Date: Wed, 3 Aug 2022 07:50:35 -0700
From: Zachary Crownover <zachary.crownover@gmail.com>
To: FreeBSD User <freebsd@walstatt-de.de>
Cc: Michael Gmelin <grembo@freebsd.org>, FreeBSD Ports <freebsd-ports@freebsd.org>
Subject: Re: poudriere overlay: passing down git ENV variables (problem: self signed certificates)
Message-ID: <519322B9-3AB9-4B83-B516-0F3595DB9E44@gmail.com>
In-Reply-To: <20220803162922.396e8f25@thor.intern.walstatt.dynvpn.de>
References: <20220803162922.396e8f25@thor.intern.walstatt.dynvpn.de>
Choosing to not verify a certificate defeats the entire point of using the certificate and you may as well not use it at all. The better thing to do is trust it. Rather than try to take credit for someone else's work in compiling a walk-through, I'll simply link a blog post that will give an example for git.

https://jhooq.com/2-ways-to-fix-ssl-certificate-problem-self-signed-certificate-in-certificate-chain/#git-clone

> On Aug 3, 2022, at 07:29, FreeBSD User <freebsd@walstatt-de.de> wrote:
>
> On Wed, 3 Aug 2022 14:27:04 +0200
> Michael Gmelin <grembo@freebsd.org> wrote:
>
>>> On Wed, 3 Aug 2022 12:38:26 +0200
>>> FreeBSD User <freebsd@walstatt-de.de> wrote:
>>>
>>> Hello,
>>>
>>> I am trying to accomplish tasks in maintaining ports via poudriere-devel's
>>> OVERLAY option. First of all:
>>>
>>> it is a pain in the a... not having ANY suitable hint on how to perform
>>> this; a single line like the one I found after a couple of hours of
>>> searching here: https://github.com/decke/ports would have been of
>>> help, really.
>>>
>>> So, I'm facing the all-time-present problem of having my own git
>>> server based on HTTPS with a self-signed certificate. git rejects
>>> connecting to those servers in the default configuration setting.
>>> Usually, I have to set "git config http.sslVerify false"
>>> to not verify the certificate.
>>> Following the instructions given at https://github.com/decke/ports
>>> with my existing poudriere setup incorporating a ports folder,
>>> adjusting the URI with the one appropriate for my case, like:
>>>
>>> env GIT_NO_SSL_VERIFY=true poudriere ports -c -U
>>> https://myname@my.server.de/git/ports.git -m "git+https" -B master -p
>>> ov-freebsd
>>>
>>> fails with the well-known "... problem: self signed certificate".
>>>
>>> Obviously poudriere is spawning its own environment within which git
>>> operates (so it seems to me) and is not passing the given environment
>>> variable GIT_NO_SSL_VERIFY=true down to git.
>>>
>>> Now, I'm stuck here. I tried, anticipating that the "overlay ports
>>> folder" will be located at the same root as my "head" folder for the
>>> ports collection is rooted at, creating a folder "ov-freebsd"
>>> and creating the .git folder and config file with "git init --bare
>>> ov-freebsd" and then manually configuring this according to the
>>> specifications given by the initial poudriere command as seen above -
>>> this does NOT WORK. It seems git is called too early or never accesses the
>>> given preexisting folder - or I'm wrong in my assumption of the
>>> location of the overlay folder.
>>>
>>> Also, checking out the "personal" git repo at the anticipated correct
>>> location and configuring "http.sslVerify false" does not succeed as
>>> expected.
>>>
>>> I guess this problem must be very common amongst those having their
>>> own git repository servers backed by a webserver secured via SSL
>>> self-signed certificates, so I wonder whether there is a solution or
>>> not.
>>>
>>> Can someone enlighten me? How can I pass the specified env variable
>>> down through poudriere to git to achieve the desired task? Assuming this
>>> procedure is correct. If not, what is the proper way to achieve that
>>> task?
>>>
>>
>> If you read /usr/local/bin/poudriere you see that it filters the
>> environment. So neither GIT_NO_SSL_VERIFY will come through, nor HOME
>> (which also means that git can't read $HOME/.gitconfig).
>>
>> The pragmatic solution would be to create a git wrapper script and tell
>> poudriere to use it:
>>
>> cat >/tmp/git_wrap <<'EOF'
>> #!/bin/sh
>> GIT_NO_SSL_VERIFY=true git "$@"
>> EOF
>> chmod 755 /tmp/git_wrap
>> echo GIT_CMD=/tmp/git_wrap >>/usr/local/etc/poudriere.conf
>>
>> Cheers
>> Michael
>>
>
> Thank you very much for the quick answer.
>
> Well, the approach is a bit "hacky", but it works, though I had to replace the part "[env]
> GIT_NO_SSL_VERIFY=true" (which is obviously ineffective and not working) with
>
> git -c http.sslVerify=false "$@"
>
> That written, this brings up the question:
>
> is there an official way to pass down options to git as with "-c"? That would solve the hacky
> wrapper script.
>
> Many thanks,
>
> Oliver
>
> --
> O. Hartmann
>
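Picking up Zachary's point that the certificate should be trusted rather than verification switched off, the following is an added example, not code from this thread, from poudriere or from git: a GIT_CMD wrapper in the style of Michael's script that passes http.sslCAInfo with -c instead of http.sslVerify=false, so git keeps verifying the chain and poudriere's environment scrubbing is irrelevant because the setting travels on the command line. The CA file path, wrapper path and host name are placeholders (assumptions), and the export helper only downloads the server's certificate; its SHA-256 fingerprint should be compared with one obtained on the server itself before the file is trusted. (For reference, the variable git itself honours is GIT_SSL_NO_VERIFY, not GIT_NO_SSL_VERIFY, which is one reason the original [env] form had no effect.)

```shell
#!/bin/sh
# Added example (not from the thread): a poudriere GIT_CMD wrapper that keeps
# TLS verification enabled and trusts the self-signed server certificate
# explicitly. CA_FILE and WRAPPER are placeholder paths (assumptions).

CA_FILE="${CA_FILE:-/usr/local/etc/ssl/my-git-server.pem}"   # placeholder
WRAPPER="${WRAPPER:-/usr/local/bin/git_wrap}"               # placeholder

# Download the leaf certificate the server presents and store it as PEM, then
# print its SHA-256 fingerprint. This only fetches; it does not decide trust.
# Compare the fingerprint with one taken on the server before using the file.
export_server_cert() {
    _host="$1"; _port="${2:-443}"; _out="$3"
    openssl s_client -connect "$_host:$_port" -servername "$_host" -showcerts \
        </dev/null 2>/dev/null | openssl x509 -outform PEM >"$_out"
    openssl x509 -in "$_out" -noout -fingerprint -sha256
}

# Write the wrapper. poudriere runs every git invocation through GIT_CMD, so
# the -c option reaches git even though poudriere filters the environment.
# "\$@" is escaped so the literal "$@" lands in the generated script.
write_git_wrapper() {
    _ca="$1"; _out="$2"
    cat >"$_out" <<EOF
#!/bin/sh
# Trust only this CA file for this git process; verification stays enabled.
exec git -c "http.sslCAInfo=$_ca" "\$@"
EOF
    chmod 755 "$_out"
}

# Lint: reject any wrapper that disables verification, accept one that pins
# a CA file. Useful as a check before appending GIT_CMD to poudriere.conf.
wrapper_is_safe() {
    if grep -qF 'sslVerify=false' "$1"; then
        return 1
    fi
    grep -qF 'http.sslCAInfo=' "$1"
}

# Usage (as root on the poudriere host):
#   CA_FILE=/path/to/server.pem sh git_wrap_install.sh install
#   echo "GIT_CMD=$WRAPPER" >>/usr/local/etc/poudriere.conf
if [ "${1:-}" = "install" ]; then
    write_git_wrapper "$CA_FILE" "$WRAPPER"
    wrapper_is_safe "$WRAPPER" && echo "installed $WRAPPER (verification stays on)"
fi
```

Scoping trust with http.sslCAInfo keeps the self-signed certificate out of the system trust store and out of $HOME/.gitconfig (which poudriere's git cannot read anyway), so only this wrapper, and therefore only poudriere's git calls, accept it; everything else on the host still rejects that server unless told otherwise.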
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?519322B9-3AB9-4B83-B516-0F3595DB9E44>