Resolve SSL certificate error with Git » History » Revision 40
Revision 39 (Redmine Admin, 08/07/2014 08:05 AM) → Revision 40/54 (Redmine Admin, 08/07/2014 08:42 AM)
h1. SSL certificate handling with Git

Git uses cURL internally for transferring files. Unfortunately cURL uses its own certificate store, and the certificate chain used here (Telekom CA --> DFN CA --> TU Clausthal) isn't included by default. So when you try to access a Git repository over HTTPS you will get an error similar to this:

Windows

<pre>
git clone https://scm.in.tu-clausthal.de/git/testgit
Cloning into 'testgit'...
fatal: unable to access 'https://scm.in.tu-clausthal.de/git/testgit/': SSL certificate problem: unable to get local issuer certificate
</pre>

Linux

<pre>
git clone https://scm.in.tu-clausthal.de/git/testgit
Cloning into 'testgit'...
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://scm.in.tu-clausthal.de/git/testgit/info/refs
</pre>

This happens because by default cURL does not know the certificate chain in use and therefore rejects the Git operation, which is the right thing to do. The solution is to tell Git/cURL about this chain. There are two ways to do that:

# [[Certificate handling with Git#the good and secure method|the good and secure method]], which requires installing the certificate chain used here;
# [[the bad and insecure method]], which relies on the fact that Git/cURL can be told to bypass SSL certificate verification.

The [[the bad and insecure method]] allows a man-in-the-middle attack and really should NOT be used. *You have been warned! Don't even think about using it.* If you are really, really, really ... sure about what you are going to do, follow [[the bad and insecure method]].

---

h3(#the good and secure method). The good and secure method to use Git over HTTPS

Git uses cURL for transferring files. Unfortunately the root certificate of the certificate chain used here at the "Clausthal University of Technology":http://www.tu-clausthal.de is not included in the default cURL installation.
("See this page for further information about the TU Clausthal CA":https://doku.tu-clausthal.de/doku.php?id=ssl-zertifikate:start)

The certificate chain looks like this:

!TUC-Certificate-Chain.png!

<pre>
"Deutsche Telekom Root CA 2"
 +--"DFN-Verein PCA Global - G01"
     +--"TU Clausthal CA - G02"
         +--"scm.in.tu-clausthal.de"
</pre>

In order to work securely with Git you need to import the DFN certificate chain. We provide a step-by-step manual for the most common operating systems.

# Download the DFN certificate chain from the DFN (Deutsches Forschungsnetz): right-click on "Zertifikatkette anzeigen" and select "Save target as": https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain.txt (the DFN also publishes the chain as https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain_sha1.txt).
# Locate the cURL certificate store used by your Git installation.
## On Windows this file is called @curl-ca-bundle.crt@ and is most likely located at @C:\Program Files (x86)\Git\bin@.
## On Debian Linux it is located at @/etc/ssl/certs/ca-certificates.crt@.
# Decide whether the certificate chain should be installed system-wide or just for your user account.
## For a system-wide installation, append the certificate chain from above to this file:
### On Windows open an administrator console (Windows key -> type "cmd" -> right-click on it and select "Run as administrator" from the pop-up), @cd@ to the download location and type @type chain.txt >> "C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt"@
### On Debian Linux (as root or with sudo) @cd@ to the download location and type @cat chain.txt >> /etc/ssl/certs/ca-certificates.crt@
## For a user-wide installation, make a copy of the cURL certificate store (the @*.crt@ file located above), place it in your home directory and append the certificate chain to that copy.
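The append step above is not idempotent: running @cat chain.txt >> store@ a second time stores the chain twice. The script below is an added example, not part of this wiki page, that merges a PEM chain into a user-wide copy of the store while skipping certificates that are already present (compared by the SHA-256 of their DER bytes) and prints the matching @git config@ line; the @fake_cert@ helper and all paths are constructed for the demo and are not real certificates.

```python
# Added example (not from the wiki page): merge a PEM chain into a CA bundle
# without duplicating entries, then show how to point Git at the bundle copy.
import base64
import hashlib
import re
import shlex

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Yield (sha256 of DER, normalised PEM text) for each certificate in text."""
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())        # drop line breaks inside the block
        der = base64.b64decode(b64)        # hash DER so line wrapping does not matter
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
        yield hashlib.sha256(der).hexdigest(), pem

def merge_chain(bundle_text, chain_text):
    """Return (new bundle text, number of certificates appended)."""
    have = {digest for digest, _ in pem_blocks(bundle_text)}
    out = bundle_text
    if out and not out.endswith("\n"):     # else the next BEGIN line is glued onto the last line
        out += "\n"
    added = 0
    for digest, pem in pem_blocks(chain_text):
        if digest in have:                 # already in the store: do not append it again
            continue
        out += pem
        have.add(digest)
        added += 1
    return out, added

def git_config_command(store_path):
    """The command that tells Git to use the user-wide copy of the store."""
    return "git config --global http.sslCAInfo " + shlex.quote(store_path)

def fake_cert(label):
    """Constructed PEM block for the demo; the payload is NOT a real certificate."""
    b64 = base64.b64encode(("constructed " + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    bundle = "# constructed CA bundle copy\n" + fake_cert("root")  # root already present
    chain = fake_cert("root") + fake_cert("intermediate") + fake_cert("server")
    merged, added = merge_chain(bundle, chain)
    print(added, "certificate(s) appended")                        # 2, not 3
    print(git_config_command("/home/user/ca-certificates.crt"))   # hypothetical path
```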
A last step is needed: tell Git to use this newly edited certificate store (strictly required for the user-wide copy, since Git would otherwise keep reading the original store). This can easily be done using @git config --global http.sslCAInfo /path/to/ca-certificates.crt@

Alternatively you can choose one of the following options to skip the certificate verification, which is [[the bad and insecure method]] from above:

* Temporarily ignore SSL certificate verification: @env GIT_SSL_NO_VERIFY=true git clone https://scm.in.tu-clausthal.de/git/PROJECTNAME@
* Disable SSL verification for one Git repository (works after the first clone): @git config http.sslVerify false@
* Globally disable SSL verification (not recommended!): @git config --global http.sslVerify false@

---

Note: cURL provides an automatic extract of all root certificates from Mozilla. This CA file can be "downloaded here":http://curl.haxx.se/ca/cacert.pem. For more information about cURL certificates head over to "this page":http://curl.haxx.se/docs/caextract.html

---

h2. "Found an error or mistake? Missing some information? Create a new issue!":https://scm.in.tu-clausthal.de/projects/redmine-git-svn-help/issues/new