support authentication with TLS client certificates #451
Labels
No Label
kind/breaking
kind/bug
kind/build
kind/dependency
kind/deployment
kind/docs
kind
enhancement
kind
feature
kind/proposal
kind
question
kind
refactor
kind/security
kind/testing
kind/translation
priority/critical
priority/high
priority/low
priority/medium
reviewed/duplicate
reviewed/invalid
reviewed/wontfix
skip-changelog
status/blocked
status/has-backport
status/has-pull
status/needs-backport
status/needs-feedback
status/needs-reviews
status/wip
upstream/gitea
upstream/sdk
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: gitea/tea#451
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
I've set up a gitea server,
It's local; uses self-signed SSL certs, signed by my local CA. Certs are correctly added to system/OS ssl store.
The gitea instance sits behind an nginx frontend -- UI via https:// in browser works great. As does ssh:// push & clone.
Next, I installed 'tea' cli
When I exec a
login add
,Seems I need to convince
tea
to use system ssl cert store &/or pass specific CA/cert paths.Afaict, no option's available, per
tea login add --help
How do I get tea+SSL for my instance?
discussion not relevant to the feature proposal
tea gives you two options:tea login edit
) to disable certificate validation using theinsecure: true
parameterIf you really need to add this cert to tea only, you could implement that, by adding an option to load a custom cert here
edit: I see you used the
--insecure
flag when registering the login. Are you sure that worked as intended? You may need to specify--insecure true
instead.edit2: Are you saying, that the cert added to the system store was not recognized by tea? That indeed might be an issue. Which OS are you running tea on?
discussion not relevant to the feature proposal
@noerwas mentioned,
They are already.
They're widely used here locally by other tools.
My certs are visible/correct/updated in the trusted store, and usable to fully verify server/app certs
reading the help
doesn't require a value.
& checking, just to be certain,
returns the same error as reported above
If you added your CA to one of these locations (assuming you're on linux), this should not occur, and you shouldn't be needing to specify
--insecure
.Maybe you're hitting the same issue as this person, they also require a client side cert and use a local CA.
This hints either at an issue with your certificates, or maybe, maybe with the golang TLS client in this specific configuration. idk, that's far outside my area.
I just now understood what you're asking for (derived only from the quoted bit above; it would be helpful to be more explicit about your environment and the thing you want to achieve next time).
So you have configured your nginx proxy to require clients to authenticate with a client cert by setting
ssl_verify_client
. And expect tea to send that client certificate to your nginx host.That's indeed not supported:
Turns out, golang's TLS client doesn't implement looking up matching client certs in truststores, they need to be specified manually.
A quick search didn't yield any golang NSS implementations (and we try to avoid using cgo / C dependencies), so I don't think we'll implement that functionality.
(I don't know what trust store you put your client cert into, I'll assume it's NSS).
With much less effort, we could of course add a flag where logins can specify a path to a client certificate.
indeed, sorry for confusing that
aside: you posted a sensitive gitea access_token above, you may want to cycle that.
@noerw
this looks like a start
https://github.com/protosam/go-libnss
that'd be more than good enough.
as long as you can pass the client cert at cmd line, and get the
tea login
working -- and, eventually (in milestone 0.9.0?)tea clone
, etc.&/or perhaps parsing already-existing, host-specific section in
~/.gitconfig
,or a similar
tea
-specificapp.ini
with similar config ...heh, no worries. at this stage, randomized AND completely sacrificial ;-)
Ideally we don't introduce another config location for this stuff, so the NSS aproach would be best in that regard.
Either way, support needs to be added in 2 components:
ssl cert submission mechanism missing for tea?to support authentication with TLS client certificates