I am in the process of upgrading from Kirkstone to Scarthgap (via Langdale,
Mickledore and Nanbield). As my host system (openSUSE) doesn't meet the
system requirements, I use the buildtools-extended tarball.
Since the migration step from Mickledore to Nanbield, I cannot access my
company's GIT server (runing GitLab, requires https + authentifaction) anymore.
When I use the GIT client from openSUSE, everything works fine, but when
the GIT command from the buildtools tarball is used, I get a
"remote: HTTP Basic: Access denied."
error message (log below). When I compare this log with the working version,
I see that ...
- h2 is used instead of http/1.1
- authentication happens straight after SSL setup (before the GET command)
Could the GIT client in the buildtools tarball be configured in a way that
it works with https + authentication?
GIT_TRACE_CURL=TRUE GIT_TRACE_CURL_NO_DATA=1 GIT_TRACE_REDACT=FALSE
GIT_TRACE2_REDACT=FALSE git clone g...@git.mycompany.com:myrepo.git
Cloning into 'myrepo'...
12:35:38.736181 http.c:820 == Info: Trying xxx.xxx.xxx.xxx:443...
12:35:38.736581 http.c:820 == Info: Connected to git.mycompany.com
(xxx.xxx.xxx.xxx) port 443
12:35:38.738282 http.c:820 == Info: ALPN: curl offers http/1.1
12:35:38.738544 http.c:820 == Info: TLSv1.3 (OUT), TLS handshake,
Client hello (1):
12:35:38.749279 http.c:820 == Info: CAfile:
/build/buildtools/sysroots/x86_64-pokysdk-linux/etc/ssl/certs/ca-certificates.crt
12:35:38.749303 http.c:820 == Info: CApath: none
12:35:38.749385 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
Server hello (2):
12:35:38.749698 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
Encrypted Extensions (8):
12:35:38.749722 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
Certificate (11):
12:35:38.750274 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
CERT verify (15):
12:35:38.750368 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
Finished (20):
12:35:38.750407 http.c:820 == Info: TLSv1.3 (OUT), TLS change
cipher, Change cipher spec (1):
12:35:38.750432 http.c:820 == Info: TLSv1.3 (OUT), TLS handshake,
Finished (20):
12:35:38.750537 http.c:820 == Info: SSL connection using TLSv1.3 /
TLS_AES_256_GCM_SHA384
12:35:38.750546 http.c:820 == Info: ALPN: server accepted http/1.1
12:35:38.750555 http.c:820 == Info: Server certificate:
12:35:38.750571 http.c:820 == Info: subject: CN=*.mycompany.com
12:35:38.750581 http.c:820 == Info: start date: Feb 28 00:00:00
2024 GMT
12:35:38.750589 http.c:820 == Info: expire date: Mar 15 23:59:59
2025 GMT
12:35:38.750606 http.c:820 == Info: subjectAltName: host
"git.mycompany.com" matched cert's "*.mycompany.com"
12:35:38.750622 http.c:820 == Info: issuer: C=GB; ST=Greater
Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation
Secure Server CA
12:35:38.750629 http.c:820 == Info: SSL certificate verify ok.
12:35:38.750632 http.c:820 == Info: using HTTP/1.1
NOTE: openSUSE's GIT client uses
HTTP/2 here and also performs authentication here.
12:35:38.750680 http.c:767 => Send header, 0000000247 bytes
(0x000000f7)
12:35:38.750688 http.c:779 => Send header: GET
/myrepo.git/info/refs?service=git-upload-pack HTTP/1.1
12:35:38.750690 http.c:779 => Send header: Host: git.mycompany.com
12:35:38.750692 http.c:779 => Send header: User-Agent: git/2.42.0
12:35:38.750694 http.c:779 => Send header: Accept: */*
12:35:38.750696 http.c:779 => Send header: Accept-Encoding:
deflate, gzip
12:35:38.750698 http.c:779 => Send header: Pragma: no-cache
12:35:38.750699 http.c:779 => Send header: Git-Protocol: version=2
12:35:38.750701 http.c:779 => Send header:
12:35:38.764115 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
Newsession Ticket (4):
12:35:38.764234 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
Newsession Ticket (4):
12:35:38.764247 http.c:820 == Info: old SSL session ID is stale,
removing
12:35:38.774919 http.c:767 <= Recv header, 0000000027 bytes
(0x0000001b)
12:35:38.774944 http.c:779 <= Recv header: HTTP/1.1 401
Unauthorized
NOTE: working version returns
"HTTP/2 401" here.
