Resolve SSL certificate error with Git » History » Version 12
Redmine Admin, 08/06/2014 11:13 AM
1 | 1 | Redmine Admin | h1. Certificate handling with GIT |
---|---|---|---|
2 | |||
3 | |||
4 | GIT uses cURL internally for transfering files. Unfortunately cURL uses its own certificate-store |
||
5 | and the certificate-chain (Telekom-CA-->DFN-CA-->TU-Clausthal) isn't included by default. |
||
6 | |||
7 | Now, when you try to access a GIT-repository you will get an error similar to this: |
||
8 | <pre> |
||
9 | git clone https://scm.in.tu-clausthal.de/git/testgit |
||
10 | Cloning into 'testgit'... |
||
11 | 12 | Redmine Admin | error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt |
12 | CRLfile: none while accessing https://scm.in.tu-clausthal.de/git/testgit/info/refs |
||
13 | 1 | Redmine Admin | </pre> |
14 | |||
15 | 2 | Redmine Admin | This is because by default cURL does not know the used certificate chain and rejects the GIT operation. |
16 | 1 | Redmine Admin | There are several possibilities to avoid this |
17 | 5 | Redmine Admin | |
18 | 12 | Redmine Admin | # and [[#the good and secure method]] which requires to install the certificate chain used here. |
19 | 1 | Redmine Admin | # [[the bad and insecure method]] which are based on the fact that GIT/cURL bypasses the SSL certificate verification. |
20 | |||
21 | 12 | Redmine Admin | The [[bad and insecure method]] allows a man-in-the-middle-attack and really should be used. You have been warned! Don't even think about using it. |
22 | |||
23 | h3(#the good and secure method). The good and secure method to use GIT over HTTPS |
||
24 | |||
25 | |||
26 | 2 | Redmine Admin | |
27 | 1 | Redmine Admin | To import the certificate chain for GIT follow these steps: |
28 | 1. Locate the file |
||
29 | |||
30 | https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain_sha1.txt |
||
31 | To import the certificate chain for GIT follow these steps: |
||
32 | |||
33 | |||
34 | or choose one of the following options to skip the certificate verification: |
||
35 | - Temporary ignore ssl certificate verification: |
||
36 | env GIT_SSL_NO_VERIFY=true git clone https://scm.in.tu-clausthal.de/git/PROJECTNAME |
||
37 | |||
38 | - Disable ssl verfication for one GIT repository (works after first clone): |
||
39 | git config http.sslVerify false |
||
40 | |||
41 | - Globally disable ssl verification (not recommended!) |
||
42 | git config --global http.sslVerify false |