Issue #4688: 403 Forbidden error when cloning - fedora-infrastructure

fedora-infrastructure

#4688 403 Forbidden error when cloning

Closed: Fixed None Opened 9 years ago by nocnokneo.

= bug description = I recently started getting 403 forbidden errors when trying to clone http://pkgs.fedoraproject.org/git/*.git/ repositories anonymously: $ http_proxy=http://http-proxy.health.ge.com:88 GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone http://pkgs.fedoraproject.org/git/qt5-qtbase.git trace: built-in: git 'clone' 'http://pkgs.fedoraproject.org/git/qt5-qtbase.git' Cloning into 'qt5-qtbase'... trace: run_command: 'git-remote-http' 'origin' 'http://pkgs.fedoraproject.org/git/qt5-qtbase.git' * Couldn't find host pkgs.fedoraproject.org in the .netrc file; using defaults * About to connect() to proxy http-proxy.health.ge.com port 88 (#0) * Trying 3.20.109.241... * Connected to http-proxy.health.ge.com (3.20.109.241) port 88 (#0) > GET http://pkgs.fedoraproject.org/git/qt5-qtbase.git/info/refs?service=git-upload-pack HTTP/1.1 User-Agent: git/1.8.3.1 Host: pkgs.fedoraproject.org Accept: */* Accept-Encoding: gzip Proxy-Connection: Keep-Alive Pragma: no-cache < HTTP/1.1 403 Forbidden < Date: Tue, 17 Mar 2015 13:32:40 GMT < Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips < Content-Length: 230 < Content-Type: text/html; charset=iso-8859-1 < Proxy-Connection: Keep-Alive < Connection: Keep-Alive < Set-Cookie: BC_HA_0cf474d902f19dcd_717A1D67=B4D68F; Domain=.fedoraproject.org; expires=Tue, 17-Mar-15 14:02:40 GMT; Path=/ < * Connection #0 to host http-proxy.health.ge.com left intact fatal: unable to access 'http://pkgs.fedoraproject.org/git/qt5-qtbase.git/': The requested URL returned error: 403 As you can see, I'm behind an HTTP proxy, but this has worked fine up until recently (last week sometime was when I first noticed the problem). whatismpyip.com tells me that my outside-facing IP address is 198.169.188.229. = bug analysis = = fix recommendation =

puiterwijk commented 9 years ago

Hi,

This is a problem with the http checkout url.
Could you please try using the git version?

In the meantime, I will try to see what I can do to fix https checkout.

nocnokneo commented 9 years ago

Unfortunately, I am only allowed to make outbound connections via our HTTP proxy server so the HTTP (and HTTPS) protocol is the only option for me. Did you mean to say "fix the HTTP checkout"? You're right that HTTPS is also not working, but having HTTPS is a much lower priority for me. But in case it helps here's the relevant debug output messages I get when trying to clone over HTTPS: {{{ $ GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone https://pkgs.fedoraproject.org/git/qt5-qtwebsockets.git trace: built-in: git 'clone' 'https://pkgs.fedoraproject.org/git/qt5-qtwebsockets.git' Cloning into 'qt5-qtwebsockets'... trace: run_command: 'git-remote-https' 'origin' 'https://pkgs.fedoraproject.org/git/qt5-qtwebsockets.git' * Couldn't find host pkgs.fedoraproject.org in the .netrc file; using defaults * About to connect() to proxy http-proxy.health.ge.com port 88 (#0) * Trying 3.20.109.241... * Connected to http-proxy.health.ge.com (3.20.109.241) port 88 (#0) * Establish HTTP proxy tunnel to pkgs.fedoraproject.org:443 > CONNECT pkgs.fedoraproject.org:443 HTTP/1.1 Host: pkgs.fedoraproject.org:443 User-Agent: git/1.8.3.1 Proxy-Connection: Keep-Alive Pragma: no-cache < HTTP/1.1 200 Connection Established < Proxy-Agent: Zscaler/5.0 < * Proxy replied OK to CONNECT request * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * Server certificate: * subject: E=buildsys@fedoraproject.org,CN=pkgs.fedoraproject.org,OU=Fedora Builders,O=Fedora Project,ST=North Carolina,C=US * start date: Apr 15 18:43:41 2014 GMT * expire date: Apr 12 18:43:41 2024 GMT * common name: pkgs.fedoraproject.org * issuer: E=admin@fedoraproject.org,CN=Fedora Project CA,OU=Fedora Project CA,O=Fedora Project,L=Raleigh,ST=North Carolina,C=US * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER) * Peer's certificate issuer has been marked as not trusted by the user. * Closing connection 0 fatal: unable to access 'https://pkgs.fedoraproject.org/git/qt5-qtwebsockets.git/': Peer's certificate issuer has been marked as not trusted by the user. }}}

nocnokneo commented 9 years ago

PS - Sorry for the garbled wiki formatting in the ticket description. Here's the debug output with proper wiki preformatting: {{{ $ GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone http://pkgs.fedoraproject.org/git/qt5-qtbase.git trace: built-in: git 'clone' 'http://pkgs.fedoraproject.org/git/qt5-qtbase.git' Cloning into 'qt5-qtbase'... trace: run_command: 'git-remote-http' 'origin' 'http://pkgs.fedoraproject.org/git/qt5-qtbase.git' * Couldn't find host pkgs.fedoraproject.org in the .netrc file; using defaults * About to connect() to proxy http-proxy.health.ge.com port 88 (#0) * Trying 3.20.109.241... * Connected to http-proxy.health.ge.com (3.20.109.241) port 88 (#0) > GET http://pkgs.fedoraproject.org/git/qt5-qtbase.git/info/refs?service=git-upload-pack HTTP/1.1 User-Agent: git/1.8.3.1 Host: pkgs.fedoraproject.org Accept: */* Accept-Encoding: gzip Proxy-Connection: Keep-Alive Pragma: no-cache < HTTP/1.1 403 Forbidden < Date: Tue, 17 Mar 2015 14:06:30 GMT < Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips < Content-Length: 230 < Content-Type: text/html; charset=iso-8859-1 < Proxy-Connection: Keep-Alive < Connection: Keep-Alive < Set-Cookie: BC_HA_0cf474d902f19dcd_717A1D67=B525B3; Domain=.fedoraproject.org; expires=Tue, 17-Mar-15 14:36:30 GMT; Path=/ < * Connection #0 to host http-proxy.health.ge.com left intact fatal: unable to access 'http://pkgs.fedoraproject.org/git/qt5-qtbase.git/': The requested URL returned error: 403 }}}

nocnokneo commented 9 years ago

Any update on this? Anything I can do to help?

kevin commented 9 years ago

It's on our radar, so please be patient and we will get to it when we can...

nocnokneo commented 8 years ago

I think the priority of this issue should be raised to critical. A large percentage Fedora contributors who work in a corporate environment are behind an HTTP proxy which leaves them with zero access to the git repositories due to this issue. Compared to the other major issues that are open right now, this issue seems like it should be a higher priority.

kevin commented 8 years ago

Both http and https git clones should now work.

Please let us know if you see any additional problems.

nocnokneo commented 8 years ago

Thanks, Kevin! Works for me.