GitLab SSL handshake error when doing a Git pull/clone with TortoiseGit and Ansible

Reposted. Author: 太空狗. Updated: 2023-10-29 14:11:59

I am hoping for some pointers on a problem I am having with a fresh GitLab install running on RHEL 7. I configured GitLab to use SSL and can browse to our server in a web browser using https://servername.domainname. That works fine, but any kind of Git clone or pull over https fails with an SSL error.

When doing a Git clone with TortoiseGit on Windows (latest version) I get the error "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure", and when using Ansible Tower I get "Peer's Certificate issuer is not recognized."

I have tried editing GitLab's gitlab.rb file to allow various SSL ciphers and versions, but nothing seems to have any effect (and I would rather not allow weak ciphers or vulnerable SSL versions anyway).

The SSL certificate used for GitLab is a GoDaddy certificate, not a self-signed one.

The Nginx section of my gitlab.rb file is as follows (sorry, I know it is long):

################
# GitLab Nginx #
################
## see: https://gitlab.com/gitlab-org/omnibus-gitlab/tree/master/doc/settings/nginx.md

nginx['enable'] = true
# nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true
ci_nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.cer" # Most root CA's are included by default
nginx['ssl_certificate'] = "/etc/gitlab/ssl/sslcert.cer"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/sslcert.key"
nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
# nginx['listen_addresses'] = ['*']
# nginx['listen_port'] = nil # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
# nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
# nginx['proxy_read_timeout'] = 300
# nginx['proxy_connect_timeout'] = 300
# nginx['proxy_set_headers'] = {
# "Host" => "$http_host",
# "X-Real-IP" => "$remote_addr",
# "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
# "X-Forwarded-Proto" => "https",
# "X-Forwarded-Ssl" => "on"
# }
# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
# nginx['proxy_cache'] = 'gitlab'
# nginx['http2_enabled'] = true

## Advanced settings
# nginx['dir'] = "/var/opt/gitlab/nginx"
nginx['log_directory'] = "/var/log/gitlab/nginx"
# nginx['worker_processes'] = 4
# nginx['worker_connections'] = 10240
# nginx['log_format'] = '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
# nginx['sendfile'] = 'on'
# nginx['tcp_nopush'] = 'on'
# nginx['tcp_nodelay'] = 'on'
# nginx['gzip'] = "on"
# nginx['gzip_http_version'] = "1.0"
# nginx['gzip_comp_level'] = "2"
# nginx['gzip_proxied'] = "any"
# nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
# nginx['keepalive_timeout'] = 65
# nginx['cache_max_size'] = '5000m'

Apart from these settings my gitlab.rb file is pretty much default (LDAP is configured).

Running curl from my Ansible server (RHEL 7, latest curl version):

 curl -v https://gitlabserver.domain.com
* About to connect() to gitlabserver.domain.com port 443 (#0)
* Trying ip address...
* Connected to gitlabserver.domain.com (ipaddress) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

Are there any other tests I can run to help diagnose the https problem with the Git clone process?

Best answer

Better late than never: I ran into the same problem and solved it by concatenating the intermediate certificate from my CA and my .crt into one combined .crt, which nginx then uses.

More information here: https://www.digicert.com/ssl-certificate-installation-nginx.htm
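The fix in the answer, as an added example that is not part of the original post: a small POSIX shell script that builds the combined certificate file nginx expects (server certificate first, then the CA intermediates), checks that every input really is a PEM certificate, and shows how to count the certificates a server actually serves. File names such as gd_bundle.crt are assumed placeholders for the GoDaddy intermediate bundle.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumed inputs:
#   /etc/gitlab/ssl/sslcert.cer   - the server (leaf) certificate
#   /etc/gitlab/ssl/gd_bundle.crt - the CA intermediate bundle (placeholder name)

# Count PEM certificate blocks in the given files, or on stdin with no args.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$@"
}

# Write leaf + intermediates, in that order, to the output file.
# nginx requires the server certificate to come first; a wrong order or a
# missing intermediate is what produces "issuer not recognized" on clients.
# Refuses any input that is not a PEM certificate. Prints the block count.
build_chain_file() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        if [ "$(count_pem_certs "$f")" -lt 1 ]; then
            echo "not a PEM certificate: $f" >&2
            return 1
        fi
        cat "$f" >> "$out"
        # add a newline if the file lacks one, so BEGIN/END markers never fuse
        if [ -n "$(tail -c1 "$f")" ]; then
            echo >> "$out"
        fi
    done
    count_pem_certs "$out"
}

# How many certificates the live server sends. A public-CA site that returns
# 1 is almost certainly missing its intermediate (the symptom in this thread).
served_chain_length() {
    openssl s_client -showcerts -servername "$1" -connect "$1:443" \
        </dev/null 2>/dev/null | count_pem_certs
}

# Offline check that the leaf chains through the intermediates to a trusted root.
verify_chain() {
    openssl verify -untrusted "$2" "$1"
}

# Typical use on the GitLab host (then point nginx['ssl_certificate'] at it):
#   build_chain_file /etc/gitlab/ssl/combined.crt \
#       /etc/gitlab/ssl/sslcert.cer /etc/gitlab/ssl/gd_bundle.crt
#   verify_chain /etc/gitlab/ssl/sslcert.cer /etc/gitlab/ssl/gd_bundle.crt
#   served_chain_length gitlabserver.domain.com
```

After rebuilding the file, run `gitlab-ctl reconfigure` so the Omnibus nginx picks up the new certificate path.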

Regarding the GitLab SSL handshake error when doing a Git pull/clone with TortoiseGit and Ansible, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/37176678/
