Enabling HTTPS broke my Gitea server #363

Closed
opened 2025-11-02 03:20:17 -06:00 by GiteaMirror · 9 comments

Originally created by @donbecker on GitHub (Feb 18, 2017).

  • Gitea version (or commit ref): 1.0.1, windows-4.0-amd64
  • Git version: 2.10.2
  • Operating system: Win Server 2016
  • Database (use [x]):
    • [ ] PostgreSQL
    • [ ] MySQL
    • [x] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [ ] Yes (provide example URL)
    • [ ] No
    • [x] Not relevant
  • Log gist: https://gist.githubusercontent.com/donbecker/e07fd5b6ee4c72b8961dec3babbe1828/raw/e551d9c4bb6dc7e23f8713f938057e9139d5d0f9/gogs.log

Description

- attempted to push from my local workstation to gitea repo for first time via HTTP (I'm using this on a local intranet server).
- this failed even though I cleared all other ssh keys, and entered valid creds for Gitea
- attempted to configure Gitea for HTTPS: https://gogs.io/docs/intro/faqs#how-do-i-set-up-https%3F
- navigating to Gitea I now get a self-signed cert warning, accepting it I get a 500 internal server error.
- attempted to remove HTTPS configuration and revert to previous config, restarted service, I still get a 500 Internal Server error.

GiteaMirror added the type/question label 2025-11-02 03:20:17 -06:00
@donbecker commented on GitHub (Feb 18, 2017):

Strangely enough, the logs don't show the 500 error.

@donbecker commented on GitHub (Feb 18, 2017):

More testing by completely deleting the gitea folder and reinstalling: it seems that almost any change to my config file will cause the server to return 500s upon restarting the service. I've made sure that my gitea directory and all files are owned by the user that the service is running as.

@tboerger commented on GitHub (Feb 18, 2017):

Have you checked the permissions of the certs? Have you verified that the path to your certs is correct? Please show the app.ini.

@donbecker commented on GitHub (Feb 18, 2017):

Hi, I now have Gitea running on Win Server 2016 with a self-signed cert.

  • log into server as Gitea service account

  • generate self signed certs with Gitea.exe:
    Powershell as Admin> cd C:\gitea
    Powershell as Admin> .\gitea.exe cert -ca=true -duration=8760h0m0s -host=(server FQDN)
    -move certs (key.pem & cert.pem) from c:\gitea to c:\gitea\custom\https

  • Fix Folder & Objects owner:
    c:\gitea, right click, security tab, click Advanced
    owner, change -> (domain service account)
    check "replace owner..."
    check "replace all child..."
    click apply

  • Fix Folder & Objects permissions:
    rightclick -> properties -> security -> edit
    CREATOR OWNER: all unchecked except "allow:special permissions", which is checked and greyed out
    SYSTEM: all deny unchecked, all allow checked and greyed out, except "allow:special permissions" which is unchecked
    svcgitea(domain service account): all allow checked, except "allow:special permissions", which is checked and greyed out
    Administrators(servername\Administrators): all deny unchecked, all allow checked and greyed out, except "allow:special permissions" which is unchecked
    Users(servername\Users): all deny unchecked, all allow checked and greyed out, except "allow:write", "allow:full control" and "allow:modify" which are unchecked

  • Update app.ini file [server] section:

[server]
SSH_DOMAIN = localhost
HTTP_PORT = 3000
ROOT_URL = https://(serverFQDN):3000/
DISABLE_SSH = false
SSH_PORT = 22
OFFLINE_MODE = false
PROTOCOL = https
CERT_FILE = C:/gitea/custom/https/cert.pem
KEY_FILE = C:/gitea/custom/https/key.pem

I am now able to access Gitea server over HTTPS (accepting the self signed certificate).

@ghost commented on GitHub (Mar 29, 2018):

I think I've got the same/similar question. My config is:

[server]
APP_DATA_PATH    = /data/gitea
SSH_DOMAIN       = foo.com
HTTP_PORT        = 3000
ROOT_URL         = https://foo.com:3000
DISABLE_SSH      = false
SSH_PORT         = 22
DOMAIN           = foo.com
LFS_START_SERVER = true
LFS_CONTENT_PATH = /data/gitea/lfs
LFS_JWT_SECRET   = ...
OFFLINE_MODE     = false
PROTOCOL = https
CERT_FILE = custom/https/cert.pem
KEY_FILE = custom/https/key.pem
ENABLE_GZIP = true


[database]
PATH     = /data/gitea/gitea.db
DB_TYPE  = sqlite3
HOST     = localhost:3306
NAME     = gitea
USER     = root
PASSWD   =
SSL_MODE = disable

[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER        = file
COOKIE_SECURE = true

setting it to

ROOT_URL         = http://foo.com:3000
#PROTOCOL = https
#CERT_FILE = custom/https/cert.pem
#KEY_FILE = custom/https/key.pem
COOKIE_SECURE = false

works perfectly fine

I have got a cert.pem and key.pem file generated using openssl in the respective folders yet I get foo.com has refused the connection in chrome and safari tells me it can't create a secure connection... (to https://foo.com:3000)

on docker-compose up I get

server_1  | chown: unknown user/group git:git
server_1  | 2018/03/29 23:25:43 [T] AppPath: /app/gitea/gitea
server_1  | 2018/03/29 23:25:43 [T] AppWorkPath: /app/gitea
server_1  | 2018/03/29 23:25:43 [T] Custom path: /data/gitea
server_1  | 2018/03/29 23:25:43 [T] Log path: /data/gitea/log
server_1  | WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping

although this is roughly what I get without https, the ca-certificates warning seems to be an Alpine Linux thing

would appreciate any help! thanks

@lafriks commented on GitHub (Mar 30, 2018):

Is it self-signed certificate or signed with your custom CA certificate?

@ghost commented on GitHub (Mar 30, 2018):

It's self-signed.
The thing that concerns me is that my browsers do not even ask "do you want to trust this..."
And docker-compose up does not report "listening on..." which led me to believe the server might not be starting up properly and my config could be broken.
On the other hand everything seems pretty straightforward so not sure what is going on.

edited to add: I used openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out cert.pem on my server where I deploy the docker image

and more info from the startup in case that helps (I just used weird names, I first wanted to test things out):
The unknown user error, I think, comes from the fact that the user where the /gitea folder is located is not named git, but it works fine for the non-https case anyhow, so I've not yet gone further down that road.

Creating network "gitea_gitea" with the default driver
Creating gitea_server_1
Attaching to gitea_server_1
server_1  | id: unknown user git
server_1  | Mar 30 12:11:17 syslogd started: BusyBox v1.27.2
server_1  | /etc/ssh/sshd_config line 32: Deprecated option UsePrivilegeSeparation
server_1  | Mar 30 12:11:17 sshd[18]: Server listening on :: port 22.
server_1  | Mar 30 12:11:17 sshd[18]: Server listening on 0.0.0.0 port 22.
server_1  | WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
server_1  | chown: unknown user/group git:git
server_1  | 2018/03/30 12:11:17 [T] AppPath: /app/gitea/gitea
server_1  | 2018/03/30 12:11:17 [T] AppWorkPath: /app/gitea
server_1  | 2018/03/30 12:11:17 [T] Custom path: /data/gitea
server_1  | 2018/03/30 12:11:17 [T] Log path: /data/gitea/log
server_1  | WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
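Two posts in this thread describe the same preflight work by hand: donbecker's step list (gitea cert, file ownership, the [server] block with absolute CERT_FILE/KEY_FILE paths) and the config plus openssl command in the post just above. The script below is an added example written for this thread, not Gitea's own code. It parses an app.ini, checks that PROTOCOL, ROOT_URL and COOKIE_SECURE agree, resolves CERT_FILE/KEY_FILE against a base directory you supply (Gitea's configuration cheat sheet says relative paths are taken relative to the custom path from 1.11 on; older releases resolved them against the working directory, and the startup log above shows those are different directories in the Docker image, /app/gitea versus /data/gitea), and reads the PEM labels in those files. That last check matters for the command quoted above: `openssl req -new` without `-x509` writes a certificate signing request, and a TLS server cannot load a CSR as its certificate, so the HTTPS listener never comes up and clients see a refused connection rather than a certificate warning. The ini text, paths and PEM stand-ins are constructed for the example; the file mapping replaces real disk reads so it runs offline.

```python
"""Preflight check for a Gitea HTTPS configuration.

Added example for this thread (not Gitea's own code). It parses the [server]
and [session] sections of an app.ini, checks that PROTOCOL, ROOT_URL and
COOKIE_SECURE agree, resolves CERT_FILE / KEY_FILE and reads the PEM labels
inside them, so a signing request handed in as a certificate is reported
before the service is restarted. Files are passed as a {path: content}
mapping so the check runs offline; swap in Path.read_text for a live host.
"""
import configparser
import posixpath
import re

PEM_LABEL = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*$", re.MULTILINE)


def pem_labels(text):
    """Labels of every PEM block in text, in file order (header text only)."""
    return PEM_LABEL.findall(text)


def resolve(path, base_dir):
    """Absolute path for a CERT_FILE/KEY_FILE value. Relative values are joined
    to base_dir, which must be the directory the running Gitea resolves them
    against (its custom path since 1.11, the working directory before that)."""
    if path.startswith("/") or re.match(r"^[A-Za-z]:[/\\]", path):
        return path
    return posixpath.join(base_dir, path)


def check_https_config(ini_text, base_dir, files):
    """Return a list of findings; an empty list means nothing looked wrong."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep Gitea's upper-case keys as written
    cfg.read_string(ini_text)
    server = cfg["server"] if cfg.has_section("server") else {}
    session = cfg["session"] if cfg.has_section("session") else {}
    findings = []

    protocol = server.get("PROTOCOL", "http").lower()
    root_url = server.get("ROOT_URL", "")
    scheme = root_url.split("://", 1)[0].lower() if "://" in root_url else ""
    if scheme and scheme != protocol:
        findings.append(f"ROOT_URL scheme {scheme!r} does not match PROTOCOL {protocol!r}")

    cookie_secure = session.get("COOKIE_SECURE", "false").lower() == "true"
    if cookie_secure and protocol != "https":
        findings.append("COOKIE_SECURE = true on a plain-HTTP site: browsers never send the session cookie")
    if protocol == "https" and not cookie_secure:
        findings.append("COOKIE_SECURE is false although the site is served over HTTPS")
    if protocol != "https":
        return findings

    # With PROTOCOL = https both files must exist and hold the right PEM type.
    for key, expected in (("CERT_FILE", "CERTIFICATE"), ("KEY_FILE", "PRIVATE KEY")):
        value = server.get(key, "")
        if not value:
            findings.append(f"{key} is not set although PROTOCOL = https")
            continue
        path = resolve(value, base_dir)
        if path not in files:
            findings.append(f"{key} = {value!r} resolves to {path!r}, which does not exist")
            continue
        labels = pem_labels(files[path])
        if not labels:
            findings.append(f"{path} contains no PEM block")
        elif not labels[0].endswith(expected):
            findings.append(f"{path}: first PEM block is {labels[0]!r}, expected {expected}")
    return findings


# Constructed inputs: the [server]/[session] values quoted in the thread plus
# PEM stand-ins (headers with a truncated body; real files carry full base64).
GHOST_INI = """\
[server]
ROOT_URL  = https://foo.com:3000
PROTOCOL  = https
CERT_FILE = custom/https/cert.pem
KEY_FILE  = custom/https/key.pem

[session]
COOKIE_SECURE = true
"""
PLAIN_HTTP_INI = """\
[server]
ROOT_URL  = http://foo.com:3000
#PROTOCOL = https

[session]
COOKIE_SECURE = true
"""
CERT = "/data/gitea/custom/https/cert.pem"
KEY = "/data/gitea/custom/https/key.pem"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...\n-----END PRIVATE KEY-----\n"
# What `openssl req -new ... -out cert.pem` writes when -x509 is left out.
CSR_FILES = {CERT: "-----BEGIN CERTIFICATE REQUEST-----\nMIICpDCCAYwC...\n-----END CERTIFICATE REQUEST-----\n", KEY: KEY_PEM}
GOOD_FILES = {CERT: "-----BEGIN CERTIFICATE-----\nMIIDazCCAlOg...\n-----END CERTIFICATE-----\n", KEY: KEY_PEM}

if __name__ == "__main__":
    for name, ini, base, files in (
        ("csr handed in as cert", GHOST_INI, "/data/gitea", CSR_FILES),
        ("wrong base dir", GHOST_INI, "/app/gitea", GOOD_FILES),
        ("http + secure cookie", PLAIN_HTTP_INI, "/data/gitea", GOOD_FILES),
        ("good", GHOST_INI, "/data/gitea", GOOD_FILES),
    ):
        print(f"{name}: {check_https_config(ini, base, files) or 'ok'}")
```

Run it before restarting the service after any [server] change: a non-empty finding list points at the line to fix, and an empty list means the certificate file really is a certificate, the key file really is a key, and the cookie and URL settings match the protocol actually served.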
@ghost commented on GitHub (Mar 30, 2018):

I also tried a simple golang FileServer with https and self signed certificates and it worked so it does not seem to be an issue with my browser either.

@ghost commented on GitHub (Apr 1, 2018):

... anyone? 💬

Reference: github-starred/gitea#363