Resolve SSL certificate error with Git » History » Version 31
Redmine Admin, 08/06/2014 09:31 PM
| 1 | 24 | Redmine Admin | h1. SSL certificate handling with GIT |
|---|---|---|---|
| 2 | 1 | Redmine Admin | |
| 3 | |||
| 4 | GIT uses cURL internally for transfering files. Unfortunately cURL uses its own certificate-store |
||
| 5 | and the certificate-chain (Telekom-CA-->DFN-CA-->TU-Clausthal) isn't included by default. |
||
| 6 | |||
| 7 | Now, when you try to access a GIT-repository you will get an error similar to this: |
||
| 8 | 28 | Redmine Admin | Windows |
| 9 | 1 | Redmine Admin | <pre> |
| 10 | 31 | Redmine Admin | git clone https://scm.in.tu-clausthal.de/git/testgit |
| 11 | 1 | Redmine Admin | Cloning into 'stuko1'... |
| 12 | 29 | Redmine Admin | fatal: unable to access 'https://scm.in.tu-clausthal.de/git/testgit/': |
| 13 | SSL certificate problem: unable to get local issuer certificate |
||
| 14 | 28 | Redmine Admin | </pre> |
| 15 | |||
| 16 | Linux |
||
| 17 | <pre> |
||
| 18 | 1 | Redmine Admin | git clone https://scm.in.tu-clausthal.de/git/testgit |
| 19 | Cloning into 'testgit'... |
||
| 20 | 12 | Redmine Admin | error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt |
| 21 | CRLfile: none while accessing https://scm.in.tu-clausthal.de/git/testgit/info/refs |
||
| 22 | 1 | Redmine Admin | </pre> |
| 23 | |||
| 24 | 30 | Redmine Admin | This is because by default cURL does not know the used certificate chain and rejects the GIT operation, which is a good thing to do so. |
| 25 | The solution is to tell Git/cURL about this chain. |
||
| 26 | # [[Certificate handling with GIT#the good and secure method|the good and secure method]] which requires to install the certificate chain used here. |
||
| 27 | 1 | Redmine Admin | # [[the bad and insecure method]] which are based on the fact that GIT/cURL bypasses the SSL certificate verification. |
| 28 | |||
| 29 | 30 | Redmine Admin | The [[bad and insecure method]] allows a man-in-the-middle-attack and really should NOT be used. You have been warned! Don't even think about using it. If you are really, really, really ... sure about what you doing, follow the [[bad and insecure method]]. |
| 30 | 12 | Redmine Admin | |
| 31 | 15 | Redmine Admin | --- |
| 32 | 14 | Redmine Admin | |
| 33 | |||
| 34 | 12 | Redmine Admin | h3(#the good and secure method). The good and secure method to use GIT over HTTPS |
| 35 | |||
| 36 | 17 | Redmine Admin | GIT uses cURL for transfering files. Unfortunately the root certificate of the certificate chain used here at the "Clausthal University of Technologoy":http://www.tu-clausthal.de is not included in the default cURL installation. ("See this page for further information about TU Claustha-CA":https://doku.tu-clausthal.de/doku.php?id=ssl-zertifikate:start) |
| 37 | 18 | Redmine Admin | The certificate chain looks like this: |
| 38 | |||
| 39 | 22 | Redmine Admin | !TUC-Certificate-Chain.png! |
| 40 | 18 | Redmine Admin | |
| 41 | 20 | Redmine Admin | <pre> |
| 42 | "Deutsche Telekom Root CA 2" |
||
| 43 | 21 | Redmine Admin | +--"DFV-Verein PCA Global -G01" |
| 44 | +--"TU Clausthal CA - G02"@ |
||
| 45 | +--"scm.in.tu-clausthal.de" |
||
| 46 | 20 | Redmine Admin | </pre> |
| 47 | 18 | Redmine Admin | |
| 48 | 17 | Redmine Admin | |
| 49 | In order to securely work with GIT you need to import the certificate chain. |
||
| 50 | 25 | Redmine Admin | We will provide the step-by-step-manual for most operating systems. |
| 51 | 1 | Redmine Admin | |
| 52 | 26 | Redmine Admin | # Download the certificate-chain from the DFN (Deutsches Forschungs Netz) |
| 53 | 27 | Redmine Admin | Right-click on "Zertifikatkette anzeigen" and select "Save target on" |
| 54 | 25 | Redmine Admin | https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain.txt |
| 55 | 26 | Redmine Admin | # Locate the folder where the git executable is installed. |
| 56 | ## On Windows this file is called @curl-ca-bundle.crt@ and its located most likely at @c:\Programs (x86)\Git\bin@ |
||
| 57 | 1 | Redmine Admin | ## On Debian-Linux it is is located at @/etc/ssl/certs/ca-certificates.crt@ |
| 58 | # Decide if the certificate-chain should be installed system-wide or just user- or account-wide. |
||
| 59 | 27 | Redmine Admin | ## For a system-wide installation just append the certificate-chain from above to this file- |
| 60 | ### On Windows open a administrator console. (Windows-Key->Type "cmd"->right-click on it and select "Run as Administrator" from the pop-up) |
||
| 61 | 1 | Redmine Admin | @cd@ to the download location and type @type chain.txt >> "c:\Program Files (x86)\Git\bin\curl-ca-bundle.crt"@ |
| 62 | 30 | Redmine Admin | @ @ |
| 63 | 28 | Redmine Admin | ### On Debian-Linux (as root or sudo) |
| 64 | @cd@ to the doenload location and type @echo chain.txt >> /etc/ssl/certs/ca-certificates.crt@ |
||
| 65 | 30 | Redmine Admin | @ @ |
| 66 | ## For a user-wide installation create a copy of the cURL-certificate-store and append |
||
| 67 | 28 | Redmine Admin | |
| 68 | |||
| 69 | 25 | Redmine Admin | For user-wide installation make a copy of the @*.crt@ file above and place it in your |
| 70 | 17 | Redmine Admin | |
| 71 | |||
| 72 | 2 | Redmine Admin | |
| 73 | 1 | Redmine Admin | |
| 74 | |||
| 75 | To import the certificate chain for GIT follow these steps: |
||
| 76 | 1. Locate the file |
||
| 77 | |||
| 78 | https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain_sha1.txt |
||
| 79 | To import the certificate chain for GIT follow these steps: |
||
| 80 | |||
| 81 | |||
| 82 | or choose one of the following options to skip the certificate verification: |
||
| 83 | - Temporary ignore ssl certificate verification: |
||
| 84 | env GIT_SSL_NO_VERIFY=true git clone https://scm.in.tu-clausthal.de/git/PROJECTNAME |
||
| 85 | |||
| 86 | - Disable ssl verfication for one GIT repository (works after first clone): |
||
| 87 | git config http.sslVerify false |
||
| 88 | |||
| 89 | - Globally disable ssl verification (not recommended!) |
||
| 90 | git config --global http.sslVerify false |