SKIP_TLS_VERIFY not working for self-signed mirror

[levindecaro]

Gitea Version

1.16.3

Git Version

2.27.0

Operating System

Rocky Linux 8.5

How are you running Gitea?

Locally installed with systemd services.

Database

MySQL

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Description

Cannot bypass self-signed cert validation for mirroring configuration, unless we import the target self-signed CA certificate into system path /etc/pki/ca-trust/source/anchors/my-ca.crt to make it work.

Not working

[migrations]
SKIP_TLS_VERIFY = true

2022/03/04 10:08:43 ...ces/mirror/mirror.go:40:doMirrorSync() [I] [SQL] UPDATE `push_mirror` SET `repo_id` = ?, `remote_name` = ?, `interval` = ?, `last_update` = ?, `last_error` = ? WHERE `id`=? [400 remote_mirror_vL2BA04IvF 4h0m0s 1646388523 fatal: unable to access 'https://git.masked-dev.local/user1/common-library/': SSL certificate problem: self signed certificate in certificate chain
         3] - 9.847194ms

Screenshots

No response

[ihipop]

Version: 1.16.4 built with GNU Make 4.1, go1.17.8 : bindata, sqlite, sqlite_unlock_notify
same issue,but another error:

Migrate repository from https://****.org/********** failed: Clone: exit status 128 - fatal: unable to access 'https://****.org/**********': SSL certificate problem: certificate has expired

and SKIP_TLS_VERIFY doesn't work

openssl s_client -showcerts -servername **** -connect ****:443 |openssl x509 -inform pem -noout -text
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:bd:61:4f:07:b8:2f:d7:da:a6:0c:82:42:ab:cb:33:98:90
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Mar  8 04:56:12 2022 GMT
            Not After : Jun  6 04:56:11 2022 GMT
        Subject: CN=****.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:bb:65:d5:00:51:a7:24:11:00:31:ca:49:3d:
                    0c:16:b1:34:70:b4:10:91:76:c5:a6:09:fb:2e:25:
                    ba:46:68:c0:8a:f6:b5:c3:82:52:8a:24:f6:dd:cb:
                    db:04:23:6b:2e:27:e9:0c:74:43:b3:16:12:c6:f9:
                    64:bd:aa:c5:36:f1:05:79:21:55:32:9d:a1:90:6d:
                    86:87:7e:b5:1b:7f:80:ab:9a:6a:4c:b6:b4:6f:9c:
                    9e:de:01:80:a3:cb:94:15:6b:11:4a:01:62:73:f8:
                    f2:5a:17:79:e2:9d:6c:11:59:2b:6d:98:01:3d:b1:
                    c4:17:4e:66:fe:a1:d2:8c:71:0c:90:91:39:63:df:
                    46:22:9d:de:99:d0:c1:a4:61:f5:10:e6:31:60:cf:
                    87:45:e3:2b:81:73:ed:79:f3:f4:b2:96:7c:4a:a7:
                    30:d0:b7:2b:a0:e7:e6:0e:dd:a4:2f:c0:d8:56:85:
                    36:36:60:52:e7:73:f0:f8:2d:15:42:e6:d0:a5:ab:
                    20:41:e8:f1:15:ca:9f:b7:a3:95:38:8b:cf:49:2e:
                    56:e3:f5:68:e1:a9:34:ed:01:93:45:de:8f:e2:03:
                    a1:a6:90:fb:eb:08:d9:85:b4:f8:53:23:30:e2:5a:
                    09:de:65:10:22:70:87:aa:79:d0:56:43:f9:ff:93:
                    3a:bd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                BF:51:5A:FE:B3:5C:B4:9E:B5:A6:30:C2:58:89:0E:81:AA:EC:1B:72
            X509v3 Authority Key Identifier: 
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name: 
                DNS:****.org, DNS:www.****.org
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A:
                                EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73
                    Timestamp : Mar  8 05:56:12.708 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:B0:B1:9D:2F:43:10:6C:D4:B1:DE:34:
                                B1:FD:7F:55:78:78:65:BC:B3:D8:B5:10:F4:E2:05:74:
                                DE:62:C0:AD:58:02:20:09:32:9F:39:06:70:C8:94:FC:
                                7B:53:44:B9:60:63:95:95:FE:F1:95:60:E1:7A:54:65:
                                8A:BE:45:C7:1B:B6:3E
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
                                11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
                    Timestamp : Mar  8 05:56:12.744 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:82:35:C0:F1:22:DD:5A:F9:48:6B:DA:
                                BE:7C:D1:28:66:2D:F0:68:24:16:40:20:92:E1:BF:14:
                                78:67:6C:39:E8:02:21:00:96:57:D4:7A:2B:58:AC:3E:
                                54:3A:81:89:42:65:F1:B2:B9:BC:63:2B:F1:B0:15:B4:
                                8E:2B:AE:B1:8F:C5:F0:DC
    Signature Algorithm: sha256WithRSAEncryption
         69:99:2e:82:22:95:08:43:5e:ec:b4:7d:9e:3e:b9:67:18:e1:
         aa:9c:45:7f:4d:99:7b:aa:ca:a5:7b:c1:ef:93:a6:d7:af:80:
         eb:10:8b:f1:32:6a:89:ed:d7:21:5c:f2:e0:c4:47:3b:1c:aa:
         1b:88:c2:d2:ee:62:12:a4:77:6b:7b:8d:46:6a:37:ce:de:f2:
         2d:cb:37:54:93:a0:c5:11:2d:28:1d:6a:56:da:5e:52:15:6e:
         30:91:16:f7:1b:da:51:33:f9:68:23:10:4a:c3:15:04:81:18:
         77:1c:d4:db:62:54:f6:c9:5a:06:a0:c2:75:dc:cb:7b:8b:03:
         55:70:0d:52:50:43:d4:80:43:70:66:65:6c:d2:f1:45:bf:3d:
         22:43:e0:f4:1d:52:2d:10:30:f8:a7:9c:88:e6:89:1a:b0:8b:
         d3:be:b0:e1:fc:43:1d:ca:f4:96:56:f3:11:d8:9b:ed:ab:f6:
         23:b7:f1:b2:c5:64:ee:7a:86:f9:3c:34:3a:10:94:16:c5:81:
         8d:86:4b:59:b3:9c:ad:22:4b:c5:d6:65:74:b7:45:0c:8e:ef:
         f2:fe:2a:69:b0:c0:02:fc:e2:98:1f:d9:b2:a2:36:43:71:16:
         d6:99:88:1e:9b:65:3a:f6:86:c7:37:23:46:3c:3b:1e:e9:df:
         c7:7c:38:d0

