Redmine, Git, Svn Help

h1. Certificate handling with GIT

GIT uses cURL internally for transfering files. Unfortunately cURL uses its own certificate-store

and the certificate-chain (Telekom-CA-->DFN-CA-->TU-Clausthal) isn't included by default.

Now, when you try to access a GIT-repository you will get an error similar to this:

<pre>

git clone https://scm.in.tu-clausthal.de/git/testgit

Cloning into 'testgit'...

error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt 

CRLfile: none while accessing https://scm.in.tu-clausthal.de/git/testgit/info/refs

</pre>

This is because by default cURL does not know the used certificate chain and rejects the GIT operation.

There are several possibilities to avoid this

# and [[Certificate handling with GIT#the good and secure method|the good and secure method]] which requires to install the certificate chain used here.

# [[the bad and insecure method]] which are based on the fact that GIT/cURL bypasses the SSL certificate verification.

The [[bad and insecure method]] allows a man-in-the-middle-attack and really should be used. You have been warned! Don't even think about using it. 

h3(#the good and secure method). The good and secure method to use GIT over HTTPS

To import the certificate chain for GIT follow these steps:

 1. Locate the file

https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain_sha1.txt

To import the certificate chain for GIT follow these steps:

or choose one of the following options to skip the certificate verification:

- Temporary ignore ssl certificate verification:

  env GIT_SSL_NO_VERIFY=true git clone https://scm.in.tu-clausthal.de/git/PROJECTNAME

- Disable ssl verfication for one GIT repository (works after first clone):

  git config http.sslVerify false

- Globally disable ssl verification (not recommended!)

  git config --global http.sslVerify false