Resolve SSL certificate error with Git » History » Version 18
Redmine Admin, 08/06/2014 11:31 AM
| 1 | 1 | Redmine Admin | h1. Certificate handling with GIT |
|---|---|---|---|
| 2 | |||
| 3 | |||
| 4 | GIT uses cURL internally for transfering files. Unfortunately cURL uses its own certificate-store |
||
| 5 | and the certificate-chain (Telekom-CA-->DFN-CA-->TU-Clausthal) isn't included by default. |
||
| 6 | |||
| 7 | Now, when you try to access a GIT-repository you will get an error similar to this: |
||
| 8 | <pre> |
||
| 9 | git clone https://scm.in.tu-clausthal.de/git/testgit |
||
| 10 | Cloning into 'testgit'... |
||
| 11 | 12 | Redmine Admin | error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt |
| 12 | CRLfile: none while accessing https://scm.in.tu-clausthal.de/git/testgit/info/refs |
||
| 13 | 1 | Redmine Admin | </pre> |
| 14 | |||
| 15 | 2 | Redmine Admin | This is because by default cURL does not know the used certificate chain and rejects the GIT operation. |
| 16 | 1 | Redmine Admin | There are several possibilities to avoid this |
| 17 | 5 | Redmine Admin | |
| 18 | 13 | Redmine Admin | # and [[Certificate handling with GIT#the good and secure method|the good and secure method]] which requires to install the certificate chain used here. |
| 19 | 1 | Redmine Admin | # [[the bad and insecure method]] which are based on the fact that GIT/cURL bypasses the SSL certificate verification. |
| 20 | |||
| 21 | 12 | Redmine Admin | The [[bad and insecure method]] allows a man-in-the-middle-attack and really should be used. You have been warned! Don't even think about using it. |
| 22 | |||
| 23 | 15 | Redmine Admin | --- |
| 24 | 14 | Redmine Admin | |
| 25 | |||
| 26 | 12 | Redmine Admin | h3(#the good and secure method). The good and secure method to use GIT over HTTPS |
| 27 | |||
| 28 | 17 | Redmine Admin | GIT uses cURL for transfering files. Unfortunately the root certificate of the certificate chain used here at the "Clausthal University of Technologoy":http://www.tu-clausthal.de is not included in the default cURL installation. ("See this page for further information about TU Claustha-CA":https://doku.tu-clausthal.de/doku.php?id=ssl-zertifikate:start) |
| 29 | 18 | Redmine Admin | The certificate chain looks like this: |
| 30 | |||
| 31 | !! |
||
| 32 | |||
| 33 | "Deutsche Telekom Root CA 2" |
||
| 34 | "DFV-Verein PCA Global -G01" |
||
| 35 | "TU Clausthal CA - G02" |
||
| 36 | "scm.in.tu-clausthal.de" |
||
| 37 | |||
| 38 | |||
| 39 | 17 | Redmine Admin | |
| 40 | In order to securely work with GIT you need to import the certificate chain. |
||
| 41 | We will provide the step-by-step-manual for these operating systems: |
||
| 42 | |||
| 43 | |||
| 44 | |||
| 45 | |||
| 46 | |||
| 47 | https://pki.pca.dfn.de/tu-clausthal-ca/cgi-bin/pub/pki?cmd=getStaticPage;name=index;id=4&RA_ID=0 |
||
| 48 | 2 | Redmine Admin | |
| 49 | 1 | Redmine Admin | To import the certificate chain for GIT follow these steps: |
| 50 | 1. Locate the file |
||
| 51 | |||
| 52 | https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain_sha1.txt |
||
| 53 | To import the certificate chain for GIT follow these steps: |
||
| 54 | |||
| 55 | |||
| 56 | or choose one of the following options to skip the certificate verification: |
||
| 57 | - Temporary ignore ssl certificate verification: |
||
| 58 | env GIT_SSL_NO_VERIFY=true git clone https://scm.in.tu-clausthal.de/git/PROJECTNAME |
||
| 59 | |||
| 60 | - Disable ssl verfication for one GIT repository (works after first clone): |
||
| 61 | git config http.sslVerify false |
||
| 62 | |||
| 63 | - Globally disable ssl verification (not recommended!) |
||
| 64 | git config --global http.sslVerify false |