Fossil Forum

fossil clone without filename with self signed cert causes sqlite_error
Login

fossil clone without filename with self signed cert causes sqlite_error

Chronological

fossil clone without filename with self signed cert causes sqlite_error

(1) By sean (jungleboogie) on 2021-08-18 16:51:45 [source]

Hi,

fossil clone doesn't need the filename argument for when I fossil clone https://pikchr.org, but in the case below, I get a sqlite_error. Perhaps this is because I'm using a self-signed cert?

My preplobby directory is created, but it's empty.

$ fossil clone https://10.7.6.54/preplobby
Round-trips: 2   Artifacts sent: 0  received: 14
Clone done, wire bytes sent: 531  received: 6538  ip: 10.7.6.54
Rebuilding repository meta-data...
  100.0% complete...
Extra delta compression...
Vacuuming the database...
project-id: 21b60158ab987a98be7f273408ae6ae378fffe89
server-id:  46f170fd03940621b7707eab03c81f53b78f6293
admin-user: user (password is "Vir9MadSt2")
opening the new ./preplobby.fossil repository in directory ./preplobby...
Autosync:  https://10.7.6.54/preplobby
Unable to verify SSL cert from 10.7.6.54
  subject: C = US, ST = Nevada, L = Las Vegas, O = user, OU = Provisional CA, CN = localhost
  issuer:  C = US, ST = Nevada, L = Las Vegas, O = user, OU = Provisional CA, CN = localhost
  sha256:  e7ad5c63ebe50b74d196cc37fc123755bc1621c8031127fa5ba3194b3906e0ff
accept this cert and continue (y/N)? y
remember this exception (y/N)? y
SQLITE_ERROR(1): no such table: global_config in "REPLACE INTO global_config(name,value) VALUES('cert:10.7.6.54','e7ad5c63ebe50b74d196cc37fc123755bc1621c8031127fa5ba3194b3906e0ff')"
Database error: no such table: global_config: {REPLACE INTO global_config(name,value) VALUES('cert:10.7.6.54','e7ad5c63ebe50b74d196cc37fc123755bc1621c8031127fa5ba3194b3906e0ff')}

Using Fossil trunk: 

$ fossil version -v
This is fossil version 2.17 [5bb4f12a8f] 2021-08-17 19:44:31 UTC
Compiled on Aug 18 2021 09:34:03 using clang-11.1.0  (64-bit)
Schema version 2015-01-24
Detected memory page size is 4096 bytes
zlib 1.2.11, loaded 1.2.11
hardened-SHA1 by Marc Stevens and Dan Shumow
SSL (LibreSSL 3.4.0)
libfuse 2.6, loaded unknown

On OpenBSD amd64 -current.

(2) By Stephan Beal (stephan) on 2021-08-18 17:47:49 in reply to 1 [link] [source]

SQLITE_ERROR(1): no such table: global_config in "REPLACE INTO global_config(name,value) ...

Not sure this will help, but try setting some global config option first:

fossil config set --global web-browser /usr/bin/true
fossil config unset --global web-browser

That "should" ensure that the config db is in place. If your clone still fails, we then know that the config is in place but is probably not being opened at the right time.

subject: C = US, ST = Nevada, L = Las Vegas, O = user, OU = Provisional CA, CN = localhost

My home town.

(3) By sean (jungleboogie) on 2021-08-18 18:07:27 in reply to 2 [link] [source]

Not sure this will help, but try setting some global config option first:

fossil config set --global web-browser /usr/bin/true

$ fossil config set --global web-browser /usr/bin/true
use --repository or -R to specify the repository database

This doesn't return an error: fossil set --global web-browser /usr/bin/true

But unset doesn't work:

$ fossil unset --global web-browser /usr/bin/true
Usage: fossil unset PROPERTY ?-global?

At any rate, I still get the error when cloning. I'm only guessing the self-signed cert is causing the problems.

My home town.

Yep! I saw that on your homepage a couple years back. I've been here longer than I thought I would be living in the desert. The mountains are very nice to look and explore, though.

(4) By Martin Gagnon (mgagnon) on 2021-08-18 18:19:21 in reply to 3 [link] [source]

But unset doesn't work:

The unset command doesn’t have any argument after the property name. (Remove /usr/bin/true)

(5) By Stephan Beal (stephan) on 2021-08-18 18:25:50 in reply to 3 [link] [source]

But unset doesn't work:

Copy/paste error on my part. Martin's response is correct.

At any rate, I still get the error when cloning. I'm only guessing the self-signed cert is causing the problems.

Maybe, but possibly only indirectly. It's complaining that it can't find the table from the global config (which we know is there because your set worked). i'll poke at it but am unfamiliar with that area of the code so make no promises.

(6) By Stephan Beal (stephan) on 2021-08-18 19:36:52 in reply to 1 [link] [source]

Unable to verify SSL cert from ...

Sean, can you please try adding, directly above this line:

src:/file?ci=trunk&name=src/http_ssl.c&ln=402

This one line:

db_open_config(0, 0);

???

So that block would then look like:

      if( cReply=='y' || cReply=='Y') {
        db_open_config(0, 0); /* THIS IS NEW */
        ssl_remember_certificate_exception(pUrlData, zHash);
      }

i think that's what needs to happen but am not familiar enough with SSL handling to come up with a local reproduction case.

(7) By sean (jungleboogie) on 2021-08-18 21:37:09 in reply to 6 [link] [source]

i think that's what needs to happen but am not familiar enough with SSL handling to come up with a local reproduction case.

Good news!

The code compiles and I'm able to clone the repos.

One peculiar thing is, for each repo I cloned, I needed to accept the same self-signed cert.

I'm fine with you holding off with committing this change so that others can review and see if there's a different approach to take. I was able to clone my repos and that's what I wanted to do today!

(8) By Stephan Beal (stephan) on 2021-08-18 21:43:55 in reply to 7 [link] [source]

The code compiles and I'm able to clone the repos.

:-D

One peculiar thing is, for each repo I cloned, I needed to accept the same self-signed cert.

Hmmm. i'll take a look at that later on but may have to defer that one to someone who's more familiar with the cert handling, namely Richard or Warren.

(9) By Warren Young (wyoung) on 2021-08-18 21:48:58 in reply to 7 [link] [source]

You can save yourself a lot of hassle with self-signed certs if you sign them with a self-created root CA cert with a long lifetime (traditionally 3650 days) that you import into the local CA root trust store. This way, every time you create another cert signed by that root, it's automatically trusted.

When you create the root CA cert, you mark it as only allowed to sign other certs. That is, you deliberately do not give it the ability to do TLS authentication, IPSEC, code signing, S/MIME, etc. When you need such a cert, you sign it with this root cert; the root itself can't act in these roles.

Also, you hide the private half away securely. Only the public half gets inserted into the CA root trust store on each machine you need this to work on.

I have a smart router that does this as part of all the other network geekery it can do, so the private CA root cert lives in only two places: inside that device and in encrypted backups of that device's configuration.

(10) By sean (jungleboogie) on 2021-08-19 15:35:34 in reply to 9 [link] [source]

You can save yourself a lot of hassle with self-signed certs if you sign them with a self-created root CA cert with a long lifetime (traditionally 3650 days) that you import into the local CA root trust store.

Good tip indeed. I setup fossil on windows with stunnel and self sign cert to follow the fossil docs about this setup.

It was no problem setting up or browsing my repos locally, which has been working for at least half a year. I think this was the first time I attempted a clone since the setup.