
I have a gitlab installation on a server in the local network listening on some port p using a self-signed SSL certificate for its IP (192.168.x.y).

When cloning a repository from the server I was okay with temporarily ignoring SSL verification: git -c http.sslVerify=false clone https://192.168.x.y:p/path/to/repo.git

Now, when working with the origin (e.g. git pull origin) I don't want to ignore the SSL verification because of possible MitM attacks. That's why I included the cert in the local git config: git config http.sslCAInfo /etc/gitlab/ssal/192.168.x.y.crt

git pull origin now doesn't complain anymore that the certificate cannot be verified but instead reports that the subject name does not match the host name: fatal: unable to access 'https://192.168.x.y:p/path/to/repo.git/': SSL: certificate subject name (192.168.x.y) does not match target host name '192.168.x.y'

However, I checked multiple times that they match perfectly. Is it not possible to use self-signed certificates for local IPs in git?

René Martin
  • I'm not positive about this, but I think the command-line Git relies on the installed ssl library's verification, so that would be where to look. – torek May 10 '19 at 17:49
  • What is the `subject` and the `subjectAlternativeName` of your certificate? – Daniel Fisher lennybacon May 12 '19 at 20:53
  • @DanielFisherlennybacon I'm not quite sure how to retrieve them. Following the instructions on https://www.digicert.com/subject-alternative-name.htm I saw that when changing in Chrome to the "Only extensions" dropdown option in the Details tab, there were no entries at all. So I think I don't have any `subjectAlternativeName`. – René Martin May 13 '19 at 07:06
  • @RenéMartin Can you provide the certificate here by pasting it as base64? Or are you on a Windows box - then just double click the file (.cer/.crt) to open the certificate viewer of Windows, which can show the values. Another option is to navigate to the HTTP endpoint with a browser and let the browser show you the details (click on the lock symbol in the address bar). – Daniel Fisher lennybacon May 13 '19 at 09:47
  • A common error is a SAN containing the IP as IPAddress or URL, but should be placed inside a DNSName... – Daniel Fisher lennybacon May 13 '19 at 09:48
  • How did you generate the self signed certificate? This could also help to understand what's going on... – Daniel Fisher lennybacon May 13 '19 at 09:49
  • @DanielFisherlennybacon I'm sorry but I think I should not post the certificate here for data security reasons (as I do not fully understand which information is encoded within certificates). I followed the instructions at https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/43860138#43860138 to create a new certificate today. I put the IP (192.168.x.y) as CN and DNS.1 for alt_names. So my certificate now also has the IP as SAN (Chrome now says: DNS-Name=192.168.x.y). However the questioned problem still persists. – René Martin May 13 '19 at 10:07
  • @RenéMartin Hmmm... That looks accurate. What else could you do? Have you tried to use a hostname (real DNS or patching your hosts file) and using that in the Subject/SAN of the certificate? – Daniel Fisher lennybacon May 16 '19 at 06:34
  • @DanielFisherlennybacon I did not do that yet. But since I cannot set up any DNS to link a domain name to a local network (which I hopefully can't, right?) I think this approach would also be difficult. I think I'd have to set up custom .hosts files on the accessing systems. I was able to circumvent my original problem with git after setting up asynchronous keys for my users to connect with git over ssl. However I think there might be a bug within curl itself. – René Martin May 16 '19 at 08:41
  • @RenéMartin Let us know if you keep up with hunting the issue with the hosts file. – Daniel Fisher lennybacon May 17 '19 at 06:47

0 Answers