Project

General

Profile

Resolve SSL certificate error with Git » History » Version 15

Redmine Admin, 08/06/2014 11:16 AM

1 1 Redmine Admin
h1. Certificate handling with GIT
2
3
4
GIT uses cURL internally for transfering files. Unfortunately cURL uses its own certificate-store
5
and the certificate-chain (Telekom-CA-->DFN-CA-->TU-Clausthal) isn't included by default.
6
7
Now, when you try to access a GIT-repository you will get an error similar to this:
8
<pre>
9
git clone https://scm.in.tu-clausthal.de/git/testgit
10
Cloning into 'testgit'...
11 12 Redmine Admin
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt 
12
CRLfile: none while accessing https://scm.in.tu-clausthal.de/git/testgit/info/refs
13 1 Redmine Admin
</pre>
14
15 2 Redmine Admin
This is because by default cURL does not know the used certificate chain and rejects the GIT operation.
16 1 Redmine Admin
There are several possibilities to avoid this
17 5 Redmine Admin
18 13 Redmine Admin
# and [[Certificate handling with GIT#the good and secure method|the good and secure method]] which requires to install the certificate chain used here.
19 1 Redmine Admin
# [[the bad and insecure method]] which are based on the fact that GIT/cURL bypasses the SSL certificate verification.
20
21 12 Redmine Admin
The [[bad and insecure method]] allows a man-in-the-middle-attack and really should be used. You have been warned! Don't even think about using it. 
22
23 15 Redmine Admin
---
24 14 Redmine Admin
25
26 12 Redmine Admin
h3(#the good and secure method). The good and secure method to use GIT over HTTPS
27
28
29 2 Redmine Admin
30 1 Redmine Admin
To import the certificate chain for GIT follow these steps:
31
 1. Locate the file
32
33
https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain_sha1.txt
34
To import the certificate chain for GIT follow these steps:
35
36
37
or choose one of the following options to skip the certificate verification:
38
- Temporary ignore ssl certificate verification:
39
  env GIT_SSL_NO_VERIFY=true git clone https://scm.in.tu-clausthal.de/git/PROJECTNAME
40
41
- Disable ssl verfication for one GIT repository (works after first clone):
42
  git config http.sslVerify false
43
44
- Globally disable ssl verification (not recommended!)
45
  git config --global http.sslVerify false