
<Location /unit-tests/>
ProxyPassReverse http://127.0.0.1/unit-tests/
Order deny,allow
Allow from all
SSLRequire ( ${SSLRequireString} )
</Location>
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule .*gitlab.* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
# RewriteRule .*redmine.* http://127.0.0.1:80%{REQUEST_URI} [P,QSA]
RequestHeader set X_FORWARDED_PROTO 'https'
ServerName host.domain:443
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/server.pem
SSLCertificateKeyFile /etc/pki/tls/private/server.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCACertificateFile /etc/pki/tls/certs/server-bundle.pem
SSLVerifyClient require
SSLVerifyDepth 10
<Location />
SSLRequire ( ${SSLRequireString} )
</Location>
~/.ssh/config is:
Host *
Compression yes
ForwardX11 yes
Ciphers arcfour,blowfish-cbc
Host host.domain
Hostname host.domain
User git
IdentityFile ~/.ssh/id_rsa4
Several steps cause something to fail, and right now I am stuck. I don't know where to look.
Update: by issuing
GIT_SSL_CERT=~/.ssh/cert.pem git clone https://host.domain/gitlab/xxx/xxx.git
the clone succeeds, after entering the PEM passphrase once, entering the GitLab username and password in the two ssh-askpass dialogs that open, and then entering the PEM passphrase three more times.
During this process I get the following in the logs:
/var/log/httpd/ssl_access_log-20140318
ww.xx.yy.zz - - [24/Mar/2014:16:08:15 +0100] "GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1" 401 -
ww.xx.yy.zz - - [24/Mar/2014:16:08:18 +0100] "GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1" 200 282
ww.xx.yy.zz - - [24/Mar/2014:16:08:21 +0100] "POST /gitlab/xxx/yyy.git/git-upload-pack HTTP/1.1" 200 18482648
/home/git/gitlab/log/production.log
Started GET "/gitlab/xxx/yyy.git/info/refs?service=git-upload-pack" for 127.0.0.1 at 2014-03-24 16:07:59 +0100
Started GET "/gitlab/xxx/yyy.git/info/refs?service=git-upload-pack" for 127.0.0.1 at 2014-03-24 16:08:15 +0100
Started GET "/gitlab/xxx/yyy.git/info/refs?service=git-upload-pack" for 127.0.0.1 at 2014-03-24 16:08:18 +0100
Started POST "/gitlab/xxx/yyy.git/git-upload-pack" for 127.0.0.1 at 2014-03-24 16:08:21 +0100
So cloning sort of works, but it is not very convenient. Should I close this question and open a new one?
P.S.: the server and the client run GNU/Linux (Scientific Linux 6.5 and Mageia 3 respectively). The GitLab versions are: GitLab 6.5.1, GitLab Shell 1.8.0, GitLab API v3, Ruby 1.9.3p194, Rails 4.0.2.
Answer 0 (score: 0)
Have you tried a local clone from the server itself using 127.0.0.1:8080, without going through Apache?
Also, check the logs to find out whether the 401 comes from GitLab or from Apache.
Anyway, if you go over HTTP you are not using ssh keys, so the ssh config is irrelevant. It seems to be using login/password, as you can see on the line Server auth using Basic with user 'PASSWORDINCLEAR', but that should be the user there, not the password, so there is probably something wrong in your client configuration.
Answer 1 (score: 0)
I finally got it working and wrote the following instructions for colleagues:
You can clone after first applying the following configuration:
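To act on the suggestion above (find out which layer answered with the 401), here is an added example, not part of the original post, that correlates Apache's ssl_access_log with GitLab's production.log: a request that appears in both logs got its status from GitLab, while one that never reaches production.log was rejected by Apache itself (mod_ssl's SSLRequire answers 403 without proxying). The log lines are constructed to match the shape shown in the question; the IP, repository names and the 16:07:30 entry are placeholders.

```python
"""Correlate Apache access-log entries with Rails production.log entries."""
import re
from datetime import datetime, timedelta

# Apache log format used by the question: ip - user [ts] "METHOD path HTTP/x" status bytes
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)')
# Rails request line: Started METHOD "path" for ip at YYYY-MM-DD HH:MM:SS +ZZZZ
RAILS_RE = re.compile(r'^Started (?P<method>[A-Z]+) "(?P<path>[^"]+)" for \S+ at (?P<ts>.+)$')

def parse_apache(line):
    m = APACHE_RE.match(line)
    if not m:
        return None
    return {'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
            'method': m['method'], 'path': m['path'], 'status': int(m['status'])}

def parse_rails(line):
    m = RAILS_RE.match(line)
    if not m:
        return None
    return {'ts': datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S %z'),
            'method': m['method'], 'path': m['path']}

def classify(apache_lines, rails_lines, window=timedelta(seconds=2)):
    """Return (time, method, status, origin) per Apache request; origin is
    'gitlab' when the backend logged the same request within `window`,
    otherwise 'apache' (the proxy answered without forwarding)."""
    rails = [r for r in map(parse_rails, rails_lines) if r]
    result = []
    for a in filter(None, map(parse_apache, apache_lines)):
        seen = any(r['method'] == a['method'] and r['path'] == a['path']
                   and abs(r['ts'] - a['ts']) <= window for r in rails)
        result.append((a['ts'].strftime('%H:%M:%S'), a['method'], a['status'],
                       'gitlab' if seen else 'apache'))
    return result

# Constructed sample input: the three lines from the question plus one 403 that
# Apache's SSLRequire would log when the client certificate DN does not match.
APACHE_LOG = [
    '10.0.0.5 - - [24/Mar/2014:16:07:30 +0100] "GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1" 403 -',
    '10.0.0.5 - - [24/Mar/2014:16:08:15 +0100] "GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1" 401 -',
    '10.0.0.5 - - [24/Mar/2014:16:08:18 +0100] "GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1" 200 282',
    '10.0.0.5 - - [24/Mar/2014:16:08:21 +0100] "POST /gitlab/xxx/yyy.git/git-upload-pack HTTP/1.1" 200 18482648',
]
RAILS_LOG = [
    'Started GET "/gitlab/xxx/yyy.git/info/refs?service=git-upload-pack" for 127.0.0.1 at 2014-03-24 16:08:15 +0100',
    'Started GET "/gitlab/xxx/yyy.git/info/refs?service=git-upload-pack" for 127.0.0.1 at 2014-03-24 16:08:18 +0100',
    'Started POST "/gitlab/xxx/yyy.git/git-upload-pack" for 127.0.0.1 at 2014-03-24 16:08:21 +0100',
]

if __name__ == '__main__':
    for row in classify(APACHE_LOG, RAILS_LOG):
        print(row)
```

For the question's logs this reports the 401 as originating from GitLab, which is consistent with Answer 0's reading: the client certificate satisfied Apache, and the backend is what asked for HTTP Basic credentials.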
# This is the certificate in PEM format to authenticate.
git config --global http.sslCert <path to your X.509 (pem) certificate>
# This is the same certificate as above, this time to make git accept a self-signed certificate
git config --global http.sslCAInfo <path to your X.509 (pem) certificate>
# This allows to input the certificate password only once
git config --global http.sslCertPasswordProtected 1
You may also want to avoid setting such global options, since they would have unwanted side effects on other repositories. In that case you have to clone with the options passed locally on the command line, as follows:
git clone -c http.sslCAInfo=<path to your X.509 (pem) certificate> \
-c http.sslCert=<path to your X.509 (pem) certificate> \
-c http.sslCertPasswordProtected=1 \
https://host.domain/path/to/repository.git
To avoid too much interactive input when issuing git commands, include the GitLab username in the URL:
git clone 'https://user@host.domain/path/to/repository.git'
With this setup you should be asked twice for the "SSH passphrase": the first time enter your certificate password, the second time your GitLab password.