[techknowlogick]

FWIW that setting is for interacting with the API and doesn't override git operations.

[ihipop]

FWIW that setting is for interacting with the API and doesn't override git operations.

I have the http.sslverify by global, still not working with the certificate has expired error when mirror use gitea 1.16.4

git config --global -l
user.name=Gitea
[email protected]
core.quotepath=false
core.commitgraph=true
gc.writecommitgraph=true
http.sslverify=false

@techknowlogick @zeripath

I can clone with bare git command

[zeripath]

[zeripath]

Have you tried the PR?

[ihipop]

Have you tried the PR?

I'm using gitea 1.16.4

FWIW that setting is for interacting with the API and doesn't override git operations.

I have the http.sslverify by global, still not working with the certificate has expired error when mirror use gitea 1.16.4

I will have a try and give my feedback later

I was just wonder that http.sslverify by git global is not working

[ihipop]

Have you tried the PR?

I can‘t build the main branch with an error

936 verbose stack TypeError: Cannot read properties of null (reading 'pickAlgorithm')
936 verbose stack     at Integrity.match (/home/***/.local/n/lib/node_modules/npm/node_modules/ssri/index.js:234:24)
936 verbose stack     at CachePolicy.satisfies (/home/***/.local/n/lib/node_modules/npm/node_modules/make-fetch-happen/lib/cache/policy.js:113:49)
936 verbose stack     at Function.find (/home/***/.local/n/lib/node_modules/npm/node_modules/make-fetch-happen/lib/cache/entry.js:172:25)
936 verbose stack     at async cacheFetch (/home/***/.local/n/lib/node_modules/npm/node_modules/make-fetch-happen/lib/cache/index.js:8:17)
936 verbose stack     at async fetch (/home/***/.local/n/lib/node_modules/npm/node_modules/make-fetch-happen/lib/fetch.js:82:7)

I will try it when 1.16.5 released, if you didn't hear me later, it should be working

[wxiaoguang]

You can always get the next 1.16.x (unreleased) Gitea in https://dl.gitea.io/gitea/1.16

[ihipop]

You can always get the next 1.16.x (unreleased) Gitea in https://dl.gitea.io/gitea/1.16

@wxiaoguang

there is no https error with version 1.16.4+12-g08feb6b66, but,the mirror task seems won't start

I wait about 30 minutes , task api still return the task is not started

bare git command will finish the clone in 2 minutes

---

it's also so wired that http.sslverify by git global is not working