-
I'd recommend checking out via SSH in this case, as git sslVerify is not secure and configuring OneDev to trust a self-signed certificate is quite verbose.

The simplest is to define a common build user with its own private key, with minimum permissions on the system, and configure this private key as a secret in some root project so that all child projects can inherit it. You may configure authorized branches of the private key secret so that only certain branches can access it. Or you can define a different build user for each project tree if a common user is way too permissive.
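The following is an added example, not code from OneDev or from anyone in this thread. It shows how a build step (for instance a custom image or an Execute Command step, as discussed further down) would consume the dedicated build user's private key recommended above, and how it pins the OneDev host key by host name so that the "host key for IP address ... not in list of known hosts" warning that comes up later in the thread does not matter when the DNS name resolves to several swarm nodes. The environment variable names BUILD_SSH_KEY and ONEDEV_HOST_KEY, the key and host key material, and the directory layout are assumptions; host and port follow the thread's log output.

```shell
#!/bin/sh
# Added example, not OneDev's own code and not from the thread. Assumed (not
# from the page): the job secret reaches the step in $BUILD_SSH_KEY and the
# server's public host key line in $ONEDEV_HOST_KEY.
set -eu

# Sanity-check the PEM armour before ssh has a chance to say "invalid format".
# Accepts OPENSSH, RSA and EC armour; trailing newlines and CRs are tolerated.
key_looks_sane() {
    key=$(printf '%s' "$1" | tr -d '\r')
    first=$(printf '%s\n' "$key" | head -n 1)
    last=$(printf '%s\n' "$key" | tail -n 1)
    case "$first" in "-----BEGIN "*" PRIVATE KEY-----") ;; *) return 1 ;; esac
    case "$last"  in "-----END "*" PRIVATE KEY-----")   ;; *) return 1 ;; esac
}

# Materialise the key and a hostname-keyed known_hosts entry in a job-private
# directory and print the GIT_SSH_COMMAND that forces git to use only them.
setup_ssh_identity() {
    dir=$1 key=$2 hostkey=$3 host=$4 port=$5
    key_looks_sane "$key" || { echo "refusing malformed private key" >&2; return 1; }
    (
        umask 077                       # new files 0600, new directories 0700
        mkdir -p "$dir"
        chmod 700 "$dir"
        # Normalise line endings and guarantee exactly one trailing newline,
        # which OpenSSH's private key parser expects after the END marker.
        printf '%s\n' "$(printf '%s' "$key" | tr -d '\r')" > "$dir/id_build"
        # Non-default ports use the [host]:port form. Keying on the host name
        # (as OneDev does) keeps the pin valid whichever swarm node answers.
        printf '[%s]:%s %s\n' "$host" "$port" "$hostkey" > "$dir/known_hosts"
    )
    # IdentitiesOnly stops ssh from offering agent or ~/.ssh keys of the
    # container user (root in the thread); StrictHostKeyChecking=yes fails
    # closed on an unknown or changed host key; CheckHostIP=no drops the
    # by-IP warning without weakening the hostname-keyed pin.
    printf 'ssh -i %s -o IdentitiesOnly=yes -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes -o CheckHostIP=no' \
        "$dir/id_build" "$dir/known_hosts"
}

# Constructed placeholders (not real key material) used when the assumed job
# variables are absent, so the script runs stand-alone.
SAMPLE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
bm90IGEgcmVhbCBrZXksIGp1c3QgYSBwbGFjZWhvbGRlcgo=
-----END OPENSSH PRIVATE KEY-----'
SAMPLE_HOST_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderHostKeyNotARealOne000000000'

WORK=$(mktemp -d)
GIT_SSH_COMMAND=$(setup_ssh_identity "$WORK" "${BUILD_SSH_KEY:-$SAMPLE_KEY}" \
    "${ONEDEV_HOST_KEY:-$SAMPLE_HOST_KEY}" onedev.example.com 6611)
export GIT_SSH_COMMAND
# With the variable exported, the fetch from the thread uses only this identity:
#   git fetch ssh://onedev.example.com:6611/example/test-project --tags
```

The private key never touches the container user's ~/.ssh, so a step that runs as root (as noted later in the thread) still authenticates as the build user, and the known_hosts file is written by the job rather than relying on whatever the image ships.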
-
State changed from Open to Closed.
-
State changed from Closed to Open.
-
Sorry for the late reply. Using a common build user does not seem to work. I have done the following:

1.) Created user buildbot with code read permissions on all projects
2.) Added an ECDSA public key to buildbot and added the corresponding private key as a job secret to a top-level project (so all others inherit it)
3.) Defined a job with a checkout step and used SSH + the created SSH private key job secret for the buildbot user

Now when running the job there is the following output:

Error:
    16:43:30 Running step "checkout"...
    16:43:30 Checking out code...
    16:43:31 RSA host key for IP address '10.52.12.101' not in list of known hosts.
    16:43:31 Load key "/agent/work/onedev-agent-2/temp/temp8767306572624578319/.ssh/id_rsa": invalid format
    16:43:31 [email protected]: Permission denied (publickey).
    16:43:31 fatal: Could not read from remote repository.
    16:43:31
    16:43:31 Please make sure you have the correct access rights
    16:43:31 and the repository exists.
    Step "checkout" is failed: Failed to run command: git fetch ssh://onedev.example.com:6611/example/test-project --force --quiet 3a4ca090d30f46e379e2f1388fee467da604e501, return code: 128
    RSA host key for IP address '10.10.10.10' not in list of known hosts.
    Load key "/agent/work/onedev-agent-2/temp/temp8767306572624578319/.ssh/id_rsa": invalid format
    [email protected]: Permission denied (publickey).
    fatal: Could not read from remote repository.
    Please make sure you have the correct access rights
    and the repository exists.

1.) The job secret used for the SSH private key is always treated as an RSA key (the job tries to load id_rsa). In my first attempt I actually used an ECDSA key, since I did not know the RSA requirement. However, after replacing the ECDSA key with an RSA key the "invalid format" error continues to exist.
2.) The step runs as user root and thus git checkout will try to create an SSH connection using user root and not user buildbot. So even when fixing 1.) things probably still won't work as it uses the wrong user.
3.) The SSH connect complains that the target host is not a known host. However I am not able to add it since I don't have any control. Actually I would need to add multiple hosts to the list of known hosts because the DNS name resolves to multiple Docker Swarm hosts (port 6611 being an ingress port, so the SSH connect will be routed to the running OneDev instance, regardless of which Docker host it runs on).

Not sure how to continue. I am already thinking about a custom Docker image that does the git checkout into the workspace. However I will probably run into the same issue if using some of the Publish... job steps, right?
-
Please upgrade to 6.3.23 to see if it solves the issue.
-
6.3.23 seems to work. Only the known hosts warning is shown.
But am I right that I have to use an RSA key? Or can elliptic curve based keys be used as well for the checkout step?
-
The ECDSA key will also work. The known host warning is not a problem, as it only means that the ssh client cannot find the host key by IP address. OneDev only populates the host key by host name, which is enough.
-
Ok, verified that ECDSA also works.

However I am still having an issue during the build to access git tags. The build needs to set up some env variables containing information obtained from git, so in my OneDev build I need to retrieve git tags. I have defined a second step of type Execute Command and have been using the bitnami:git image for now (later it will be a custom build environment image). The first command I do is git fetch --all --tags, however it fails with a similar error. Then subsequent errors appear because I need to call git describe --tags:

    13:23:00 running git fetch --all --tags
    13:23:00 Fetching origin
    13:23:01 RSA host key for IP address '10.10.10.10' not in list of known hosts.
    13:23:01 [email protected]: Permission denied (publickey).
    13:23:01 fatal: Could not read from remote repository.
    13:23:01
    13:23:01 Please make sure you have the correct access rights
    13:23:01 and the repository exists.
    13:23:01 error: could not fetch origin
    13:23:01 fatal: No names found, cannot describe anything.
    13:23:01 fatal: No names found, cannot describe anything.

Seems like the credentials are not set up correctly in the second build step?
-
This is now fixed in build #2428
-
State changed from Open to Closed.
-
Just updated OneDev and indeed it works now. Thanks!
| Type | Question |
| Priority | Normal |
| Assignee | |
I have a OneDev installation in Docker and a reverse proxy pointing to OneDev. The reverse proxy provides SSL using a self-signed CA development certificate. This development CA is trusted on developer hosts and thus the server certificate for the reverse proxy is trusted as well.

When I define a build with a checkout step there is a section Clone Credentials containing Default, HTTP(S), SSH.

When using Default the checkout fails with

Can I somehow configure the Default checkout to trust the self-signed CA certificate so that the server HTTPS cert is considered valid? As a last resort an option to tell git not to verify the SSL cert might be needed. However I would prefer to be able to trust a self-signed cert instead of simply ignoring it.

When I choose HTTP(S) I have to define a build secret containing an access token, and choosing SSH asks for a build secret containing a private key. Given that HTTPS generally does not work for now because of the self-signed CA, I would choose SSH for the time being. Which private key should I choose then? What is the best practice? Should I create a new "build" user account which has that private key configured and has access to that (or all) project(s)? When I define an SSH key, then all developers who can trigger builds basically act as a different account and maybe gain access to that private key and may use it to gain access to repositories they should not access? Not quite sure how to configure it in a secure manner.
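The distinction the question draws, trusting the development CA rather than switching verification off, expressed at the git level as an added illustration (not part of the original post and not an OneDev setting; it is what one would put in a gitconfig inside a custom build image). The host name is the one from the thread; the CA file path is an assumption.

```ini
# Last-resort option the question mentions: git stops verifying the server
# certificate for this host, so any certificate, including one presented by
# an interposed proxy, is accepted. Shown commented out on purpose.
# [http "https://onedev.example.com"]
#     sslVerify = false

# Preferred: verification stays on, and only this host is validated against
# the development CA. Path is assumed.
[http "https://onedev.example.com"]
    sslCAInfo = /usr/local/share/ca-certificates/dev-ca.pem
```

Scoping the section to the OneDev URL keeps the default trust store in force for every other host, so the development CA cannot be used to impersonate anything else.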