Question

I'm hosting a gitblit server on EC2. I've made my own Certificates with Start SSL and I'm able to:

  1. access the gitblit site via https (browser)
  2. clone from localhost (the server itself)

When I'm trying to clone the repository to my pc from the terminal using the mac os git client I get

export GIT_CURL_VERBOSE=1
git clone https://user@mydomain.com/git/testing123.git
cloning into 'testing123'...
* Couldn't find host mydomain.com in the .netrc file; using defaults
* About to connect() to mydomain.com port 443 (#0)
*   Trying xxx.xxx.xxx.xxx...
* Connected to mydomain.com (xxx.xxx.xxx.xxx) port 443 (#0)
* Connected to mydomain.com (xxx.xxx.xxx.xxx) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* Unknown SSL protocol error in connection to mydomain.com:443 
* Closing connection #0
error: Unknown SSL protocol error in connection to mydomain.com:443  while accessing https://user@mydomain.com/git/testing123.git/info/refs
fatal: HTTP request failed

Using openssl I got

OpenSSL> s_client -tls1_2 -connect mydomain.com:443
CONNECTED(00000003)
140735107039708:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1372280840
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
error in s_client

Since I had to create my own keystore because my server does not need to have x11, I stored

serverKeyStore.jks

  • private key for mydomain
  • mydomain class 1 primary intermediate cert
  • startcom CA
  • startcom class 1 primary intermediate CA

serverTrustStore.jks

  • startcom CA
  • startcom class 1 primary client CA
  • startcom class 1 primary server CA

I don't know if this is correct or not. If I had to store myself into the stores to make this work, trust me, I would. I googled so hard that I almost hit the end of the interwebs (and we all know that there's a lot of goatse there x_X). So I don't know what else to do.

Versions:

git 1.7.11.1
OpenSSL 1.0.1e 11 Feb 2013

curl 7.26.0 (x86_64-apple-darwin11.3.0) libcurl/7.26.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.25
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 

Solution

Try commenting out this line

#server.certificateAlias = localhost

or change it to something like the line below

server.certificateAlias = "Your domain cert alias in key store"
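As an added example (not from the question or the answer, and not gitblit's own code), the following script checks the mismatch the answer points at: the alias named by server.certificateAlias must be a PrivateKeyEntry in the keystore, otherwise the server has no certificate to present and clients see exactly the "no peer certificate available" handshake failure shown in the question. The properties fragment and the keytool -list listing are constructed samples; the file names and aliases are assumptions.

```python
import re

# Constructed gitblit.properties fragment with the default line the answer
# says to comment out or change (not a real configuration file).
SAMPLE_PROPERTIES = """\
server.httpsPort = 443
server.certificateAlias = localhost
server.storePassword = changeme
"""

# Constructed `keytool -list -keystore serverKeyStore.jks` output (JDK 7
# style) with the entries the question lists; fingerprints are placeholders.
SAMPLE_KEYTOOL_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

mydomain, Jun 26, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD
mydomain intermediate, Jun 26, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44
startcom ca, Jun 26, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 55:66:77:88
startcom class 1 intermediate, Jun 26, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 99:AA:BB:CC
"""

def configured_alias(properties_text):
    """Value of server.certificateAlias, or None if absent or commented out.
    Java Properties keeps surrounding quotes as part of the value, so they
    are returned verbatim here and flagged by the check below."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == "server.certificateAlias":
            return m.group(2).strip()
    return None

def private_key_aliases(keytool_text):
    """Aliases of PrivateKeyEntry entries in `keytool -list` output.
    JKS aliases are case-insensitive, so they are normalised to lower case."""
    aliases = set()
    for line in keytool_text.splitlines():
        m = re.match(r"^([^,]+),.*\b(PrivateKeyEntry|trustedCertEntry)\b", line)
        if m and m.group(2) == "PrivateKeyEntry":
            aliases.add(m.group(1).strip().lower())
    return aliases

def check_certificate_alias(properties_text, keytool_text):
    """Return a list of findings (empty means the alias resolves to a key)."""
    findings = []
    alias = configured_alias(properties_text)
    keys = private_key_aliases(keytool_text)
    if not keys:
        return ["keystore holds no PrivateKeyEntry; nothing can be served"]
    if alias is None:
        return findings  # line commented out: left to gitblit's default
    if alias[:1] in "\"'" and alias[-1:] == alias[:1]:
        findings.append("alias is quoted; Properties would look up %s literally" % alias)
        alias = alias[1:-1]
    if alias.lower() not in keys:
        findings.append("server.certificateAlias=%s is not a PrivateKeyEntry "
                        "(keystore has: %s)" % (alias, ", ".join(sorted(keys))))
    return findings
```

Run against the sample input it reports that `localhost` matches no private key in the keystore, which is the condition the answer's two fixes remove.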

Licensed under: CC-BY-SA with attribution