26

I have just setup an Ubuntu 18.04 LTS Server with Gitlab following the instructions from https://about.gitlab.com/install/#ubuntu.

I have issued a ssl certificate from GoDaddy and confirmed this works with the Gitlab server.

I have then updated gitlab.rb: gitlab_rails['lfs_enabled'] = true

I have installed GIT LFS Client from https://git-lfs.github.com/.

I have then tried to find a solution online on why I do not get LFS to work. I always get

x509: certificate signed by unknown authority

Other settings done in gitlab.rb:

gitlab_workhorse['env'] = {
'SSL_CERT_DIR' => '/opt/gitlab/embedded/ssl/certs/'
}
nginx['redirect_http_to_https'] = true

I am not an expert on Linux/Unix/git - but have used Unix/Linux for some 30+ years and git for a number of years - I have just not set up git with LFS myself before.

isapir
EON CTO

3 Answers

20

I just had that same issue while running git clone ... to download source code from a private Git repository in BitBucket into a Docker image. I solved it by disabling the SSL check like so:

GIT_SSL_NO_VERIFY=1 git clone ...

Notice that there is no && between the Environment arg and the git clone command.

You can also set that option using git config:

git config http.sslverify false

For my use case in building a Docker image it is easier to set the Env var.

isapir
17

The problem is that Git LFS finds certificates differently than the rest of Git.

It might need some help to find the correct certificate.

I and my users solved this by pointing http.sslCAInfo to the location of the user's private key they use for GitLab.

git config http.sslCAInfo ~/.ssh/id_ed25519, where id_ed25519 is the user's private key for the problematic repo, so change as appropriate.

FLWE
    This one solves the problem. I can only tell it's funny - added yesterday, helping today. Looks like a charm! – Dmitry Sep 07 '22 at 15:52
  • 4
    How does this actually work? Clearly the SSH identity isn't the same as a CA certificate (neither the file format nor otherwise). So how does telling `git` to use that file for `http.sslCAInfo` fix anything? I am mostly interested in it from the technical perspective ... – 0xC0000022L Mar 10 '23 at 12:02
  • My guess is that it effectively disables SSL verification entirely, due to improper error handling. Seems like a bug, not a feature. I am just guessing, but it sure seems like a nonsense solution. But we have multiple attestations that it works. – Bob Kerns Jun 20 '23 at 16:57
  • 1
    It doesn't disable SSL verification, it won't work with invalid keys. Git LFS is written in Go and uses their crypto package for finding certs and whatnot. It's extended to also include some of git's locations, if they are configured. By default the locations git and Git LFS look at don't match exactly. By setting http.sslCAInfo Git LFS can find it. https://github.com/git-lfs/git-lfs/pull/1067#issue-139929726 That's my understanding at least. – FLWE Jun 24 '23 at 10:04
  • @0xC0000022L -- it does not work. Pointing sslCAInfo at the user's SSH key fails. I and 2 other colleagues have tried and the operation still fails with the signed by unknown authority error. – Matt Warren Aug 10 '23 at 13:11
  • @MattWarren thought as much, thanks for the confirmation. – 0xC0000022L Aug 10 '23 at 20:51
  • @MattWarren Did you have the exact same problem as OP? This solution has worked for dozens I work with, the caveat being they're all on Windows machines and connecting to the same GitLab instance. – FLWE Aug 11 '23 at 23:21
0

On Ubuntu, just update your system CA store:

# move your cert into /usr/local/share/ca-certificates
sudo curl -s 'my-pki.de/my-cert.pem' --output /usr/local/share/ca-certificates/my-cert.crt

# update store
sudo update-ca-certificates
mr.wolle
  • That may not be enough, depending on your version of Ubuntu. For a similar problem with curl, I had to delete the DST Root CA X3 cert (which expired Sept 2021). Apparently the openssl library is/was stopping validation on encountering the expired cert rather than continuing the search until it found an unexpired trust root. – Bob Kerns Jun 20 '23 at 16:54
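The comment thread under FLWE's answer and mr.wolle's answer both turn on the same question: what does a Go-based client such as Git LFS actually do with the file named by http.sslCAInfo, and why does the wrong file produce "x509: certificate signed by unknown authority"? The following Go program is an added example, not code from any answer above or from the git-lfs project. It constructs a throwaway root CA and a server certificate issued by it (standing in for the GoDaddy chain and the GitLab server), then verifies that certificate the way Go's crypto/x509 does, once with the issuing CA as the bundle and once with a PEM block shaped like an OpenSSH private key. The hostname gitlab.example.invalid and all key material are constructed assumptions; the system trust store is deliberately left out so the result depends only on the supplied file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// assumedHost is an assumption for the example, not the asker's real server.
const assumedHost = "gitlab.example.invalid"

// testPKI is constructed material: a throwaway root CA and the server certificate it issued.
type testPKI struct {
	caPEM   []byte // PEM CA certificate, the kind of content a CA bundle holds
	leafDER []byte // DER server certificate presented during the TLS handshake
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newTestPKI() *testPKI {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{assumedHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	must(err)
	return &testPKI{
		caPEM:   pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		leafDER: leafDER,
	}
}

// fakeSSHKeyPEM stands in for ~/.ssh/id_ed25519: a PEM block whose type is not
// CERTIFICATE. Its payload is constructed filler, not a real key.
func fakeSSHKeyPEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: []byte("constructed filler")})
}

// check loads caFile the way a Go client does when http.sslCAInfo names it
// (CertPool.AppendCertsFromPEM) and verifies the server certificate against
// exactly those roots. It returns whether any trust anchor was loaded and the verify error.
func check(p *testPKI, caFile []byte, host string) (bool, error) {
	leaf, err := x509.ParseCertificate(p.leafDER)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	// Non-CERTIFICATE PEM blocks are skipped silently, so an SSH key adds nothing
	// and the pool stays empty (an empty non-nil pool does not fall back to system roots).
	loaded := roots.AppendCertsFromPEM(caFile)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return loaded, err
}

// isUnknownAuthority reports whether err is the error quoted in the question.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	p := newTestPKI()
	loaded, err := check(p, p.caPEM, assumedHost)
	fmt.Println("CA bundle: roots loaded =", loaded, "err =", err)
	loaded, err = check(p, fakeSSHKeyPEM(), assumedHost)
	fmt.Println("ssh key:   roots loaded =", loaded, "err =", err)
}
```

Run with `go run .`: the bundle containing the issuing CA verifies cleanly, while the SSH-key file loads zero roots and the verification fails with exactly the question's error. Whatever a client reports as the CA file, the check that matters is that the file holds a PEM CERTIFICATE block for the CA that actually issued the server certificate; that is also what `update-ca-certificates` arranges for clients that read the system store.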