search

contao-community-alliance / composer-client

This is the Contao Composer Client
http://de.contaowiki.org/Composer
27 stars 18 forks source link

Your configuration does not allow connection to http://legacy-packages contao #281

Closed 31er closed 8 years ago

31er commented 8 years ago

Contao 3.5.6 Composer-Client 0.16.3

Bei "Testlauf" oder "Pakete aktualisieren" erscheint im Textoutput: Your configuration does not allow connection to http://legacy-packages-via.contao-community-alliance.org. See https://getcomposer.org/doc/06-config.md#secure-http for details. http://legacy-packages-via.contao-community-alliance.org could not be fully loaded, package information was loaded from the local cache and may be out of date

Der Hinweis verschwindet erst, wenn man in der composer.json http auf https ändert. Siehe auch: https://community.contao.org/de/showthread.php?61453-Your-configuration-does-not-allow-connection-to-http

fritzmg commented 8 years ago

This happens with the recent composer.phar update. composer does not allow unsecure connections by default anymore:

secure-http#

Defaults to true. If set to true only HTTPS URLs are allowed to be downloaded via Composer. If you really absolutely need HTTP access to something then you can disable it, but using Let's Encrypt to get a free SSL certificate is generally a better alternative.

https://getcomposer.org/doc/06-config.md#secure-http

However, even if you have both versions (http and https) of the contao legacy package repository in the repositories section of your composer.json, composer will still complain. The only solution right now is to remove

{
    "type": "composer",
    "url": "http://legacy-packages-via.contao-community-alliance.org/"
}

(or add "secure-http": false to the config section, which is not recommended of course)

discordier commented 8 years ago

In fact there is no real reason IMO to still retain the http url in composer.json. Most servers have https support now a days and therefore it is obsolete.

We can safely delete it. However, this will only affect new installations then.

MacKP commented 8 years ago

Hab gerade bei einer Installation auf Composer gewechselt. Dabei noch zwei legacy Pakete belassen (efg und xls_export). Auch wenn ich die Zeilen aus der composer.json entfernt habe (ja, auch cache von Composer geleert) bin ich nicht weiter gekommen. Notlösung: legacy-Erweiterungen aus composer.json entfernen, dann update machen und Erweiterungen per Hand wieder hochladen. Dann Erweiterungen wieder in die composer.json eintragen, damit mir die nicht beim nächsten mal entfernt werden ^^ Scheint irgendwo noch der Wurm drinn zu sein oder?

Viele Grüße

discordier commented 8 years ago

Du hast in der composer.json den Bereich mit http:// entfernt?

MacKP commented 8 years ago

Ja, sowas von. Der war so weg, das ich den gar nicht mehr gesehen habe ;-) Vorher hab ich den mal bearbeitet gehabt und https draus gemacht. Beides hat nicht geholfen :(

fritzmg commented 8 years ago

Hm, have you tried deleting everything under /composer/cache/repo as well?

MacKP commented 8 years ago

Jep, everything in /composer/cache

frontendschlampe commented 8 years ago

I had the same problem but I just take out

{ "type": "composer", "url": "http://legacy-packages-via.contao-community-alliance.org/" }

and everything works fine!

christianbarkowsky commented 8 years ago

Also the same problem.

Expertenmodus > s added > save > Composer Cache leeren > nun geht's.

P.S. Freitag Nachmittag war das Problem beim Kunden plötzlich da.

frontendschlampe commented 8 years ago

@christianbarkowsky Du musst es aber nicht hinzufügen, sondern eher den http Eintrag löschen, oder?!

christianbarkowsky commented 8 years ago

@frontendschlampe bei mir ging es aber so!

frontendschlampe commented 8 years ago

ja ... natürlich ging es, aber der Eintrag für https steht doch bereits drin!

christianbarkowsky commented 8 years ago

@frontendschlampe stimmt ... nun ist es doppelt! :-s

frontendschlampe commented 8 years ago

:-D ... sag ich doch!

bytehead commented 8 years ago

Legacy Pakete werden aber scheinbar immernoch über die HTTP-Verbindung geladen: - Installing contao-legacy/newslanguage (2.1.0.9035) Downloading http://legacy-packages-via.contao-community-alliance.org/er2-proxy/newslanguage/20010009/35

trotz HTTPS in der composer.json: { "type": "composer", "url": "https://legacy-packages-via.contao-community-alliance.org/" }

fritzmg commented 8 years ago

Lösche mal Cache, lock und installed file.

