Resolve SSL certificate error with Git » History » Version 41
Redmine Admin, 08/11/2014 09:36 AM
| 1 | 41 | Redmine Admin | h1. SSL certificate error with Git |
|---|---|---|---|
| 2 | 1 | Redmine Admin | |
| 3 | |||
| 4 | 40 | Redmine Admin | Git uses cURL internally for transfering files. Unfortunately cURL uses its own certificate-store |
| 5 | 1 | Redmine Admin | and the certificate-chain (Telekom-CA-->DFN-CA-->TU-Clausthal) isn't included by default. |
| 6 | |||
| 7 | 40 | Redmine Admin | Now, when you try to access a Git-repository you will get an error similar to this: |
| 8 | 28 | Redmine Admin | Windows |
| 9 | 1 | Redmine Admin | <pre> |
| 10 | 31 | Redmine Admin | git clone https://scm.in.tu-clausthal.de/git/testgit |
| 11 | 39 | Redmine Admin | Cloning into 'testgit'... |
| 12 | 29 | Redmine Admin | fatal: unable to access 'https://scm.in.tu-clausthal.de/git/testgit/': |
| 13 | SSL certificate problem: unable to get local issuer certificate |
||
| 14 | 28 | Redmine Admin | </pre> |
| 15 | |||
| 16 | Linux |
||
| 17 | <pre> |
||
| 18 | 1 | Redmine Admin | git clone https://scm.in.tu-clausthal.de/git/testgit |
| 19 | Cloning into 'testgit'... |
||
| 20 | 12 | Redmine Admin | error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt |
| 21 | CRLfile: none while accessing https://scm.in.tu-clausthal.de/git/testgit/info/refs |
||
| 22 | 1 | Redmine Admin | </pre> |
| 23 | |||
| 24 | 30 | Redmine Admin | This is because by default cURL does not know the used certificate chain and rejects the GIT operation, which is a good thing to do so. |
| 25 | The solution is to tell Git/cURL about this chain. |
||
| 26 | 37 | Redmine Admin | @ @ |
| 27 | 40 | Redmine Admin | # [[Certificate handling with Git#the good and secure method|the good and secure method]] which requires to install the certificate chain used here. |
| 28 | # the bad and insecure method which is based on the fact that GIT/cURL bypasses the SSL certificate verification. The bad and insecure method allows a man-in-the-middle-attack should NOT be used. *You have been warned! Don't even think about using it.* If you are really, really, really ... sure about what you going to to, follow [[the bad and insecure method]]. |
||
| 29 | 12 | Redmine Admin | |
| 30 | 1 | Redmine Admin | --- |
| 31 | 15 | Redmine Admin | |
| 32 | 14 | Redmine Admin | |
| 33 | 40 | Redmine Admin | h3(#the good and secure method). The good and secure method to use Git over HTTPS |
| 34 | 12 | Redmine Admin | |
| 35 | 40 | Redmine Admin | Git uses cURL for transfering files. Unfortunately the root certificate of the certificate chain used here at the "Clausthal University of Technologoy":http://www.tu-clausthal.de is not included in the default cURL installation. ("See this page for further information about TU Claustha-CA":https://doku.tu-clausthal.de/doku.php?id=ssl-zertifikate:start) |
| 36 | |||
| 37 | 18 | Redmine Admin | The certificate chain looks like this: |
| 38 | |||
| 39 | 22 | Redmine Admin | !TUC-Certificate-Chain.png! |
| 40 | 18 | Redmine Admin | |
| 41 | 20 | Redmine Admin | <pre> |
| 42 | 1 | Redmine Admin | "Deutsche Telekom Root CA 2" |
| 43 | 21 | Redmine Admin | +--"DFV-Verein PCA Global -G01" |
| 44 | 1 | Redmine Admin | +--"TU Clausthal CA - G02"@ |
| 45 | 21 | Redmine Admin | +--"scm.in.tu-clausthal.de" |
| 46 | 20 | Redmine Admin | </pre> |
| 47 | 18 | Redmine Admin | |
| 48 | 17 | Redmine Admin | |
| 49 | 40 | Redmine Admin | In order to securely work with Git you need to import the DFN certificate chain. |
| 50 | 25 | Redmine Admin | We will provide the step-by-step-manual for most operating systems. |
| 51 | 1 | Redmine Admin | |
| 52 | 40 | Redmine Admin | # Download the DFN-certificate-chain from the DFN (Deutsches Forschungs Netz) |
| 53 | 27 | Redmine Admin | Right-click on "Zertifikatkette anzeigen" and select "Save target on" |
| 54 | 1 | Redmine Admin | https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain.txt |
| 55 | # Locate the folder where the git executable is installed. |
||
| 56 | ## On Windows this file is called @curl-ca-bundle.crt@ and its located most likely at @c:\Programs (x86)\Git\bin@ |
||
| 57 | ## On Debian-Linux it is is located at @/etc/ssl/certs/ca-certificates.crt@ |
||
| 58 | # Decide if the certificate-chain should be installed system-wide or just user- or account-wide. |
||
| 59 | ## For a system-wide installation just append the certificate-chain from above to this file- |
||
| 60 | 40 | Redmine Admin | ### On Windows open a administrator console. (Windows-Key->Type "cmd"->right-click on it and select "Run as administrator" from the pop-up) |
| 61 | 1 | Redmine Admin | @cd@ to the download location and type @type chain.txt >> "c:\Program Files (x86)\Git\bin\curl-ca-bundle.crt"@ |
| 62 | @ @ |
||
| 63 | ### On Debian-Linux (as root or sudo) |
||
| 64 | 40 | Redmine Admin | @cd@ to the doenload location and type @cat chain.txt >> /etc/ssl/certs/ca-certificates.crt@ |
| 65 | 1 | Redmine Admin | @ @ |
| 66 | 40 | Redmine Admin | ## For user-wide installation make a copy of the @*.crt@ file above and place it in your home directory. Then append the DFN certiticate-chain to the cURL-certificate-store just like above. |
| 67 | A last step is needed. Tell Git to use this newly edited certificate-store. |
||
| 68 | This can easily be done using @git config --global https.sslCAInfo /path/to/ca-certificates.crt@ |
||
| 69 | 1 | Redmine Admin | |
| 70 | 40 | Redmine Admin | --- |
| 71 | 1 | Redmine Admin | |
| 72 | 40 | Redmine Admin | Note: cURL provides an automatic extract of all root-certificated from Mozilla. This ca-file can be "downloaded here":http://curl.haxx.se/ca/cacert.pem. For more information about cURL certificates head over to "this page":http://curl.haxx.se/docs/caextract.html |
| 73 | 1 | Redmine Admin | |
| 74 | 40 | Redmine Admin | --- |
| 75 | 1 | Redmine Admin | |
| 76 | 40 | Redmine Admin | @ @ |
| 77 | @ @ |
||
| 78 | 1 | Redmine Admin | |
| 79 | 40 | Redmine Admin | h2. "Found an error or mistake? Missing some information? Create a new issue!":https://scm.in.tu-clausthal.de/projects/redmine-git-svn-help/issues/new |