Revision 50 (Redmine Admin, 09/05/2014 07:01 PM) → Revision 51/54 (Redmine Admin, 09/05/2014 07:02 PM)

h1. Resolve SSL certificate error with Git 


 Git uses cURL internally for transferring files. Unfortunately, cURL uses its own certificate store, 
 and the certificate chain used here (Telekom-CA --> DFN-CA --> TU-Clausthal) isn't included by default. 

 Now, when you try to access a Git repository, you will get an error similar to this: 
 Windows 
 <pre> 
 git clone https://scm.in.tu-clausthal.de/git/testgit 
 Cloning into 'testgit'... 
 fatal: unable to access 'https://scm.in.tu-clausthal.de/git/testgit/':  
 SSL certificate problem: unable to get local issuer certificate 
 </pre> 

 Linux 
 <pre> 
 git clone https://scm.in.tu-clausthal.de/git/testgit 
 Cloning into 'testgit'... 
 error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt  
 CRLfile: none while accessing https://scm.in.tu-clausthal.de/git/testgit/info/refs 
 </pre> 

 This is because, by default, cURL does not know the certificate chain in use and therefore rejects the Git operation, which is exactly the right thing to do. 
 The solution is to tell Git/cURL about this chain. There are two ways: 
 # [[Resolve SSL certificate error with Git#the good and secure method|the good and secure method]], which requires installing the certificate chain used here. 
 # the bad and insecure method, which relies on making Git/cURL bypass SSL certificate verification entirely. The bad and insecure method allows a man-in-the-middle attack and should NOT be used. *You have been warned! Don't even think about using it.* If you are really, really, really ... sure about what you are going to do, follow [[the bad and insecure method]]. 

 --- 


 h2(#the good and secure method). The good and secure method to use Git over HTTPS 

 Git uses cURL for transferring files. Unfortunately, the root certificate of the certificate chain used here at the "Clausthal University of Technology":http://www.tu-clausthal.de is not included in the default cURL installation. ("See this page for further information about the TU Clausthal CA":https://doku.tu-clausthal.de/doku.php?id=ssl-zertifikate:start) 

 The certificate chain looks like this:  

 !TUC-Certificate-Chain.png! 

 <pre> 
 "Deutsche Telekom Root CA 2" 
 +--"DFN-Verein PCA Global - G01" 
    +--"TU Clausthal CA - G02" 
       +--"scm.in.tu-clausthal.de" 
 </pre> 


 In order to work securely with Git you need to import the DFN certificate chain into the cURL CA certificates. 
 cURL provides an extract of the CA certificates shipped by Mozilla; the DFN CA chain needs to be appended to it. 
 We provide the step-by-step manual for most operating systems. 

 # Download the DFN certificate chain from the DFN (Deutsches Forschungsnetz): 
 Right-click on "Zertifikatkette anzeigen" and select "Save target as" 
 https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain.txt 
 # Download the "cURL CA certs":http://curl.haxx.se/ca/cacert.pem from the "cURL website":http://curl.haxx.se/docs/caextract.html. 
 # Append the DFN CA chain to the cURL CA certs. 
 For the lazy ones: you can download the already merged attachment:Mozilla-DFN-Certificate-Chain.pem cURL-DFN chain here. 
 # Place the file 'Mozilla-DFN-Certificate-Chain.pem' in your home directory. 
 # Create a new text file '.gitconfig' - or edit the one that probably already exists in your home directory - and add/edit the following two lines: 
 +_*NOTE: Do NOT FORGET to change the path to your home directory!*_+ 
 *NOTE2: Windows users must use a double backslash '\\', UN*X users use a single forward slash '/' as directory separator.* 
 <pre> 
 [http] 
	 sslCAInfo = c:\\Users\\USERNAME\\Mozilla-DFN-Certificate-Chain.pem 
 </pre> 

 That's all. Just run Git and it will work securely. 
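As an added example (not part of the original wiki page), the following POSIX shell functions carry out steps 3 to 5 above: they check that both downloads are complete PEM bundles before concatenating them, verify the merged file contains every certificate from both inputs, and print the two .gitconfig lines. The PEM bodies written by write_constructed_pem are constructed placeholders standing in for the real chain.txt and cacert.pem so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original wiki page. Builds the merged
# Mozilla+DFN CA bundle and emits the [http] section for .gitconfig.

# count_certs FILE: number of PEM certificate blocks in FILE
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_pem FILE: succeed only if FILE holds >=1 complete BEGIN/END pair
# (a truncated download would otherwise silently yield a broken bundle)
check_pem() {
    [ -f "$1" ] || return 1
    b=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# merge_ca_bundles CACERT_PEM DFN_CHAIN OUT: OUT = CACERT_PEM + DFN_CHAIN,
# refusing malformed input and confirming no certificate was lost
merge_ca_bundles() {
    check_pem "$1" || { echo "not a PEM bundle: $1" >&2; return 1; }
    check_pem "$2" || { echo "not a PEM bundle: $2" >&2; return 1; }
    cat "$1" "$2" > "$3"
    [ "$(count_certs "$3")" -eq $(( $(count_certs "$1") + $(count_certs "$2") )) ]
}

# gitconfig_http_section PATH: the two lines to add to .gitconfig
# (Windows users pass the path with doubled backslashes, as on the page)
gitconfig_http_section() {
    printf '[http]\n\tsslCAInfo = %s\n' "$1"
}

# write_constructed_pem FILE N: N fake certificate blocks (constructed
# test data, NOT real certificates) so the example runs without network
write_constructed_pem() {
    : > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
            'MIIBconstructedPlaceholderNotARealCertificate==' \
            '-----END CERTIFICATE-----' >> "$1"
        i=$((i + 1))
    done
}
```

With the real files, call merge_ca_bundles cacert.pem chain.txt "$HOME/Mozilla-DFN-Certificate-Chain.pem" and paste the output of gitconfig_http_section into .gitconfig.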




 --- 

 Note: cURL provides an automatically generated extract of all root certificates from Mozilla. This CA file can be "downloaded here":http://curl.haxx.se/ca/cacert.pem. For more information about cURL certificates head over to "this page":http://curl.haxx.se/docs/caextract.html 

 --- 


 h2. "Found an error or mistake? Missing some information? Create a new issue!":https://scm.in.tu-clausthal.de/projects/redmine-git-svn-help/issues/new