Project

General

Profile

Resolve SSL certificate error with Git » History » Version 24

Redmine Admin, 08/06/2014 11:59 AM

1 24 Redmine Admin
h1. SSL certificate handling with GIT
2 1 Redmine Admin
3
4
GIT uses cURL internally for transfering files. Unfortunately cURL uses its own certificate-store
5
and the certificate-chain (Telekom-CA-->DFN-CA-->TU-Clausthal) isn't included by default.
6
7
Now, when you try to access a GIT-repository you will get an error similar to this:
8
<pre>
9
git clone https://scm.in.tu-clausthal.de/git/testgit
10
Cloning into 'testgit'...
11 12 Redmine Admin
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt 
12
CRLfile: none while accessing https://scm.in.tu-clausthal.de/git/testgit/info/refs
13 1 Redmine Admin
</pre>
14
15 2 Redmine Admin
This is because by default cURL does not know the used certificate chain and rejects the GIT operation.
16 1 Redmine Admin
There are several possibilities to avoid this
17 5 Redmine Admin
18 13 Redmine Admin
# and [[Certificate handling with GIT#the good and secure method|the good and secure method]] which requires to install the certificate chain used here.
19 1 Redmine Admin
# [[the bad and insecure method]] which are based on the fact that GIT/cURL bypasses the SSL certificate verification.
20
21 12 Redmine Admin
The [[bad and insecure method]] allows a man-in-the-middle-attack and really should be used. You have been warned! Don't even think about using it. 
22
23 15 Redmine Admin
---
24 14 Redmine Admin
25
26 12 Redmine Admin
h3(#the good and secure method). The good and secure method to use GIT over HTTPS
27
28 17 Redmine Admin
GIT uses cURL for transfering files. Unfortunately the root certificate of the certificate chain used here at the "Clausthal University of Technologoy":http://www.tu-clausthal.de is not included in the default cURL installation. ("See this page for further information about TU Claustha-CA":https://doku.tu-clausthal.de/doku.php?id=ssl-zertifikate:start)
29 18 Redmine Admin
The certificate chain looks like this: 
30
31 22 Redmine Admin
!TUC-Certificate-Chain.png!
32 18 Redmine Admin
33 20 Redmine Admin
<pre>
34
"Deutsche Telekom Root CA 2"
35 21 Redmine Admin
+--"DFV-Verein PCA Global -G01"
36
   +--"TU Clausthal CA - G02"@
37
      +--"scm.in.tu-clausthal.de"
38 20 Redmine Admin
</pre>
39 18 Redmine Admin
40 17 Redmine Admin
41
In order to securely work with GIT you need to import the certificate chain.
42
We will provide the step-by-step-manual for these operating systems:
43
44 23 Redmine Admin
h2. [[Install certificate chain on Windows]]
45
46
h2. [[Install certificate chain on OS X]]
47
48
h2. [[Install certificate chain on Linux]]
49 17 Redmine Admin
50
51
52
53
https://pki.pca.dfn.de/tu-clausthal-ca/cgi-bin/pub/pki?cmd=getStaticPage;name=index;id=4&RA_ID=0
54 2 Redmine Admin
55 1 Redmine Admin
To import the certificate chain for GIT follow these steps:
56
 1. Locate the file
57
58
https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain_sha1.txt
59
To import the certificate chain for GIT follow these steps:
60
61
62
or choose one of the following options to skip the certificate verification:
63
- Temporary ignore ssl certificate verification:
64
  env GIT_SSL_NO_VERIFY=true git clone https://scm.in.tu-clausthal.de/git/PROJECTNAME
65
66
- Disable ssl verfication for one GIT repository (works after first clone):
67
  git config http.sslVerify false
68
69
- Globally disable ssl verification (not recommended!)
70
  git config --global http.sslVerify false