libgit2 / libgit2sharp

Git + .NET = ❤

Home Page:http://libgit2.github.com


Running libgit2sharp on Ubuntu 22.04 Arm64 got `LibGit2Sharp.LibGit2SharpException: the SSL certificate is invalid`

BiDuang opened this issue · comments

Reproduction steps

Try to clone a repository on Ubuntu Arm64, then I got this exception.

Expected behavior

On Windows, it works fine: a repository has been cloned.

Actual behavior

Exception:

```
LibGit2Sharp.LibGit2SharpException: the SSL certificate is invalid
   at LibGit2Sharp.Core.Ensure.HandleError(Int32 result) in /_/LibGit2Sharp/Core/Ensure.cs:line 154
   at LibGit2Sharp.Core.Ensure.ZeroResult(Int32 result) in /_/LibGit2Sharp/Core/Ensure.cs:line 172
   at LibGit2Sharp.Core.Proxy.git_clone(String url, String workdir, GitCloneOptions& opts) in /_/LibGit2Sharp/Core/Proxy.cs:line 279
   at LibGit2Sharp.Repository.Clone(String sourceUrl, String workdirPath, CloneOptions options) in /_/LibGit2Sharp/Repository.cs:line 793
```

Version of LibGit2Sharp (release number or SHA1)

0.28.0 and 0.29.0 (latest)

Operating system(s) tested; .NET runtime tested

Ubuntu 22.04 LTS Arm64, .NET8.0

And I have already checked my system's ca-certificates, it's up-to-date.

I don't have access to ARM64 hardware, so it's going to be tricky to figure out why this might be happening.

Is there a version of LibGit2Sharp that did work for you, or is this the first time you've tried it?

> I don't have access to ARM64 hardware, so it's going to be tricky to figure out why this might be happening.

I've also tested it on Ubuntu-x64, and it's not working there either. But adding an env var could help with this:

```
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
```

> Is there a version of LibGit2Sharp that did work for you, or is this the first time you've tried it?

I'm not sure if there is a version that suits me. Is it possible for LibGit2Sharp to add a feature allowing users to use their local certificates?

What repo are you trying to clone? Does it not have a certificate that should be trusted?

> Is it possible for LibGit2Sharp to add a feature allowing users to use their local certificates?

If you look at the FetchOptions in the CloneOptions, you'll see that there is a CertificateCheck delegate, which lets you control certificate validation.

> What repo are you trying to clone? Does it not have a certificate that should be trusted?

The repo is https://git.cinogama.net/cinogamaproject/woolang
It's valid: `subject=CN = git.cinogama.net issuer=C = CN, O = "TrustAsia Technologies, Inc.", CN = TrustAsia RSA DV TLS CA G2`

> If you look at the FetchOptions in the CloneOptions, you'll see that there is a CertificateCheck delegate, which lets you control certificate validation.

Okay, I will check it, thanks!

I just tried cloning that repo on Windows and Ubuntu 22.04 via WSL (x64 for both) and everything is working fine for me.

So it might be a problem with my configuration...

```csharp
var repoGitPath = Repository.Clone("https://git.cinogama.net/cinogamaproject/woolang.git", CachePath,
    new CloneOptions
    {
        BranchName = "release",
        Checkout = true,
        RecurseSubmodules = true,
        OnProgress = ProgressEvent
    });
```

Then this might be a problem with the ARM version of the system.

> So it might be a problem with my configuration...
>
> ```csharp
> var repoGitPath = Repository.Clone("https://git.cinogama.net/cinogamaproject/woolang.git", CachePath,
>     new CloneOptions
>     {
>         BranchName = "release",
>         Checkout = true,
>         RecurseSubmodules = true,
>         OnProgress = ProgressEvent
>     });
> ```

Go ahead and try the FetchOptions.CertificateCheck that I mentioned. That should let you return true and make the https connection even if the system doesn't trust the certificate for whatever reason.

> > So it might be a problem with my configuration...
> >
> > ```csharp
> > var repoGitPath = Repository.Clone("https://git.cinogama.net/cinogamaproject/woolang.git", CachePath,
> >     new CloneOptions
> >     {
> >         BranchName = "release",
> >         Checkout = true,
> >         RecurseSubmodules = true,
> >         OnProgress = ProgressEvent
> >     });
> > ```
>
> Go ahead and try the FetchOptions.CertificateCheck that I mentioned. That should let you return true and make the https connection even if the system doesn't trust the certificate for whatever reason.

```csharp
var repoGitPath = Repository.Clone("https://git.cinogama.net/cinogamaproject/woolang.git", CachePath,
    new CloneOptions
    {
        BranchName = "release",
        Checkout = true,
        RecurseSubmodules = true,
        OnProgress = ProgressEvent,
        FetchOptions = new FetchOptions
        {
            CertificateCheck = (_, _, _) => true
        }
    });
```

But if I skipped the local SSL certs check, would doing this lead to security issues?

> But if I skipped the local SSL certs check, would doing this lead to security issues?

That's not really a question I can answer. It depends entirely on your use case. If you're only ever cloning that one repo, for example, and you trust the certificate, then it doesn't really matter if the system you're running it on can validate it or not.

On the other hand, if you're writing a tool that others can use to connect to any arbitrary URL, then you're losing any sort of verification that the user is talking to the site they think they are connecting to.

The certificate check handler does pass in the certificate in question, so you could always write logic that looks at the certificate and validates it against a list of certificates manually maintained by you.

Have you tried cloning any other repos? For example, what about a repo from GitHub? I'd be curious to see if you have the same problem with other sites.
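
One way to implement the manually maintained list described in the comment above, as an added example (not code from LibGit2Sharp or from anyone in this thread). The class name `PinnedClone` is hypothetical, the fingerprint is a placeholder to be replaced with a value recorded out of band, and the `FetchOptions` assignment follows the snippet posted earlier in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using LibGit2Sharp;

static class PinnedClone
{
    // Host -> allowed SHA-256 fingerprints (hex) of the server's leaf certificate.
    // The fingerprint below is a placeholder, not a real value.
    static readonly Dictionary<string, HashSet<string>> Pins =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["git.cinogama.net"] = new(StringComparer.OrdinalIgnoreCase)
            {
                "<SHA256-FINGERPRINT-HEX-PLACEHOLDER>"
            }
        };

    // Matches LibGit2Sharp.Handlers.CertificateCheckHandler.
    static bool CheckCertificate(Certificate certificate, bool valid, string host)
    {
        // The native TLS backend already validated the chain: accept as usual.
        if (valid) return true;

        // Validation failed: accept only hosts we explicitly pinned.
        if (!Pins.TryGetValue(host, out var allowed)) return false;

        // Only X.509 (HTTPS) certificates are handled; SSH host keys are rejected.
        if (certificate is not CertificateX509 x509 || x509.Certificate is null)
            return false;

        // Hash the DER encoding of the presented certificate and compare to the pins.
        byte[] der = x509.Certificate.GetRawCertData();
        string fingerprint = Convert.ToHexString(SHA256.HashData(der));
        return allowed.Contains(fingerprint);
    }

    public static string Clone(string url, string workdir) =>
        Repository.Clone(url, workdir, new CloneOptions
        {
            FetchOptions = new FetchOptions { CertificateCheck = CheckCertificate }
        });
}
```

Unlike `(_, _, _) => true`, this rejects any certificate that is neither trusted by the system nor on the pin list. A pinned leaf fingerprint has to be updated whenever the server renews its certificate.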

> Have you tried cloning any other repos? For example, what about a repo from GitHub? I'd be curious to see if you have the same problem with other sites.

Well, it should be the system's problem:

[image]