Comments (14)
hm… it looks like you're using a self-signed certificate (which by essence is invalid). Then the HTTP library I'm using to connect to gitlab is failing.
The good solution is to use a well signed certificate (letsencrypt is 👍) or have your own certificate "authority"'s public key installed locally (not sure how to do that) if the server is not public…
And I can see how hard it'd be to add an --insecure option (either in the conf or on commandline) to accept invalid certificates.
from git-repo.
The fqdn I gave in the issue is dummy. It's a coincidence it matches a real gitlab host.
We use ssh and not http for remote operations.
from git-repo.
I checked the certificate and it is issued by a CA that is not in my host's CA list. It's not a self signed certificate, but the net effect is the same.
If git-repo uses https instead of ssh, it can't work for me.
from git-repo.
> I checked the certificate and it is issued by a CA that is not in my host's CA list. It's not a self signed certificate, but the net effect is the same.
ok, here's why ☺
> If git-repo uses https instead of ssh, it can't work for me.
I believe you're not understanding what git-repo is about. It's not there to _replace_ git, but to complement it. So git-repo supports git operations in both ssh and https, even though it enforces SSH for all read/write repositories.
But what git-repo really is for, is to replace a bunch of operations you'd be doing using your browser to work with github or gitlab, like creating/deleting a repository, listing and handling Pull/Merge Requests, handling gists/snippets…
And all those operations are, by design of github, gitlab, bitbucket and others, only done through the API, for which you need an API key and for which you need to use an HTTPS connection to the server.
from git-repo.
> And I can see how hard it'd be to add an --insecure option (either in the conf or on commandline) to accept invalid certificates.
Does this already exist? Because I have the same problem here. We have an internal GitLab instance and the certificate is signed by an internal CA.
I have added the CA to /usr/local/share/ca-certificates and chromium and Firefox are able to verify the certificate. Also if I test this with the requests package it seems to work:
In [4]: import requests
In [5]: requests.get('https://mygitlab.example')
Out[5]: <Response [200]>
But git-repo fails:
$ git lab gist ls
Fatal error: Can't connect to GitLab server ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645))
from git-repo.
can you run: git lab -vvvv ls ?
from git-repo.
I assume you meant git lab -vvvv gist ls:
% git lab -vvvv gist ls :(
Fatal error: Can't connect to GitLab server ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645))
------------------------------------
Traceback (most recent call last):
File "/home/rnestler/.local/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 594, in urlopen
chunked=chunked)
File "/home/rnestler/.local/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 350, in _make_request
self._validate_conn(conn)
File "/home/rnestler/.local/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 835, in _validate_conn
conn.connect()
File "/home/rnestler/.local/lib/python3.5/site-packages/requests/packages/urllib3/connection.py", line 323, in connect
ssl_context=context)
File "/home/rnestler/.local/lib/python3.5/site-packages/requests/packages/urllib3/util/ssl_.py", line 324, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.5/ssl.py", line 377, in wrap_socket
_context=self)
File "/usr/lib/python3.5/ssl.py", line 752, in __init__
self.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/rnestler/.local/lib/python3.5/site-packages/requests/adapters.py", line 423, in send
timeout=timeout
File "/home/rnestler/.local/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 624, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/rnestler/.local/lib/python3.5/site-packages/gitlab/__init__.py", line 448, in get
verify=self.ssl_verify, timeout=self.timeout)
File "/home/rnestler/.local/lib/python3.5/site-packages/requests/sessions.py", line 501, in get
return self.request('GET', url, **kwargs)
File "/home/rnestler/.local/lib/python3.5/site-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/home/rnestler/.local/lib/python3.5/site-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/home/rnestler/.local/lib/python3.5/site-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/rnestler/.local/lib/python3.5/site-packages/git_repo/repo.py", line 522, in main
return GitRepoRunner(args).run()
File "/home/rnestler/.local/lib/python3.5/site-packages/git_repo/kwargparse.py", line 68, in run
return self._action_dict[frozenset(args)](self)
File "/home/rnestler/.local/lib/python3.5/site-packages/git_repo/repo.py", line 422, in do_gist_list
service = self.get_service(lookup_repository=False)
File "/home/rnestler/.local/lib/python3.5/site-packages/git_repo/repo.py", line 186, in get_service
service.connect()
File "/home/rnestler/.local/lib/python3.5/site-packages/git_repo/services/ext/gitlab.py", line 25, in connect
self.gl.token_auth()
File "/home/rnestler/.local/lib/python3.5/site-packages/gitlab/__init__.py", line 210, in token_auth
self.user = CurrentUser(self)
File "/home/rnestler/.local/lib/python3.5/site-packages/gitlab/objects.py", line 381, in __init__
data = self.gitlab.get(self.__class__, data, **kwargs)
File "/home/rnestler/.local/lib/python3.5/site-packages/gitlab/__init__.py", line 451, in get
"Can't connect to GitLab server (%s)" % e)
gitlab.exceptions.GitlabConnectionError: Can't connect to GitLab server ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645))
from git-repo.
ok, that's definitely it.
so there are two issues at hand:
- how to support your local certificates? (why gitlab's requests instance does not work when the default requests instance does?)
- add support for self-signed/non-valid aka "insecure" certificates.
For ① we might want to look at certificate tool certifi which handles that at a system level. But it looks like support for custom certificates is still a work in progress.
Though we can also use a custom cert file as a configuration parameter.
As a workaround, you can try giving the full path to your CA bundle in the environment variable: REQUESTS_CA_BUNDLE (just discovered that ☺).
For ②, it's way easier, just need to give insecure=True as parameter to the requests session. Next time I'll dig in the code, I'll write a patch to add a command line and service-scope configuration option for that.
from git-repo.
> As a workaround, you can try giving the full path to your CA bundle in the environment variable: REQUESTS_CA_BUNDLE (just discovered that ☺).
Will try that :)
> For ②, it's way easier, just need to give insecure=True as parameter to the requests session. Next time I'll dig in the code, I'll write a patch to add a command line and service-scope configuration option for that.
@guyzmo If you could give me some mentoring (hints where to look in the code, take an early look at my implementation, ...) I'd like to give this a try.
from git-repo.
ok, it's a fairly simple and easy changeset to do, what needs to be changed is the following:
# where the service configuration is read: pick up the new option
def __init__(…):
    …
    self._alias = c.get('alias', self.name)
    self.fqdn = c.get('fqdn', self.fqdn)
    self.insecure = c.get('insecure', False)
# in the GitLab service: hand the option over to python-gitlab
def __init__(…):
    super().__init__(*args, **kwarg)
    self.gl = gitlab.Gitlab(self.url_ro, ssl_verify=not self.insecure)
the catch is the reversing of the two lines in the gitlab.__init__(), because if I did it that way, it might be for a good reason (which I forgot ☺). If tests fail, then, you'd need to do:
# fallback: keep the original order and set ssl_verify afterwards
def __init__(…):
    self.gl = gitlab.Gitlab(self.url_ro)
    super().__init__(*args, **kwarg)
    self.gl.ssl_verify = not self.insecure
(note also the switch to super(), I kept the bad habit of the verbose writing of supers from py2, it's good time to switch away from it ☺)
Now the real trick is that I'm not sure how to implement a test for that. As I'm not using a custom instance of gitlab to run the tests against it…
from git-repo.
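One way to turn the settings discussed in this thread into the value that ends up in requests' `verify` (python-gitlab's `ssl_verify`), written as a pure function so it can be tested without a GitLab instance. This is an added example, not git-repo's code: the `insecure` key and `REQUESTS_CA_BUNDLE` come from the thread, while `resolve_verify`, `TLSConfigError` and the `ca_bundle` key are hypothetical names.

```python
import os
import warnings

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


class TLSConfigError(ValueError):
    """The TLS settings of a service cannot be used safely."""


def resolve_verify(conf, environ=None):
    """Return what to pass as requests' verify= / python-gitlab's ssl_verify=:
    False (no verification), True (default trust store) or a CA bundle path.

    conf: per-service settings. 'insecure' and 'fqdn' are keys from the thread;
          'ca_bundle' is a hypothetical key for the custom cert file.
    environ: environment mapping, defaults to os.environ.
    """
    environ = os.environ if environ is None else environ
    insecure = conf.get("insecure", False)
    if not isinstance(insecure, bool):
        # Values read from a config file are strings: "false" must stay False.
        insecure = str(insecure).strip().lower() in ("1", "true", "yes", "on")
    if insecure:
        # Opt-in only, and never silent.
        warnings.warn("TLS certificate verification disabled for %s"
                      % conf.get("fqdn", "<unknown host>"))
        return False

    bundle = conf.get("ca_bundle") or environ.get("REQUESTS_CA_BUNDLE")
    if not bundle:
        return True

    path = os.path.expanduser(bundle)
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            has_cert = PEM_MARKER in fh.read()
    except OSError as err:
        # Fail closed: an unreadable bundle must not downgrade verification.
        raise TLSConfigError("cannot read CA bundle %s: %s" % (path, err)) from err
    if not has_cert:
        raise TLSConfigError("no PEM certificate found in %s" % path)
    return path
```

Pointing the bundle at the internal CA keeps hostname and chain checks in place, so it is the setting to prefer over `insecure` for an internal GitLab instance.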
@rnestler did the REQUESTS_CA_BUNDLE trick work? Are you still thinking on working on a PR, and if so did my tips help you?
from git-repo.
> did the REQUESTS_CA_BUNDLE trick work?
The trick seemed to work, but I get another error then:
% REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/ca.crt git lab -vvvv gist ls
/home/rnestler/.virtualenvs/git-repo/lib/python3.5/site-packages/requests/packages/urllib3/connection.py:337: SubjectAltNameWarning: Certificate for mygitlab.example has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
send: b'GET /api/v3/user HTTP/1.1\r\nHost: mygitlab.example\r\nConnection: keep-alive\r\nUser-Agent: python-requests/2.12.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nPRIVATE-TOKEN: w4yYVExntN2BEXEPiz7b\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
id title
Fatal error:
------------------------------------
Traceback (most recent call last):
File "/home/rnestler/.virtualenvs/git-repo/lib/python3.5/site-packages/git_repo/repo.py", line 522, in main
return GitRepoRunner(args).run()
File "/home/rnestler/.virtualenvs/git-repo/lib/python3.5/site-packages/git_repo/kwargparse.py", line 68, in run
return self._action_dict[frozenset(args)](self)
File "/home/rnestler/.virtualenvs/git-repo/lib/python3.5/site-packages/git_repo/repo.py", line 429, in do_gist_list
for gist in service.gist_list():
File "/home/rnestler/.virtualenvs/git-repo/lib/python3.5/site-packages/git_repo/services/service.py", line 367, in gist_list
raise NotImplementedError
NotImplementedError
header: Server header: Date header: Content-Type header: Content-Length header: Connection header: Cache-Control header: Etag header: Vary header: X-Request-Id header: X-Runtime
from git-repo.
> Are you still thinking on working on a PR, and if so did my tips help you?
I did only take a short look into it and your tips helped on where to look.
I'll try to take another look at it this weekend.
from git-repo.
well, it's a feature, not a bug ©®™
I'm currently working on implementing snippets for gitlab, but it's a long run… Because there's still no API for the snippets, I'm working on a patch for gitlab, which then will have to be merged, and a patch will have to be built for python-gitlab (the lib I'm using), before having it land in #12
from git-repo.