Gentoo Forums
[solved] git is broken when called from emerge (ssl ca)

jamapii
l33t


Joined: 16 Sep 2004
Posts: 603

Posted: Tue Sep 15, 2020 1:16 pm    Post subject: [solved] git is broken when called from emerge (ssl ca)

Hi

Sorry for the duplicate, but literally ALL search terms are blocked except for generic meaningless ones (ssl ca).

git works fine. ca-certificates is installed fine. Other installations are even working. Everything is working perfectly, except when emerge calls git on a specific box. Then, a variant of this error comes up:

Code:

git fetch https://github.com/Obsidian-StudiosInc/entrance.git +HEAD:refs/git-r3/HEAD
fatal: unable to access 'https://github.com/Obsidian-StudiosInc/entrance.git/': Problem with the SSL CA cert (path? access rights?)


There is no such thing as a more verbose mode of anything.

As there is no such thing as a git:// or http:// URL, this prevents fetching any and all -9999 ebuilds.

So I did a git config line resulting in:
Code:

# cat /root/.gitconfig
[http]
        sslVerify = false


This works around it for layman (gentoo repositories), but not for -9999 ebuilds.

FEATURES="-usersandbox -userpriv -sandbox -network-sandbox" does nothing to work around it.

I can tell from earlier downloads, it is done as user "portage". So let's try:

Code:

# su portage
# echo $UID
0
# echo $USER
root
# su -l portage
# echo $USER   
root
# echo $UID   
0


Never mind, just fun to mention. ...

Code:
sudo -u portage sh


Works, so it is possible to switch to user portage.

Code:

$ cd   # Necessary
$ git config --global http.sslVerify false


No error message. I don't know where it has been put, but it seems to work.

Code:

# FEATURES="-usersandbox -userpriv -sandbox -network-sandbox" emerge entrance


...

same error message as before.

So, when emerge calls git, it ignores all CA certs, ignores all config, blocks all possible workarounds, and does not work, pointing to ignored CA certs.

Not that it matters, but: unset HTTP_PROXY HTTPS_PROXY http_proxy https_proxy
and no proxy is being used.

How to work around, or how to fix?

thanks


Last edited by jamapii on Sat Sep 19, 2020 8:51 am; edited 1 time in total

Ionen
Veteran


Joined: 06 Dec 2018
Posts: 1456

Posted: Tue Sep 15, 2020 1:38 pm

git uses libcurl for fetching, so curl is what needs looking at

Are you using CURL_SSL=nss by any chance? If so, you may want to see this thread (its topic isn't very clear on what it's about, so it's easy to miss). I recommend removing the gitconfig workaround either way; removing SSL verification is not the right solution.

Hu
Moderator


Joined: 06 Mar 2007
Posts: 16228

Posted: Tue Sep 15, 2020 5:05 pm

If you still need help, please post the output of emerge --verbose --info dev-vcs/git net-misc/curl dev-libs/nss dev-libs/openssl.

Princess Nell
l33t


Joined: 15 Apr 2005
Posts: 828

Posted: Tue Sep 15, 2020 8:54 pm

Sorry about the thread topic, I wanted to be as specific as possible about the underlying reason for the failure.

GIT_CURL_VERBOSE is very handy when investigating git access problems.

jamapii
l33t


Joined: 16 Sep 2004
Posts: 603

Posted: Sat Sep 19, 2020 8:51 am

Thanks a lot everyone, that referenced thread is very informative.

I tried emerge --verbose --info dev-vcs/git net-misc/curl dev-libs/nss dev-libs/openssl and one thing is notable:

Code:

net-misc/curl-7.72.0::gentoo was built with the following:
USE="brotli ftp http2 idn imap ipv6 metalink openssl pop3 progress-meter rtmp samba smtp ssh ssl tftp threads -adns -alt-svc -gnutls -gopher -kerberos -ldap -libressl -mbedtls (-nghttp3) -nss (-quiche) -static-libs -telnet -test (-winssl)" ABI_X86="32 (64) (-x32)" CURL_SSL="nss -gnutls -libressl -mbedtls -openssl (-winssl)"


CURL_SSL=nss but USE=-nss, that doesn't seem to make much sense. So I set USE=nss just for curl. Now emerging nss-pem and curl (maybe overkill but seems correct).

...

With this, git https:// works again, also setting back: git config --global http.sslVerify true
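
Added example, not part of jamapii's post or of Portage: a shell check for the inconsistency found above, a TLS backend selected in CURL_SSL while the same-named USE flag is disabled. The function names are hypothetical; the first sample line is abbreviated from the emerge --info output quoted in the post, the second is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): report curl TLS backends that are
# selected in CURL_SSL while the same-named USE flag is disabled.

# Abbreviated from the emerge --info line quoted in the post above.
SAMPLE_BROKEN='USE="brotli ftp http2 openssl ssl -gnutls -nss (-winssl)" ABI_X86="32 (64) (-x32)" CURL_SSL="nss -gnutls -libressl -mbedtls -openssl (-winssl)"'
# Constructed: the same line after enabling USE=nss for curl.
SAMPLE_FIXED='USE="brotli ftp http2 nss openssl ssl -gnutls (-winssl)" ABI_X86="32 (64) (-x32)" CURL_SSL="nss -gnutls -libressl -mbedtls -openssl (-winssl)"'

# get_var NAME: print the value of the first NAME="..." found on stdin,
# with the parentheses portage puts around forced/masked flags removed.
get_var() {
    sed -nE "s/(^|.*[[:space:]])$1=\"([^\"]*)\".*/\2/p" | head -n 1 | tr -d '()'
}

# Reads emerge --info text on stdin. Prints each enabled CURL_SSL backend
# whose USE flag is off. Returns 0 if consistent, 1 on mismatch, 2 if the
# variables could not be found.
curl_ssl_mismatch() {
    info=$(cat)
    use=$(printf '%s\n' "$info" | get_var USE)
    backends=$(printf '%s\n' "$info" | get_var CURL_SSL)
    [ -n "$use" ] && [ -n "$backends" ] || return 2
    bad=""
    for b in $backends; do
        case $b in -*) continue ;; esac        # backend not selected
        case " $use " in
            *" $b "*) ;;                       # USE flag enabled too
            *) bad="${bad:+$bad }$b" ;;        # selected, but USE has -flag
        esac
    done
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

if bad=$(printf '%s\n' "$SAMPLE_BROKEN" | curl_ssl_mismatch); then
    echo "curl: CURL_SSL and USE agree"
else
    echo "curl: CURL_SSL selects '$bad' but USE disables it"
fi
```

On a live system, pipe the output of emerge --verbose --info net-misc/curl into curl_ssl_mismatch instead of the sample line.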

All times are GMT