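What to do when git on Debian 9 fails to clone with "gnutls_handshake() failed"

Notes from when I tried to clone a repository from my self-hosted GitLab and it failed with
"gnutls_handshake() failed: Public key signature verification has failed."

Cause

According to the linked source, this appears to be a problem with how gnutls behaves.

I am not trying to use it behind a proxy in particular, so maybe the HTTPS connection with a self-signed certificate is what it dislikes...

Fix

Rebuilding git against OpenSSL seems to fix it, so
download the git source package and libcurl4-openssl-dev and build git yourself.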


xxxx@xxxx:~/src/git-oepnssl$ apt source git
Reading package lists... Done
NOTICE: 'git' packaging is maintained in the 'Git' version control system at:
https://repo.or.cz/r/git/debian.git/
Please use:
git clone https://repo.or.cz/r/git/debian.git/
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 4,729 kB of source archives.
Get:1 http://security.debian.org stretch/updates/main git 1:2.11.0-3+deb9u2 (dsc) [2,901 B]
Get:2 http://security.debian.org stretch/updates/main git 1:2.11.0-3+deb9u2 (tar) [4,198 kB]
Get:3 http://security.debian.org stretch/updates/main git 1:2.11.0-3+deb9u2 (diff) [528 kB]
Fetched 4,729 kB in 0s (5,288 kB/s)
dpkg-source: info: extracting git in git-2.11.0
dpkg-source: info: unpacking git_2.11.0.orig.tar.xz
dpkg-source: info: unpacking git_2.11.0-3+deb9u2.debian.tar.xz
dpkg-source: info: applying 0001-pre-rebase-hook-capture-documentation-in-a-here-docum.diff
dpkg-source: info: applying Normalize-generated-asciidoc-timestamps-with-SOURCE_D.diff
dpkg-source: info: applying git-gui-Sort-entries-in-optimized-tclIndex.diff
dpkg-source: info: applying xdiff-Do-not-enable-XDL_FAST_HASH-by-default.diff
dpkg-source: info: applying shell-disallow-repo-names-beginning-with-dash.patch
dpkg-source: info: applying connect-reject-ssh-hostname-that-begins-with-a-dash.diff
dpkg-source: info: applying t5813-add-test-for-hostname-starting-with-dash.diff
dpkg-source: info: applying connect-factor-out-looks-like-command-line-option-che.diff
dpkg-source: info: applying connect-reject-dashed-arguments-for-proxy-commands.diff
dpkg-source: info: applying connect-reject-paths-that-look-like-command-line-opti.diff
dpkg-source: info: applying cvsserver-move-safe_pipe_capture-to-the-main-package.diff
dpkg-source: info: applying cvsserver-use-safe_pipe_capture-instead-of-backticks.diff
dpkg-source: info: applying cvsserver-use-safe_pipe_capture-for-constant-commands.diff
dpkg-source: info: applying shell-drop-git-cvsserver-support-by-default.diff
dpkg-source: info: applying archimport-use-safe_pipe_capture-for-user-input.diff
dpkg-source: info: applying cvsimport-shell-quote-variable-used-in-backticks.diff

xxxx@xxxx:~/src/git-oepnssl$ sudo apt build-dep git
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
libcurl4-openssl-dev
The following NEW packages will be installed:
libcurl4-gnutls-dev
0 upgraded, 1 newly installed, 1 to remove and 0 not upgraded.
Need to get 0 B/371 kB of archives.
After this operation, 6,144 B disk space will be freed.
Do you want to continue? [Y/n] yes
(Reading database ... 419021 files and directories currently installed.)
Removing libcurl4-openssl-dev:amd64 (7.52.1-5) ...
Selecting previously unselected package libcurl4-gnutls-dev:amd64.
(Reading database ... 419000 files and directories currently installed.)
Preparing to unpack .../libcurl4-gnutls-dev_7.52.1-5_amd64.deb ...
Unpacking libcurl4-gnutls-dev:amd64 (7.52.1-5) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up libcurl4-gnutls-dev:amd64 (7.52.1-5) ...

xxxx@xxxx:~/src/git-oepnssl$ sudo apt install libcurl4-openssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
libcurl4-doc libcurl3-dbg libidn11-dev libkrb5-dev librtmp-dev libssh2-1-dev libssl1.0-dev | libssl-dev
The following packages will be REMOVED:
libcurl4-gnutls-dev
The following NEW packages will be installed:
libcurl4-openssl-dev
0 upgraded, 1 newly installed, 1 to remove and 0 not upgraded.
Need to get 0 B/373 kB of archives.
After this operation, 6,144 B of additional disk space will be used.
Do you want to continue? [Y/n] yes
(Reading database ... 419024 files and directories currently installed.)
Removing libcurl4-gnutls-dev:amd64 (7.52.1-5) ...
Selecting previously unselected package libcurl4-openssl-dev:amd64.
(Reading database ... 419000 files and directories currently installed.)
Preparing to unpack .../libcurl4-openssl-dev_7.52.1-5_amd64.deb ...
Unpacking libcurl4-openssl-dev:amd64 (7.52.1-5) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up libcurl4-openssl-dev:amd64 (7.52.1-5) ...

Edit debian/control in the git source package and
replace every occurrence of libcurl4-gnutls-dev with libcurl4-openssl-dev.


xxxx@xxxx:~/src/git-oepnssl$ head git-2.11.0/debian/control
Source: git
Section: vcs
Priority: optional
Maintainer: Gerrit Pape pape@smarden.org
Uploaders: Jonathan Nieder jrnieder@gmail.com, Anders Kaseorg andersk@mit.edu
Build-Depends: libz-dev, libpcre3-dev, gettext,
libcurl4-gnutls-dev (<- change this to libcurl4-openssl-dev), libexpat1-dev, subversion, libsvn-perl, libyaml-perl, tcl, libhttp-date-perl | libtime-modules-perl,

cd into git-2.11.0 and build.
(On my humble i5 x220 this took about 10 minutes...)


xxxx@xxxx:~/src/git-oepnssl/git-2.11.0$ dpkg-buildpackage -rfakeroot -b -us -uc -j4

If the build succeeds, *.deb files are produced; install with dpkg as usual.

xxxx@xxxx:~/src/git-oepnssl$ sudo dpkg -i git_2.11.0-3+deb9u2_amd64.deb

For now, this got git clone working again.
But since GitHub never had a problem in the first place, maybe the certificate on my self-hosted GitLab is at fault.
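
The debian/control edit and a post-install check can be scripted as below. This is an added example, not part of the original post. It assumes Debian's library naming (libcurl-gnutls.so.4 for the GnuTLS build of libcurl, libcurl.so.4 for the OpenSSL build) and the usual Debian path /usr/lib/git-core/git-remote-https. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: helpers for the rebuild procedure described above.

# Replace the GnuTLS libcurl build dependency in a debian/control file ($1).
# Returns non-zero if the file never mentioned libcurl4-gnutls-dev, so a
# wrong path or an already-patched tree is noticed before a 10-minute build.
patch_control() {
    control=$1
    grep -q 'libcurl4-gnutls-dev' "$control" || return 1
    sed 's/libcurl4-gnutls-dev/libcurl4-openssl-dev/g' "$control" \
        > "$control.new" || return 1
    mv "$control.new" "$control" || return 1
    # Succeed only if no reference to the GnuTLS package is left.
    ! grep -q 'libcurl4-gnutls-dev' "$control"
}

# Read `ldd` output on stdin and report which libcurl flavour is linked.
# Assumption: Debian's soname scheme (see lead-in).
curl_backend() {
    awk '
        /libcurl-gnutls\.so/ { b = "gnutls" }
        /libcurl-nss\.so/    { b = "nss" }
        /libcurl\.so/        { b = "openssl" }
        END { print (b == "" ? "unknown" : b) }
    '
}

# Check the installed HTTPS helper; prints gnutls, nss, openssl or unknown.
# Optional $1 overrides the helper path (default: usual Debian location).
installed_git_backend() {
    helper=${1:-/usr/lib/git-core/git-remote-https}
    [ -x "$helper" ] || { echo "unknown"; return 1; }
    ldd "$helper" | curl_backend
}

# Typical use, from the directory that contains git-2.11.0:
#   patch_control git-2.11.0/debian/control && echo "control patched"
#   ... build and install the package as shown above ...
#   installed_git_backend     # expect "openssl" after the rebuilt .deb
```

A later git update from the Debian archive installs the stock GnuTLS-linked build again, so rerun installed_git_backend after upgrades.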
