WOODPECKER_GITEA_SKIP_VERIFY is no effect

[zxcvbnm3057]

Component

server

Describe the bug

I set both WOODPECKER_GITEA_SKIP_VERIFY=true and DRONE_GITEA_SKIP_VERIFY=true in docker environment but still get the error x509: certificate signed by unknown authority . My server is using cert sign by Encryption Everywhere DV TLS CA - G1. Any help?

System Info

{"source":"https://github.com/woodpecker-ci/woodpecker","version":"v0.14.3"}

Additional context

time="2021-12-13T09:27:56Z" level=error msg="cannot authenticate user. Post \"https://******/login/oauth/access_token\": x509: certificate signed by unknown authority"

Validations

• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Check that this is a concrete bug. For Q&A join our Discord Chat Server.

[6543]

since I guess it's about go-gitea/gitea#17964

you have to use the current master branch until v0.15.0 got released - so just stick to latest
(v0.14.* do not support path​ filter for gitea)

[6543]

and I guess the root CAs would need an update so we would have to backport the docker files and rebuild - that should fix it

[zxcvbnm3057]

thanks, I have solved it. That was nginx-proxy.

[zxcvbnm3057]

new error:

time="2021-12-13T20:15:27Z" level=error msg="cannot authenticate user. oauth2: cannot fetch token: 405 Method Not Allowed\nResponse: "

It happened when I confirm the oauth request in gitea

[zxcvbnm3057]

There is also an error report in Gitea log

Completed GET /login/oauth/access_token 405 Method Not Allowed in 204.447µs

[zxcvbnm3057]

and I guess the root CAs would need an update so we would have to backport the docker files and rebuild - that should fix it

That might be. But I still confuse about why WOODPECKER_GITEA_SKIP_VERIFY and DRONE_GITEA_SKIP_VERIFY doesn't work?

[6543]

well they should work for selve signed certs

[deB4SH]

Hi,
tested this feature with the image woodpeckerci/woodpecker-server:v0.15 and WOODPECKER_GITEA_SKIP_VERIFY seems to still have no effect.
The git certificate is signed by my own ca.

{"time":"2022-03-22T17:17:48Z","message":"LogLevel = warn"}
{"level":"error","time":"2022-03-22T17:18:00Z","message":"cannot authenticate user. Post \"https://git.lan/login/oauth/access_token\": x509: certificate signed by unknown authority"}

[pixrl]

Hi, tested this feature with the image woodpeckerci/woodpecker-server:v0.15 and WOODPECKER_GITEA_SKIP_VERIFY seems to still have no effect. The git certificate is signed by my own ca.

{"time":"2022-03-22T17:17:48Z","message":"LogLevel = warn"}
{"level":"error","time":"2022-03-22T17:18:00Z","message":"cannot authenticate user. Post \"https://git.lan/login/oauth/access_token\": x509: certificate signed by unknown authority"}

I confirm that it does not work for me aswell.

{"level":"error","time":"2022-07-20T19:36:04+02:00","message":"cannot authenticate user. Post \"https://git.lan/login/oauth/access_token\": x509: certificate signed by unknown authority"}

woodpecker-server version 0.15.3

[ptpu]

Hey, i have the same issue on that. I'm using step-ca for self-signed certifcates. And setting WOODPECKER_GITEA_SKIP_VERIFY does not have an effect and I get the same error as mentioned above.

[6543]

I just fixed the issue for gitlab ... so I'll now know what to do :)

[metzgerd]

Is this already implemented in the latest / next docker image?
I tried both versions with WOODPECKER_GITEA_SKIP_VERIFY=true but still get the following error message on clone during the pipeline.

+ git fetch --no-tags origin +refs/heads/main:
fatal: unable to access 'https://git.demo.com/test/test.git/': SSL certificate problem: self-signed certificate

[6543]

ah that's a plugin-git thing ... you need a custom clone step too:

• https://woodpecker-ci.org/docs/usage/pipeline-syntax#clone
• https://woodpecker-ci.org/plugins/plugin-git

  settings:
    skip_verify: true

[metzgerd]

Perfect. Thank you. One Step further.
Now it says could not read user name. I will have a deeper look in the documentation.
fatal: could not read Username for 'https://git.demo.com': No such device or address

[6543]

it user netrc to auth ...

[metzgerd]

Thank you for the hint with netrc. Its working with public Repos but not working on private Repos. But I do not know how to troubleshoot.

woodpecker-agent     | {"level":"debug","repo":"test/test","build":"25","id":"89","image":"docker.io/woodpeckerci/plugin-git:latest","stage":"git","time":"2022-09-12T07:42:55Z","message":"log stream opened"}
gitea                | 2022/09/12 07:42:55 [631ee2ff] router: completed GET /test/test.git/info/refs?service=git-upload-pack for 172.18.0.1:0, 401 Unauthorized in 2.1ms @ repo/http.go:532(repo.GetInfoRefs)

[6543]

See what gitea api reports if you get repo info ... it should have private: true but currently there are edgecases where it's not (if org is priv .or limit. and repo set to public, api reports public even if it's not)

[6543]

@metzgerd this is worth it's own issue I'll lock this one now, for chating we have discord or matrix