Jenkins cannot clone repo from gerrit over http

Question

I'm getting an error while trying to clone repo from gerrit with my jenkins user.

I have a jenkins user in gerrit with set ssh key and http password. I can login with password to gerrit UI but when I try to clone repo over http I'm getting fatal: authentication failed.

I'm using nginx and here is my configuration for both sites

Here is nginx configuration for gerrit

upstream gerrit {
    server localhost:8092 fail_timeout=0;
}

 server {
    listen 80;
    server_name gerrit.domain.com;
    return 301 https://$host$request_uri;
 }

 server {
    listen 443 ssl;
    server_name gerrit.domain.com www.gerrit.domain.com;

    proxy_ssl_session_reuse off;

    ssl_certificate 
    /etc/letsencrypt/live/gerrit.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key 
    /etc/letsencrypt/live/gerrit.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    if ($scheme != "https") {
       return 301 https://$host$request_uri;
    } # managed by Certbot

    location / {
       allow 10.8.0.0/24;
       deny all;
       proxy_set_header        Host $host:$server_port;
       proxy_set_header        X-Real-IP $remote_addr;
       proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header        X-Forwarded-Proto $scheme;
       proxy_set_header Connection "";
       proxy_set_header Authorization $http_authorization;
       proxy_pass_header  Authorization;
       proxy_redirect http:// https://;
       proxy_pass              http://gerrit;
       proxy_http_version 1.1;
       proxy_request_buffering off;
       proxy_buffering off; # Required for HTTP-based CLI to work over SSL

       auth_basic "Restricted";
       auth_basic_user_file /etc/nginx/.htpasswd;
 }

and nginx configuration for jenkins

upstream jenkins {
    server localhost:8080 fail_timeout=0;
}

server {
    listen 80;
    server_name jenkins.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name jenkins.domain.com www.jenkins.domain.com;

    ssl_certificate /etc/letsencrypt/live/jenkins.domain.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/jenkins.domain.com-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    proxy_ssl_session_reuse off;

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    location / {
        allow 10.8.0.0/24;
        deny all;
        proxy_set_header        Host $host:$server_port;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";
        proxy_redirect http:// https://;
        proxy_pass              http://jenkins;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering off; # Required for HTTP-based CLI to work over SSL
        add_header 'X-SSH-Endpoint' 'jenkins.domain.com:50022' always;
        proxy_read_timeout 150;
    }
    location = /favicon.ico {
        log_not_found off;
    }
}

I have tried using password which is stored in /etc/nginx/.htpasswd and the one which I've generated in gerrit UI for jenkins user but both are not working.

Does anyone have an idea why it doesn't work?

Additionally in nginx error.log I can see "user "jenkins": password mismatch" error. But with same password I can login to gerrit UI.

Answer 1

I would increase the fail timeout from 0 as logic tells me that gives you exactly 0 seconds before timeout and fail.

Answer 2

I have found out that after removing

auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;

lines from gerrit nginx configuration jenkins is able to clone repo, but after that I'm getting error from website that http authentication was not setup propertly.