Resolve SSL certificate error with Git » History » Revision 25
Revision 24 (Redmine Admin, 08/06/2014 11:59 AM) → Revision 25/54 (Redmine Admin, 08/06/2014 02:50 PM)
h1. SSL certificate handling with GIT

GIT uses cURL internally for transferring files. Unfortunately cURL uses its own certificate store, and the certificate chain (Telekom-CA --> DFN-CA --> TU-Clausthal) isn't included by default. When you try to access a GIT repository you will get an error similar to this:

<pre>
git clone https://scm.in.tu-clausthal.de/git/testgit
Cloning into 'testgit'...
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://scm.in.tu-clausthal.de/git/testgit/info/refs
</pre>

This is because by default cURL does not know the certificate chain in use and therefore rejects the GIT operation. There are several possibilities to avoid this:

# [[Certificate handling with GIT#the good and secure method|the good and secure method]], which requires installing the certificate chain used here.
# [[the bad and insecure method]], which relies on GIT/cURL bypassing the SSL certificate verification.

The [[bad and insecure method]] allows a man-in-the-middle attack and really should not be used. You have been warned! Don't even think about using it.

---

h3(#the good and secure method). The good and secure method to use GIT over HTTPS

GIT uses cURL for transferring files. Unfortunately the root certificate of the certificate chain used here at the "Clausthal University of Technology":http://www.tu-clausthal.de is not included in the default cURL installation. ("See this page for further information about the TU Clausthal CA":https://doku.tu-clausthal.de/doku.php?id=ssl-zertifikate:start)

The certificate chain looks like this:

!TUC-Certificate-Chain.png!

<pre>
"Deutsche Telekom Root CA 2"
  +--"DFN-Verein PCA Global - G01"
       +--"TU Clausthal CA - G02"
            +--"scm.in.tu-clausthal.de"
</pre>

In order to securely work with GIT you need to import the certificate chain. We provide a step-by-step manual for these operating systems:
h2. [[Install certificate chain on Windows]]

h2. [[Install certificate chain on OS X]]

h2. [[Install certificate chain on Linux]]

To import the certificate chain for GIT follow these steps:

# Locate the folder where the git executable is installed. In this folder there should be a file called "curl-ca-bundle.crt". On Windows this is most likely @c:\Programs (x86)\Git\bin@; on Debian-Linux it is located at @/etc/ssl/certs/ca-certificates.crt@.
# Download the certificate-chain file, which contains the Telekom-CA, the DFN-CA and the TUC-CA: https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain_sha1.txt (see also the TU Clausthal CA page at https://pki.pca.dfn.de/tu-clausthal-ca/cgi-bin/pub/pki?cmd=getStaticPage;name=index;id=4&RA_ID=0).
# Decide if the certificate chain should be installed system-wide or just user- or account-wide. For user-wide installation make a copy of the @*.crt@ file above and place it in your

Or choose one of the following options to skip the certificate verification:

* Temporarily ignore SSL certificate verification for a single command: @env GIT_SSL_NO_VERIFY=true git clone https://scm.in.tu-clausthal.de/git/PROJECTNAME@
* Disable SSL verification for one GIT repository (works after the first clone): @git config http.sslVerify false@
* Globally disable SSL verification (not recommended!): @git config --global http.sslVerify false@
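The secure method above comes down to appending the downloaded chain to cURL's CA bundle without corrupting it. The following Python tool is an added example, not code from this wiki or from TU Clausthal: it merges a chain file into an existing bundle, skips certificates that are already present, and refuses malformed PEM blocks instead of writing them. The @placeholder_cert@ helper and the @bundle_ok@/@merge_bundle@ names are the example's own; its sample certificates are constructed stand-ins, not the real Telekom, DFN or TUC certificates.

```python
"""Merge a CA chain into a cURL/Git PEM bundle, deduplicating and sanity-checking blocks.
Added example, not the wiki's code; the sample certificates are constructed placeholders."""
import base64
import binascii
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_is_sequence(der: bytes) -> bool:
    """Outer tag is SEQUENCE (0x30) and the DER length covers exactly the rest."""
    if len(der) < 2 or der[0] != 0x30 or der[1] == 0x80:  # 0x80 = indefinite, not DER
        return False
    n = der[1] & 0x7F if der[1] & 0x80 else 0  # number of long-form length bytes
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    return n <= 4 and 2 + n + length == len(der)

def pem_blocks(text: str) -> list[bytes]:
    """DER of each certificate block; ValueError on a malformed block, because a
    single corrupt entry can make cURL reject the whole bundle (and every HTTPS clone)."""
    ders = []
    for m in PEM_RE.finditer(text):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 in certificate block: {exc}") from exc
        if not der_is_sequence(der):
            raise ValueError("certificate block is not a DER SEQUENCE")
        ders.append(der)
    return ders

def bundle_ok(text: str) -> bool:
    """True if every certificate block in text parses cleanly."""
    try:
        return pem_blocks(text) is not None
    except ValueError:
        return False

def merge_bundle(bundle: str, chain: str) -> tuple[str, int]:
    """Append chain certs missing from bundle; return (new_text, number_added)."""
    have = set(pem_blocks(bundle))
    # dict.fromkeys keeps order while dropping duplicates within the chain itself
    new = [d for d in dict.fromkeys(pem_blocks(chain)) if d not in have]
    out = bundle if not bundle or bundle.endswith("\n") else bundle + "\n"
    return out + "".join(ssl.DER_cert_to_PEM_cert(d) for d in new), len(new)

def placeholder_cert(n: int) -> str:
    """Constructed PEM stand-in (DER SEQUENCE{INTEGER n}); not a real CA certificate."""
    return ssl.DER_cert_to_PEM_cert(bytes([0x30, 3, 2, 1, n]))
```

In practice you would read @curl-ca-bundle.crt@ (or @/etc/ssl/certs/ca-certificates.crt@) and the downloaded chain file into the two arguments, check @bundle_ok@ on the result, and only then write the merged text back.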