Date: Wed, 3 Aug 2022 17:56:15 +0200
From: FreeBSD User <freebsd@walstatt-de.de>
To: Zachary Crownover <zachary.crownover@gmail.com>
Cc: Michael Gmelin <grembo@freebsd.org>, FreeBSD Ports <freebsd-ports@freebsd.org>
Subject: Re: poudriere overlay: passing down git ENV variables (problem: self signed certificates)
Message-ID: <20220803175642.7d110ca1@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <519322B9-3AB9-4B83-B516-0F3595DB9E44@gmail.com>
References: <20220803162922.396e8f25@thor.intern.walstatt.dynvpn.de> <519322B9-3AB9-4B83-B516-0F3595DB9E44@gmail.com>

On Wed, 3 Aug 2022 07:50:35 -0700
Zachary Crownover <zachary.crownover@gmail.com> wrote:

> Choosing to not verify a certificate defeats the entire point of using the certificate and
> you may as well not use it at all. The better thing to do is trust it. Rather than try to
> take credit for someone else’s work in compiling a walk through, I’ll simply link a blog
> post that will give an example for git.
>
> https://jhooq.com/2-ways-to-fix-ssl-certificate-problem-self-signed-certificate-in-certificate-chain/#git-clone
>
> > On Aug 3, 2022, at 07:29, FreeBSD User <freebsd@walstatt-de.de> wrote:
> >
> > On Wed, 3 Aug 2022 14:27:04 +0200
> > Michael Gmelin <grembo@freebsd.org> wrote:
> >
> >>> On Wed, 3 Aug 2022 12:38:26 +0200
> >>> FreeBSD User <freebsd@walstatt-de.de> wrote:
> >>>
> >>> Hello,
> >>>
> >>> I try to accomplish tasks in maintaining ports via poudriere-devel's
> >>> OVERLAY option. First of all:
> >>>
> >>> it is a pain in the a... not having ANY suitable hint how to perform
> >>> this, a single line like that I found after a couple of hours
> >>> searching here: https://github.com/decke/ports would have been of
> >>> help, really.
> >>>
> >>> So, I'm facing the all-time-present problem of having my own git
> >>> server based on HTTPS with self signed certificate. git rejects
> >>> connecting to those servers in the default configuration setting.
> >>> Usually, I've to set via git config http.sslVerify false
> >>> to not verify the certificate.
> >>> Following the instructions given at https://github.com/decke/ports
> >>> with my existing poudriere setup incorporating a ports folder,
> >>> adjusting the URI with the one appropriate for my case, like:
> >>>
> >>> env GIT_NO_SSL_VERIFY=true poudriere ports -c -U
> >>> https://myname@my.server.de/git/ports.git -m "git+https" -B master -p
> >>> ov-freebsd
> >>>
> >>> fails with the well known "... problem: self signed certificate".
> >>>
> >>> Obviously poudriere is spawning its own environment within which git
> >>> operates (so it seems to me) and is not passing the given environment
> >>> variable GIT_NO_SSL_VERIFY=true down to git.
> >>>
> >>> Now, I'm stuck here. I tried, anticipating that the "overlay port's
> >>> folder" will be located at the same root as my "head" folder for the
> >>> port's collection will be rooted at, creating a folder "ov-freebsd"
> >>> and creating the .git folder and config file with git init --bare
> >>> ov-freebsd and then manually config this according to the
> >>> specifications given by the initial poudriere command as seen above -
> >>> does NOT WORK. It seems git is called too early or never accesses the
> >>> given preexisting folder - or I'm wrong in the assumption of the
> >>> location of the overlay folder.
> >>>
> >>> Also, checking out the "personal" git repo at the anticipated correct
> >>> location and configuring "http.sslVerify false" does not succeed as
> >>> expected.
> >>>
> >>> I guess this problem must be very common amongst those having their
> >>> own git repository servers backed via a webserver secured via SSL
> >>> self signed certificates, so I wonder whether there is a solution or
> >>> not.
> >>>
> >>> Can someone enlighten me? How can I pass the specified env variable
> >>> down poudriere to git to achieve the desired task? Assuming this
> >>> procedure is correct. If not, what is the proper way to achieve that
> >>> task?
> >>>
> >>
> >> If you read /usr/local/bin/poudriere you see that it filters the
> >> environment. So neither GIT_NO_SSL_VERIFY will come through, nor HOME
> >> (which also means that git can't read $HOME/.gitconfig).
> >>
> >> The pragmatic solution would be to create a git wrapper script and tell
> >> poudriere to use it:
> >>
> >> cat >/tmp/git_wrap <<'EOF'
> >> #!/bin/sh
> >> GIT_NO_SSL_VERIFY=true git "$@"
> >> EOF
> >> chmod 755 /tmp/git_wrap
> >> echo GIT_CMD=/tmp/git_wrap >>/usr/local/etc/poudriere.conf
> >>
> >> Cheers
> >> Michael
> >>
> >
> > Thank you very much for the quick answer.
> >
> > Well, the approach is a bit "hacky", but it works, but I had to replace the part "[env]
> > GIT_NO_SSL_VERIFY=true" (which is obviously ineffective and not working) with
> >
> > git -c http.sslVerify=false "$@"
> >
> > That written, brings up the question:
> >
> > is there an official way to pass down options to git as with "-c"? That would solve the
> > hacky wrapper script.
> >
> > Many thanks,
> >
> > Oliver
> >
> > --
> > O. Hartmann
> >

Thank you very much for this hint. It solves several problems with SSL certificates I was
faced with for several sites.

According to my initial problem and Michael Gmelin's answer, the problem persists:

The initial git call from within poudriere seems to ignore even the ~/.gitconfig (HOME is
not respected) and usually, when performing some initial pulls with git, I have to provide
git the proper configuration at the command line via git's "-c" option, for instance
-c http.proxy=""" in some cases or "-c http.sslVerify=false" as shown in the initial
question.

When using the wrapper script as suggested with git enriched with the proper -c options,
within the git overlay folder the folder .git contains then "config" which can be
configured accordingly and without hazards.

The real pain is that poudriere seems not to provide any method to pass some "-c options"
down to git - or I do not know them. The documentation is a horror and it is hard for me
to find explanations/definitions of such top level env variables like the suggested
"GIT_CMD" referred to by Michael Gmelin.
I guess there might be an opportunity to find some "GIT_CMD_OPTIONS" variable which is
expanded to what follows "-c" ... but this is looking into the magic sphere ...

Kind regards,

Oliver

--
O. Hartmann
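
Added example, not part of the original message and not poudriere's own code: a generator for the GIT_CMD wrapper discussed in this thread that trusts one server's self-signed certificate through git's http.<url>.sslCAInfo setting instead of passing http.sslVerify=false. The server URL, certificate path and wrapper location are placeholders, and it assumes the certificate has already been exported to a PEM file.

```sh
#!/bin/sh
# Added example, not code from the thread or from poudriere.
# Builds a GIT_CMD wrapper that trusts one self-signed certificate for one
# server instead of disabling verification for every HTTPS remote.

# write_git_wrapper WRAPPER_PATH SERVER_URL CA_PEM
write_git_wrapper() {
    wrapper=$1
    server=$2
    ca_pem=$3

    # Refuse to build a wrapper around a missing or empty certificate file.
    [ -s "$ca_pem" ] || { echo "no certificate at $ca_pem" >&2; return 1; }

    # A trust anchor only makes sense for an https:// remote.
    case $server in
        https://*) ;;
        *) echo "server must be an https:// URL" >&2; return 1 ;;
    esac

    # Both values are pasted into the generated script, so accept only
    # characters that cannot break out of its double-quoted argument.
    case "$server$ca_pem" in
        *[!A-Za-z0-9:/._@+-]*)
            echo "unsupported character in URL or path" >&2; return 1 ;;
    esac

    # Unquoted heredoc: $server and $ca_pem expand now; \$@ is escaped so
    # the wrapper forwards its own arguments when poudriere calls it.
    cat >"$wrapper" <<EOF
#!/bin/sh
# poudriere filters HOME and the environment, so the setting is passed
# with -c. It applies only to URLs under $server
exec git -c "http.$server.sslCAInfo=$ca_pem" "\$@"
EOF
    chmod 755 "$wrapper"
}

# Usage with placeholder paths (a root-owned directory rather than /tmp,
# because poudriere runs the wrapper as root):
#   write_git_wrapper /usr/local/libexec/poudriere-git \
#       https://my.server.de/ /usr/local/etc/ssl/my-server.pem
#   echo GIT_CMD=/usr/local/libexec/poudriere-git >>/usr/local/etc/poudriere.conf
```

Because the setting is scoped to the server URL, any other HTTPS remote that poudriere fetches through the same wrapper is still verified against the system trust store.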