Resolve SSL certificate error with Git » History » Version 33
Redmine Admin, 08/06/2014 09:33 PM
1 | 24 | Redmine Admin | h1. SSL certificate handling with GIT |
---|---|---|---|
2 | 1 | Redmine Admin | |
3 | |||
4 | GIT uses cURL internally for transfering files. Unfortunately cURL uses its own certificate-store |
||
5 | and the certificate-chain (Telekom-CA-->DFN-CA-->TU-Clausthal) isn't included by default. |
||
6 | |||
7 | Now, when you try to access a GIT-repository you will get an error similar to this: |
||
8 | 28 | Redmine Admin | Windows |
9 | 1 | Redmine Admin | <pre> |
10 | 31 | Redmine Admin | git clone https://scm.in.tu-clausthal.de/git/testgit |
11 | 1 | Redmine Admin | Cloning into 'stuko1'... |
12 | 29 | Redmine Admin | fatal: unable to access 'https://scm.in.tu-clausthal.de/git/testgit/': |
13 | SSL certificate problem: unable to get local issuer certificate |
||
14 | 28 | Redmine Admin | </pre> |
15 | |||
16 | Linux |
||
17 | <pre> |
||
18 | 1 | Redmine Admin | git clone https://scm.in.tu-clausthal.de/git/testgit |
19 | Cloning into 'testgit'... |
||
20 | 12 | Redmine Admin | error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt |
21 | CRLfile: none while accessing https://scm.in.tu-clausthal.de/git/testgit/info/refs |
||
22 | 1 | Redmine Admin | </pre> |
23 | |||
24 | 30 | Redmine Admin | This is because by default cURL does not know the used certificate chain and rejects the GIT operation, which is a good thing to do so. |
25 | The solution is to tell Git/cURL about this chain. |
||
26 | # [[Certificate handling with GIT#the good and secure method|the good and secure method]] which requires to install the certificate chain used here. |
||
27 | 1 | Redmine Admin | # [[the bad and insecure method]] which are based on the fact that GIT/cURL bypasses the SSL certificate verification. |
28 | |||
29 | 33 | Redmine Admin | The [[bad and insecure method]] allows a man-in-the-middle-attack and really should NOT be used. *You have been warned! Don't even think about using it.* If you are really, really, really ... sure about what you going to to, follow [[the bad and insecure method]]. |
30 | 12 | Redmine Admin | |
31 | 15 | Redmine Admin | --- |
32 | 14 | Redmine Admin | |
33 | |||
34 | 12 | Redmine Admin | h3(#the good and secure method). The good and secure method to use GIT over HTTPS |
35 | |||
36 | 17 | Redmine Admin | GIT uses cURL for transfering files. Unfortunately the root certificate of the certificate chain used here at the "Clausthal University of Technologoy":http://www.tu-clausthal.de is not included in the default cURL installation. ("See this page for further information about TU Claustha-CA":https://doku.tu-clausthal.de/doku.php?id=ssl-zertifikate:start) |
37 | 18 | Redmine Admin | The certificate chain looks like this: |
38 | |||
39 | 22 | Redmine Admin | !TUC-Certificate-Chain.png! |
40 | 18 | Redmine Admin | |
41 | 20 | Redmine Admin | <pre> |
42 | "Deutsche Telekom Root CA 2" |
||
43 | 21 | Redmine Admin | +--"DFV-Verein PCA Global -G01" |
44 | +--"TU Clausthal CA - G02"@ |
||
45 | +--"scm.in.tu-clausthal.de" |
||
46 | 20 | Redmine Admin | </pre> |
47 | 18 | Redmine Admin | |
48 | 17 | Redmine Admin | |
49 | In order to securely work with GIT you need to import the certificate chain. |
||
50 | 25 | Redmine Admin | We will provide the step-by-step-manual for most operating systems. |
51 | 1 | Redmine Admin | |
52 | 26 | Redmine Admin | # Download the certificate-chain from the DFN (Deutsches Forschungs Netz) |
53 | 27 | Redmine Admin | Right-click on "Zertifikatkette anzeigen" and select "Save target on" |
54 | 25 | Redmine Admin | https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain.txt |
55 | 26 | Redmine Admin | # Locate the folder where the git executable is installed. |
56 | ## On Windows this file is called @curl-ca-bundle.crt@ and its located most likely at @c:\Programs (x86)\Git\bin@ |
||
57 | 1 | Redmine Admin | ## On Debian-Linux it is is located at @/etc/ssl/certs/ca-certificates.crt@ |
58 | # Decide if the certificate-chain should be installed system-wide or just user- or account-wide. |
||
59 | 27 | Redmine Admin | ## For a system-wide installation just append the certificate-chain from above to this file- |
60 | ### On Windows open a administrator console. (Windows-Key->Type "cmd"->right-click on it and select "Run as Administrator" from the pop-up) |
||
61 | 1 | Redmine Admin | @cd@ to the download location and type @type chain.txt >> "c:\Program Files (x86)\Git\bin\curl-ca-bundle.crt"@ |
62 | 30 | Redmine Admin | @ @ |
63 | 28 | Redmine Admin | ### On Debian-Linux (as root or sudo) |
64 | @cd@ to the doenload location and type @echo chain.txt >> /etc/ssl/certs/ca-certificates.crt@ |
||
65 | 30 | Redmine Admin | @ @ |
66 | ## For a user-wide installation create a copy of the cURL-certificate-store and append |
||
67 | 28 | Redmine Admin | |
68 | |||
69 | 25 | Redmine Admin | For user-wide installation make a copy of the @*.crt@ file above and place it in your |
70 | 17 | Redmine Admin | |
71 | |||
72 | 2 | Redmine Admin | |
73 | 1 | Redmine Admin | |
74 | |||
75 | To import the certificate chain for GIT follow these steps: |
||
76 | 1. Locate the file |
||
77 | |||
78 | https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain_sha1.txt |
||
79 | To import the certificate chain for GIT follow these steps: |
||
80 | |||
81 | |||
82 | or choose one of the following options to skip the certificate verification: |
||
83 | - Temporary ignore ssl certificate verification: |
||
84 | env GIT_SSL_NO_VERIFY=true git clone https://scm.in.tu-clausthal.de/git/PROJECTNAME |
||
85 | |||
86 | - Disable ssl verfication for one GIT repository (works after first clone): |
||
87 | git config http.sslVerify false |
||
88 | |||
89 | - Globally disable ssl verification (not recommended!) |
||
90 | git config --global http.sslVerify false |