Federation request using https/ssl protocol #466

Closed
gitblit opened this issue Aug 12, 2015 · 13 comments
Comments


gitblit commented Aug 12, 2015

Originally reported on Google Code with ID 170

What steps will reproduce the problem?
1. I use two blit-servers on two different machines: blit-server A for pushing repositories and blit-server B as a backup of server A using the federation mechanism. Using the http protocol without SSL everything works fine, but after changing from http to https it doesn't work anymore.


What is the expected output? 
The backup server B receives the repositories.

What do you see instead?
INFO  Federation PULL_REPOSITORIES request from 192.168.248.130
INFO  4 repository models loaded for $gitblit in 0 msecs
WARN  192.168.248.130:1195 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

The backup server B does not receive the repositories.


What version of the product are you using? On what operating system?
gitblit 1.1.0, windows xp

Please provide any additional information below.

Reported by marbod.hopfner on 2012-11-22 14:26:12


gitblit commented Aug 12, 2015

The web browser GUI in both directions for each machine works fine using the https protocol.

Reported by marbod.hopfner on 2012-11-22 14:28:47


gitblit commented Aug 12, 2015

Because backup server B is a git client, the same rules apply for SSL verification. Backup server B requires:

git config [--global] http.sslVerify false

see http://gitblit.com/setup.html (bottom of page)

Reported by James.Moger on 2012-11-22 14:49:37


gitblit commented Aug 12, 2015

Hm, but on server B I don't have git installed; I just use blit-server B. So where do I have to enter "git config [--global] http.sslVerify false"?

I also don't use Eclipse/EGit/JGit as described in http://gitblit.com/setup.html (bottom of page), so which window do I have to open in order to set:

    Window->Preferences->Team->Git->Configuration
    Click the New Entry button

    Key = http.sslVerify
    Value = false

thanks a lot and kind regards,
mh

Reported by marbod.hopfner on 2012-11-22 15:41:56


gitblit commented Aug 12, 2015

The simplest thing to do is to install git and use the --global variant of the command.
Otherwise, you will have to manually create the global config file.

Unfortunately, JGit does not have an API which allows me to automatically force the
equivalent of http.sslVerify=false.

Reported by James.Moger on 2012-11-22 16:17:51


gitblit commented Aug 12, 2015

Now I installed git 1.8.0 on both servers A and B and entered the command "git config --global --bool --add http.sslVerify false" in the git-bash. The .gitconfig file now contains the corresponding lines.

But I still get the following message on server A (the origin gitblit-server):

INFO  Federation PULL_REPOSITORIES request from 192.168.248.130
INFO  4 repository models loaded for $gitblit in 15 msecs
WARN  192.168.248.130:1047 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

And on the pulling server B, I get a lot of messages:

INFO  Pulling federated repository repo.git from 1921682481298443 @ https://192.168.248.129:8443
ERROR Failed to pull from federated gitblit (1921682481298443 @ https://192.168.248.129:8443)
org.eclipse.jgit.api.errors.TransportException: https://192.168.248.129:8443/git/repo.git: cannot open git-upload-pack
        at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:137)
        at com.gitblit.utils.JGitUtils.fetchRepository(JGitUtils.java:251)
        at com.gitblit.utils.JGitUtils.cloneRepository(JGitUtils.java:202)
        at com.gitblit.FederationPullExecutor.pull(FederationPullExecutor.java:220)
        at com.gitblit.FederationPullExecutor.run(FederationPullExecutor.java:106)
        at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
        at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
        at java.util.concurrent.FutureTask.run(Unknown Source)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(Unknown Source)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: org.eclipse.jgit.errors.TransportException: https://192.168.248.129:8443/git/repo.git: cannot open git-upload-pack
        at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:467)
        at org.eclipse.jgit.transport.TransportHttp.openFetch(TransportHttp.java:276)
        at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:127)
        at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:113)
        at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1069)
        at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:128)
        ... 12 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at java.net.HttpURLConnection.getResponseCode(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
        at org.eclipse.jgit.util.HttpSupport.response(HttpSupport.java:167)
        at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:430)
        ... 17 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
        at sun.security.util.HostnameChecker.matchIP(Unknown Source)
        at sun.security.util.HostnameChecker.match(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
        ... 32 more
INFO  Next pull of 1921682481298443 @ https://192.168.248.129:8443 scheduled for 2012-11-23 09:47

kind regards, mh

Reported by marbod.hopfner on 2012-11-23 09:02:59


gitblit commented Aug 12, 2015

When you browse to https://192.168.248.129:8443 do you get an SSL error from your browser? Have you generated an SSL certificate for 192.168.248.129? It almost seems like you don't have a certificate for your hostname.

Reported by James.Moger on 2012-11-23 13:57:24


gitblit commented Aug 12, 2015

When I browse to https://192.168.248.129:8443 I get no SSL error from my browser. Everything
works fine on both servers using the browser. I see the gui just as I would use the
non SSL protocol (http) on port 8080. Even pulls and pushes using Git-Extensions, Git
1.8.0 and https on port 8443 from a third pc works fine.

kind regards, mh

Reported by marbod.hopfner on 2012-11-23 16:30:18


gitblit commented Aug 12, 2015

The error here looks like hostname verification failure.

On startup, Gitblit GO generates an SSL certificate for common name (CN) "localhost". This certificate is used for all incoming https connections, unless a matching one is found in the keystore. Firefox, Chrome, IE, etc will all grumble about the self-signed cert with an invalid cn, but you can make them ignore those errors.

Git also has a setting to ignore those errors, http.sslVerify=false.  For native git,
that setting is enough to make git work.  Unfortunately, JGit does not match native
git here.  It still verifies the hostname, which is a bug.  Because of this you must
generate an SSL cert for each hostname you want to serve to JGit clients (like Gitblit
federation, Eclipse, etc).

192.168.248.129 != localhost

It is unclear if you have tried generating a new SSL certificate for "192.168.248.129",
but you need to.  Review the makekeystore.cmd file, modify it, and execute it.  I think
it should work after you do that.


Reported by James.Moger on 2012-11-27 22:33:31


gitblit commented Aug 12, 2015

As far as I know, I've generated my own certificate using makekeystore.cmd, makekeystore_....cmd, and "192.168.248.129" for the one and "192.168.248.130" for the other PC. Unfortunately, I can't check it this week because I'm working in another office, but next week I will check this and give you feedback.
kind regards, mh

Reported by marbod.hopfner on 2012-11-28 08:21:13


gitblit commented Aug 12, 2015

I'm not sure if I've configured my two PCs correctly. Can you give me feedback on whether the following configuration is correct, please?

* Server 192.168.248.129:
- in the "makekeystore.cmd": @SET HOSTNAME=192.168.248.129
- in the "makekeystore_jdk.cmd": @SET HOSTNAME=192.168.248.129

* Server 192.168.248.130:
- in the "makekeystore.cmd": @SET HOSTNAME=192.168.248.130
- in the "makekeystore_jdk.cmd": @SET HOSTNAME=192.168.248.130

The password I used when generating the certificate on each machine is the same; I used the same password for the following parameters in the "gitblit.properties" on each machine, too: federation.passphrase and server.storePassword

I wrote in the "federation.properties" of 192.168.248.130:

federation.1921682481298443.url = https://192.168.248.129:8443
federation.1921682481298443.token = a6e652d897dfdfbb717bead119ad7f215c0a47bd
federation.1921682481298443.mergeAccounts = true
federation.1921682481298443.frequency = 5 mins
federation.1921682481298443.folder = 1921682481298443
federation.1921682481298443.bare = true
federation.1921682481298443.mirror = true
federation.1921682481298443.sendStatus = true
federation.1921682481298443.notifyOnError = false
federation.1921682481298443.exclude = 
federation.1921682481298443.include =

I try to access the server 192.168.248.129 from 192.168.248.130.
I call "java -jar fedclient.jar" in a commandline of 192.168.248.130.

On the server 192.168.248.129, I get the message:
INFO  Federation ALL token = 323a0daf12508a347b37c8de8d52dbf165030883
INFO  Federation USERS_AND_REPOSITORIES token = 3e7002799a51fa78f2cd7f3f9fba9f430a1076c1
INFO  Federation REPOSITORIES token = 8b6aa6797e0231c8fe84fc8760e733bc1d847cdb
INFO  jetty-7.4.3.v20110701
INFO  Extract jar:file:/C:/Blit/gitblit.jar!/ to C:\Blit\temp\webapp
INFO  Shutdown Monitor listening on port 8081
INFO  NO JSP Support for /, did not find org.apache.jasper.servlet.JspServlet
INFO  started o.e.j.w.WebAppContext{/,file:/C:/Blit/temp/webapp/},file:/C:/Blit/gitblit.jar
INFO  [GitBlitWebApp] init: Wicket core library initializer
INFO  [GitBlitWebApp] init: Wicket extensions initializer
INFO  [GitBlitWebApp] Started Wicket version 1.4.20 in deployment mode
INFO  Started SelectChannelConnector@192.168.248.129:8080 STARTING
INFO  Started SslSelectChannelConnector@192.168.248.129:8443 STARTING
INFO  Federation PULL_REPOSITORIES request from 192.168.248.130
INFO  4 repository models loaded for $gitblit in 16 msecs
WARN  192.168.248.130:1080 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

and on 192.168.248.130, I get the message:

C:\Blit>java -jar fedclient.jar
Gitblit Federation Client v1.1.0 (2012-08-25)
INFO  Reading configuration from C:\Blit\federation.properties
INFO  Git repositories folder C:\Repository
INFO  Identifying available repositories...
INFO  5 repositories identified with calculated folder sizes in 172 msecs
INFO  JVM timezone is Europe/Berlin (MEZ +0100)
INFO  Gitblit timezone is Europe/Berlin (MEZ +0100)
INFO  Setting up user service GitblitUserService
INFO  GUS delegating to ConfigUserService(C:\Blit\users.conf)
WARN  Mail server is not properly configured.  Mail services disabled.
INFO  Lucene executor is scheduled to process indexed branches every 2 minutes.
INFO  Pulling federated repository rep_hopfner.git from 1921682481298443 @ https://192.168.248.129:8443
ERROR Failed to pull from federated gitblit (1921682481298443 @ https://192.168.248.129:8443)
org.eclipse.jgit.api.errors.TransportException: https://192.168.248.129:8443/git/rep_hopfner.git: cannot open git-upload-pack
        at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:137)
        at com.gitblit.utils.JGitUtils.fetchRepository(JGitUtils.java:251)
        at com.gitblit.utils.JGitUtils.cloneRepository(JGitUtils.java:202)
        at com.gitblit.FederationPullExecutor.pull(FederationPullExecutor.java:220)
        at com.gitblit.FederationPullExecutor.run(FederationPullExecutor.java:106)
        at com.gitblit.FederationClient.main(FederationClient.java:81)
        at com.gitblit.FederationClientLauncher.main(FederationClientLauncher.java:52)
Caused by: org.eclipse.jgit.errors.TransportException: https://192.168.248.129:8443/git/rep_hopfner.git: cannot open git-upload-pack
        at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:467)
        at org.eclipse.jgit.transport.TransportHttp.openFetch(TransportHttp.java:276)
        at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:127)
        at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:113)
        at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1069)
        at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:128)
        ... 6 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at java.net.HttpURLConnection.getResponseCode(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
        at org.eclipse.jgit.util.HttpSupport.response(HttpSupport.java:167)
        at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:430)
        ... 11 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
        at sun.security.util.HostnameChecker.matchIP(Unknown Source)
        at sun.security.util.HostnameChecker.match(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
        ... 26 more
Finished.

Can you give me a hint how to solve my problems? ;-)
kind regards, mh

Reported by marbod.hopfner on 2012-12-03 11:29:44


gitblit commented Aug 12, 2015

Ok.  In the default Java trustmanager there appears to be a special case for CN=IPAddress
that I was unaware of:

http://www.grepcode.com/search/usages?type=method&id=repository.grepcode.com%24java%24root@jdk%24openjdk@6-b14@sun%24security%24util@HostnameChecker@isIpAddress%28java.lang.String%29&k=u

http://www.grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/sun/security/util/HostnameChecker.java#HostnameChecker.matchIP%28java.lang.String%2Cjava.security.cert.X509Certificate%29

If CN=IPAddress, the IPAddress must also be set in the certificate as a subjectAlternativeName. makekeystore.cmd will not do this. makekeystore_jdk.cmd will work _if_ you are using Java 7 and add a new parameter: -ext san=ip:%HOSTNAME%

I will revise Gitblit's certificate generation to set a proper subjectAlternativeName
if the cert's CN=IPAddress.

All of this would be unnecessary if JGit properly disregarded hostname verification
with http.sslVerify=false like native git does.  :(

http://stackoverflow.com/questions/8443081/how-are-ssl-certificate-server-names-resolved-can-i-add-alternative-names-using

http://stackoverflow.com/questions/8744607/how-to-add-subject-alernative-name-to-ssl-certs


Reported by James.Moger on 2012-12-03 16:35:03

  • Status changed: Accepted
  • Labels added: Milestone-1.2.0
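A Python emulation of the JDK hostname check that James describes in his two comments above (the CN=localhost default certificate, and the special case where a CN holding an IP address is ignored and only an iPAddress subjectAltName counts). This is an added example, not Gitblit, JGit or JDK code: it models a certificate the way Python's `ssl.SSLSocket.getpeercert()` reports one, and the three sample certificates are constructed to match the situations in the thread (Gitblit GO's generated CN=localhost cert, a makekeystore.cmd cert with CN=192.168.248.129 and no SAN, and one with the IP in the SAN). Wildcard matching is simplified to the leftmost-label case.

```python
"""Emulate the JDK's HostnameChecker verdict for a server certificate.

Certificates are modelled the way ssl.SSLSocket.getpeercert() returns them:
  {"subject": ((("commonName", "localhost"),),),
   "subjectAltName": (("DNS", "git.example"), ("IP Address", "192.168.248.129"))}
All sample data in this file is constructed for illustration.
"""
import ipaddress


class HostnameMismatch(Exception):
    """Raised with the message the JDK's HostnameChecker would use."""


def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _san(cert, kind):
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def _common_name(cert):
    # Like the JDK, take the most specific (last) CN in the subject DN.
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return cn


def _dns_match(pattern, host):
    # Simplified wildcard handling: "*.example.org" matches exactly one extra label.
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_identity(host, cert):
    """Raise HostnameMismatch unless cert identifies host; mirrors HostnameChecker.match()."""
    if _is_ip(host):
        # matchIP(): an IP literal in the URL is compared against iPAddress SAN
        # entries only. The CN is never consulted, even if it holds the same IP.
        if not cert.get("subjectAltName"):
            raise HostnameMismatch("No subject alternative names present")
        wanted = ipaddress.ip_address(host)
        if any(ipaddress.ip_address(v) == wanted for v in _san(cert, "IP Address")):
            return
        raise HostnameMismatch(f"No subject alternative names matching IP address {host} found")
    # matchDNS(): dNSName SAN entries win; the CN is a fallback only when none exist.
    dns_names = _san(cert, "DNS")
    if dns_names:
        if any(_dns_match(p, host) for p in dns_names):
            return
        raise HostnameMismatch(f"No subject alternative DNS name matching {host} found")
    cn = _common_name(cert)
    if cn is not None and _dns_match(cn, host):
        return
    raise HostnameMismatch(f"No name matching {host} found")


def mismatch_reason(host, cert):
    """Return None when the check passes, else the JDK-style error message."""
    try:
        check_identity(host, cert)
        return None
    except HostnameMismatch as exc:
        return str(exc)


# Constructed sample certificates for the thread's three situations.
GITBLIT_GO_DEFAULT = {"subject": ((("commonName", "localhost"),),)}
MAKEKEYSTORE_CMD = {"subject": ((("commonName", "192.168.248.129"),),)}
MAKEKEYSTORE_JDK_SAN = {
    "subject": ((("commonName", "192.168.248.129"),),),
    "subjectAltName": (("IP Address", "192.168.248.129"),),
}

if __name__ == "__main__":
    samples = [("CN=localhost, no SAN", GITBLIT_GO_DEFAULT),
               ("CN=192.168.248.129, no SAN", MAKEKEYSTORE_CMD),
               ("CN=192.168.248.129 + SAN IP", MAKEKEYSTORE_JDK_SAN)]
    for label, cert in samples:
        for host in ("localhost", "192.168.248.129"):
            print(f"{label:30} host={host:16} -> {mismatch_reason(host, cert) or 'OK'}")
```

Running the block prints one verdict per (host, certificate) pair; the error strings are the ones `sun.security.util.HostnameChecker` raises, which is why the pulling server's log says `No subject alternative names present` even after a certificate with CN=192.168.248.129 was installed. A caveat on the `http.sslVerify=false` advice earlier in the thread: in native git that setting disables both chain validation and the hostname match, so the client accepts any certificate presented on the path between the two servers. Generating a certificate with the right SAN and importing it into the pulling JVM's trust store keeps verification on.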


gitblit commented Aug 12, 2015

In the next release generated SSL certs will set the subjectAlternativeName like the
JDK requires.  In the meantime you will have to manually generate a certificate keypair
yourself using keytool or openssl.

Reported by James.Moger on 2012-12-03 22:23:03

  • Status changed: Queued
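An added example, not Gitblit's makekeystore scripts, of generating that keypair with the served address in the SAN. It classifies each name as an IP literal or a DNS name, because keytool's `-ext san=` and OpenSSL's `subjectAltName=` each need the matching prefix and an IP wrongly tagged as a DNS name would fail the JDK check just as the CN-only certificate did; it then assembles the keytool invocation that James's `-ext san=ip:%HOSTNAME%` hint amounts to, and the equivalent OpenSSL one. keytool's `-ext` needs Java 7 or later and OpenSSL's `-addext` needs OpenSSL 1.1.1 or later; the alias, validity, file names and the `keystore`/`gitblit` password are my placeholders, not values from the thread.

```python
"""Assemble keytool / OpenSSL invocations whose SAN carries the served address.

Added example, not Gitblit's makekeystore scripts. The JDK only matches an IP
literal in the URL against iPAddress SAN entries, so each name must be tagged
correctly: keytool wants "ip:" / "dns:", OpenSSL wants "IP:" / "DNS:".
Alias, validity, file names and passwords below are placeholders.
"""
import ipaddress
import shutil
import subprocess
import tempfile
from pathlib import Path


def classify(host):
    """Return 'ip' for an IPv4/IPv6 literal, 'dns' for a hostname, else raise."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    if labels and all(
        label and not label.startswith("-") and label.replace("-", "").isalnum()
        for label in labels
    ):
        return "dns"
    raise ValueError(f"not a hostname or IP literal: {host!r}")


def keytool_san(hosts):
    """Value for keytool's -ext san=..., e.g. 'ip:192.168.248.129,dns:git.example'."""
    return ",".join(f"{classify(h)}:{h}" for h in hosts)


def openssl_san(hosts):
    """Value for OpenSSL's -addext, e.g. 'subjectAltName=IP:192.168.248.129'."""
    return "subjectAltName=" + ",".join(f"{classify(h).upper()}:{h}" for h in hosts)


def keytool_command(hosts, keystore, storepass, alias="localhost", validity_days=3650):
    """keytool -genkeypair with the SAN extension (needs Java 7 or later)."""
    if not hosts:
        raise ValueError("at least one host is required")
    return [
        "keytool", "-genkeypair",
        "-alias", alias,
        "-keyalg", "RSA", "-keysize", "2048", "-sigalg", "SHA256withRSA",
        "-dname", f"CN={hosts[0]}",          # CN still set, but the SAN is what gets checked
        "-validity", str(validity_days),
        "-ext", "san=" + keytool_san(hosts),
        "-keystore", keystore,
        "-storepass", storepass, "-keypass", storepass,
    ]


def openssl_command(hosts, key_file, cert_file, days=3650):
    """Self-signed equivalent with OpenSSL (-addext needs OpenSSL 1.1.1 or later)."""
    if not hosts:
        raise ValueError("at least one host is required")
    return [
        "openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
        "-keyout", key_file, "-out", cert_file, "-days", str(days),
        "-subj", f"/CN={hosts[0]}",
        "-addext", openssl_san(hosts),
    ]


def generate_and_inspect(hosts):
    """If an openssl binary is present, create the pair and return the SAN it prints."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = str(Path(tmp, "key.pem")), str(Path(tmp, "cert.pem"))
        subprocess.run(openssl_command(hosts, key, cert), check=True, capture_output=True)
        shown = subprocess.run(
            ["openssl", "x509", "-in", cert, "-noout", "-ext", "subjectAltName"],
            check=True, capture_output=True, text=True,
        )
        return shown.stdout.strip()


if __name__ == "__main__":
    hosts = ["192.168.248.129"]
    print(" ".join(keytool_command(hosts, "keystore", "gitblit")))
    print(" ".join(openssl_command(hosts, "key.pem", "cert.pem")))
    print(generate_and_inspect(hosts) or "openssl not found; commands printed only")
```

Listing the hostname alongside the IP (`keytool_san(["192.168.248.129", "backup.example"])`) produces one certificate that satisfies the JDK whether the federation URL uses the address or the name. The inspection step is the check worth keeping in any certificate-rotation script: if `subjectAltName` does not print an `IP Address:` entry for the address in `federation.*.url`, JGit will reject the certificate no matter what the CN says.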


gitblit commented Aug 12, 2015

v1.2.0 has been deployed.

Reported by James.Moger on 2013-01-01 01:06:26

  • Status changed: Fixed

@gitblit gitblit closed this as completed Aug 12, 2015
@flaix flaix modified the milestone: 1.2.0 Dec 13, 2016