bytehead commented 8 years ago

Habe ich versucht, alles bis auf das composer.json file gelöscht - ohne legacy pakete gehts.

bytehead commented 8 years ago

I have set up an empty directory with the accordingly composer.json file and it still fails:

- Installing contao-legacy/newslanguage (2.1.0.9035)
Downloading http://legacy-packages-via.contao-community-alliance.org/er2-proxy/newslanguage/20010009/35
    Downloading: Connecting...    Download failed, retrying...
Downloading http://legacy-packages-via.contao-community-alliance.org/er2-proxy/newslanguage/20010009/35
    Downloading: Connecting...    Download failed, retrying...
Downloading http://legacy-packages-via.contao-community-alliance.org/er2-proxy/newslanguage/20010009/35
    Downloading: Connecting...
Failed: [Composer\Downloader\TransportException] 0: Your configuration does not allow connection to http://legacy-packages-via.contao-community-alliance.org. See https://getcomposer.org/doc/06-config.md#secure-http for details.

  [Composer\Downloader\TransportException]                                                                                                                                         
  Your configuration does not allow connection to http://legacy-packages-via.contao-community-alliance.org. See https://getcomposer.org/doc/06-config.md#secure-http for details.
fritzmg commented 8 years ago

Could it be, that the contao-legacy packagist server actually points to the er2-proxy repositories without SSL, regardless of whether you use https://legacy-packages-via.contao-community-alliance.org or http://legacy-packages-via.contao-community-alliance.org ?

bytehead commented 8 years ago

It seems to be like this...

discordier commented 8 years ago

Yep, that's the case. Sadly the complete re-import of all extensions is still running.

When it is done, all URLs will be https:// based

bytehead commented 8 years ago

thanks! :+1:

discordier commented 8 years ago

All parsed, new URLs should be distributed as caches slowly clear up. Any update on your side?

bytehead commented 8 years ago

Works for me!

monofone commented 8 years ago

After cleaning up the composer.json the composer stuff is working. So for me its working too, but I havent installed any extensions, just searched and detail views.

k-webdesign commented 8 years ago

Läuft

discordier commented 8 years ago

Fixed in trunk with c247028160499cc9c3eadaf0f5fe5aeaa897fd56.

fritzmg commented 8 years ago

Since this will affect everyone that tries to make a fresh composer client installation (via the ER2 for example), 0.16.4 should be released as soon as possible.

discordier commented 8 years ago

Granted, I just wanted to wait for input on all other issues. Mainly on the endless loop of "restart the operation". However I suspect it was due to the regression introduced in composer 1.0.1 and fixed in 1.0.2. Will release within the next days.

paulocastroo commented 7 years ago

just a note: we still need the http version for testing out satis in our local computer

discordier commented 7 years ago

Can you clearify this? Why do you want to connect via plain http instead of https? I thought satis knows HTTPs.

planktonfun commented 7 years ago

When you use satis server on your local computer (not hosted in a domain) and a self-signed certificate it wouldn't work even if you add the option verify peer false e.g. https://localhost:8181,

but luckily adding '"secure-http":false' under options key inside composer.json will work but not recommended according to composers documentation

flik commented 6 years ago

You can run the command and get fix:

composer config -g secure-http false

fritzmg commented 6 years ago

@flik this is not recommended

leonhoffmann86 commented 5 years ago

Simply add this configuration to your composer.json file.

"config": { "secure-http": false } Here is an full example of a working composer.json file

"repositories": [{ "type": "composer", "url": "http://packagist.org" }], "require": { "phpmailer/phpmailer": "^6.0" }, "config": { "secure-http": false } }

fritzmg commented 5 years ago

@leonfrombeawwwer you should not do this.

leonhoffmann86 commented 5 years ago

@fritzmg Thanks for the feedback. Would you explain why? Thanks, Leon

fritzmg commented 5 years ago

The real solution for any SSL problem is never to not use SSL, as this is a potential security risk. You should solve the SSL problem in the first place.

See all the comments above.

leonhoffmann86 commented 5 years ago

I see, I was looking for ways to solve it but needed to move on with the project. As a quick fix it worked great for me. I can always remove the config and all will be secure again here, or not?