12:35:38.774947 http.c:767 <= Recv header, 0000000015 bytes
(0x0000000f)
12:35:38.774949 http.c:779 <= Recv header: Server: nginx
12:35:38.774953 http.c:767 <= Recv header, 0000000037 bytes
(0x00000025)
12:35:38.774954 http.c:779 <= Recv header: Date: Tue, 07 May 2024
12:35:38 GMT
12:35:38.774957 http.c:767 <= Recv header, 0000000041 bytes
(0x00000029)
12:35:38.774963 http.c:779 <= Recv header: Content-Type:
text/plain; charset=utf-8
12:35:38.774973 http.c:767 <= Recv header, 0000000021 bytes
(0x00000015)
12:35:38.774977 http.c:779 <= Recv header: Content-Length: 270
12:35:38.774980 http.c:767 <= Recv header, 0000000024 bytes
(0x00000018)
12:35:38.774982 http.c:779 <= Recv header: Connection: keep-alive
12:35:38.774987 http.c:767 <= Recv header, 0000000025 bytes
(0x00000019)
12:35:38.774989 http.c:779 <= Recv header: Cache-Control: no-cache
12:35:38.774991 http.c:767 <= Recv header, 0000000014 bytes
(0x0000000e)
12:35:38.774996 http.c:779 <= Recv header: Vary: Accept
12:35:38.774999 http.c:767 <= Recv header, 0000000040 bytes
(0x00000028)
12:35:38.775001 http.c:779 <= Recv header: WWW-Authenticate: Basic
realm="GitLab"
12:35:38.775007 http.c:767 <= Recv header, 0000000033 bytes
(0x00000021)
12:35:38.775009 http.c:779 <= Recv header: X-Content-Type-Options:
nosniff
12:35:38.775015 http.c:767 <= Recv header, 0000000028 bytes
(0x0000001c)
12:35:38.775018 http.c:779 <= Recv header: X-Download-Options:
noopen
12:35:38.775020 http.c:767 <= Recv header, 0000000029 bytes
(0x0000001d)
12:35:38.775025 http.c:779 <= Recv header: X-Frame-Options:
SAMEORIGIN
12:35:38.775028 http.c:767 <= Recv header, 0000000078 bytes
(0x0000004e)
12:35:38.775033 http.c:779 <= Recv header: X-Gitlab-Meta:
{"correlation_id":"XXXXXXXXXXXXXXXXXXXXXXXXXX","version":"1"}
12:35:38.775036 http.c:767 <= Recv header, 0000000041 bytes
(0x00000029)
12:35:38.775041 http.c:779 <= Recv header:
X-Permitted-Cross-Domain-Policies: none
12:35:38.775044 http.c:767 <= Recv header, 0000000042 bytes
(0x0000002a)
12:35:38.775046 http.c:779 <= Recv header: X-Request-Id:
XXXXXXXXXXXXXXXXXXXXXXXXXX
12:35:38.775051 http.c:767 <= Recv header, 0000000021 bytes
(0x00000015)
12:35:38.775053 http.c:779 <= Recv header: X-Runtime: 0.021434
12:35:38.775056 http.c:767 <= Recv header, 0000000021 bytes
(0x00000015)
12:35:38.775061 http.c:779 <= Recv header: X-Xss-Protection: 0
12:35:38.775064 http.c:767 <= Recv header, 0000000002 bytes
(0x00000002)
12:35:38.775071 http.c:779 <= Recv header:
12:35:38.775087 http.c:820 == Info: Connection #0 to host
git.mycompany.com left intact
remote: HTTP Basic: Access denied. The provided password or token is incorrect
or your account has 2FA enabled and you must use a personal access token
instead of a password. See
https://git.mycompany.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied
fatal: Authentication failed for 'https://git.mycompany.com/myrepo.git/'
_______________________________________________________
Christian
Eggers
Software Engineer
ARRI
Arnold & Richter Cine Technik GmbH & Co. Betriebs KG
Arriweg 17,
83071
Stephanskirchen
www.arri.com
+49 8036 3009-3118
cegg...@arri.de
Arnold & Richter Cine Technik GmbH & Co. Betriebs KG
Sitz: München - Registergericht: Amtsgericht München - Handelsregisternummer:
HRA 57918
Persönlich haftender Gesellschafter: Arnold & Richter Cine Technik GmbH
Sitz: München - Registergericht: Amtsgericht München - Handelsregisternummer:
HRB 54477
Geschäftsführer: Dr. Matthias Erb (Chairman); Lars Weyer; Walter Trauninger
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199093):
https://lists.openembedded.org/g/openembedded-core/message/199093
Mute This Topic: https://lists.openembedded.org/mt/105959618/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
