0

I try to go get a repository from a private gitlab server, from a mac.

I set the git config (~/.gitconfig) to use ssh instead of https : 

[url "git@gitlab.mysite.com:"]
    insteadOf = https://gitlab.mysite.com/

When I clone the project using the https url, I get the correct replacement

$ git clone https://gitlab.mysite.com/group/project
$ cd project
$ git remote -v
origin  git@gitlab.mysite.com:group/project (fetch)
origin  git@gitlab.mysite.com:group/project (push)

However, when I use go get, it tries to use the https url, and fail

$ go get gitlab.mysite.com/group/project
package gitlab.mysite.com/group/project: unrecognized import path "gitlab.mysite.com/group/project" (https fetch: Get https://gitlab.mysite.com/group/project?go-get=1: x509: certificate signed by unknown authority)

Why is go get not using my git configuration ? How can I fix that ?

I know the problem is similar to this question : go get: Git settings ignored and many other question concerning private repos

my problem is different

BlueMagma
  • 2,392
  • 1
  • 22
  • 46

1 Answers1

4

That error occurs before the git clone call. When you call go get, it makes an HTTPS call out to the URL to check the headers and see if it provides a go get redirect. That's what's failing.

And it's failing because the certificate provided by the server isn't signed by a Certificate Authority that you have specified as trusted on your local system. This could be because your internal gitlab is using an unsigned certificate, because the CA used to sign it hasn't been added to your local system, or because your workplace is using a man-in-the-middle style proxy and you don't have that proxy's CA added. You can either attempt to fix the cert issue, or simply run:

go get -insecure gitlab.mysite.com/group/project

The -insecure flag permits fetching from repositories and resolving custom domains using insecure schemes such as HTTP. Use with caution.

Notably, this bypasses the validation of the CA used to sign the server's certificate.

Kaedys
  • 9,600
  • 1
  • 33
  • 40
  • Thank you for your answer, the insecure flag work but is not an option since the goal is to have go modules make the go get call – BlueMagma Sep 19 '18 at 14:04
  • Why is go get making a first call using https when it could do everything with ssh ? – BlueMagma Sep 19 '18 at 14:07
  • It can't make an SSH call to a URL to get the HTTP headers for that URL. `go get` doesn't know whether the URL you provided directly points at the repository, or if it's simply a vanity URL that then forwards to the actual repo via the `go-import` meta tag. So it hits the endpoint first using an HTTPS GET query and looks for the tag. If it's not present, it tries to clone from that URL. If it is, it tries to clone the URL present in that meta tag instead. The meta tag is queried for before `git` is even called. – Kaedys Sep 19 '18 at 14:24
  • And @BlueMagma you have two options then. `go get` calls still work using go modules, they just require the extra `go get` step instead of just using `go build` and letting it handle the dependency fetching. The other option is to figure out what's causing the cert issue. I listed the 3 most likely cases in my answer. Your company's IT support team would probably be able to tell you which is the case. – Kaedys Sep 19 '18 at 14:29