Resolve SSL certificate error with Git » History » Version 53
Redmine Admin, 09/15/2014 12:02 PM
1 | 42 | Redmine Admin | h1. Resolve SSL certificate error with Git |
---|---|---|---|
2 | 1 | Redmine Admin | |
3 | |||
4 | 40 | Redmine Admin | Git uses cURL internally for transfering files. Unfortunately cURL uses its own certificate-store |
5 | 49 | Redmine Admin | and the certificate-chain used here (Telekom-CA-->DFN-CA-->TU-Clausthal) isn't included by default. |
6 | 1 | Redmine Admin | |
7 | 40 | Redmine Admin | Now, when you try to access a Git-repository you will get an error similar to this: |
8 | 28 | Redmine Admin | Windows |
9 | 1 | Redmine Admin | <pre> |
10 | 31 | Redmine Admin | git clone https://scm.in.tu-clausthal.de/git/testgit |
11 | 39 | Redmine Admin | Cloning into 'testgit'... |
12 | 29 | Redmine Admin | fatal: unable to access 'https://scm.in.tu-clausthal.de/git/testgit/': |
13 | SSL certificate problem: unable to get local issuer certificate |
||
14 | 28 | Redmine Admin | </pre> |
15 | |||
16 | Linux |
||
17 | <pre> |
||
18 | 1 | Redmine Admin | git clone https://scm.in.tu-clausthal.de/git/testgit |
19 | Cloning into 'testgit'... |
||
20 | 12 | Redmine Admin | error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt |
21 | CRLfile: none while accessing https://scm.in.tu-clausthal.de/git/testgit/info/refs |
||
22 | 1 | Redmine Admin | </pre> |
23 | |||
24 | 30 | Redmine Admin | This is because by default cURL does not know the used certificate chain and rejects the GIT operation, which is a good thing to do so. |
25 | The solution is to tell Git/cURL about this chain. |
||
26 | 37 | Redmine Admin | @ @ |
27 | 45 | Redmine Admin | # [[Resolve SSL certificate error with Git#the good and secure method|the good and secure method]] which requires to install the certificate chain used here. |
28 | 49 | Redmine Admin | # the bad and insecure method which is based on the fact that GIT/cURL bypasses the SSL certificate verification. The bad and insecure method allows a man-in-the-middle-attack and should NOT be used. *You have been warned! Don't even think about using it.* If you are really, really, really ... sure about what you going to to, follow [[the bad and insecure method]]. |
29 | 12 | Redmine Admin | |
30 | 1 | Redmine Admin | --- |
31 | 15 | Redmine Admin | |
32 | 14 | Redmine Admin | |
33 | 45 | Redmine Admin | h2(#the good and secure method). The good and secure method to use Git over HTTPS |
34 | 12 | Redmine Admin | |
35 | 53 | Redmine Admin | Git uses cURL for transfering files. Unfortunately the root certificate of the certificate chain used here at the "Clausthal University of Technologoy":http://www.tu-clausthal.de is not included in the default cURL installation. ("See this page for further information about TU Clausthal-CA":https://doku.tu-clausthal.de/doku.php?id=ssl-zertifikate:start) |
36 | 40 | Redmine Admin | |
37 | 18 | Redmine Admin | The certificate chain looks like this: |
38 | |||
39 | 22 | Redmine Admin | !TUC-Certificate-Chain.png! |
40 | 18 | Redmine Admin | |
41 | 20 | Redmine Admin | <pre> |
42 | 1 | Redmine Admin | "Deutsche Telekom Root CA 2" |
43 | 21 | Redmine Admin | +--"DFV-Verein PCA Global -G01" |
44 | 52 | Redmine Admin | +--"TU Clausthal CA - G02" |
45 | 21 | Redmine Admin | +--"scm.in.tu-clausthal.de" |
46 | 20 | Redmine Admin | </pre> |
47 | 18 | Redmine Admin | |
48 | 17 | Redmine Admin | |
49 | 49 | Redmine Admin | In order to securely work with Git you need to import the DFN certificate chain into the cURL CA-Certificates. |
50 | cURL provides an extract of CA-Certs from Mozilla in which the DFC-CA-chain needs to be imported. |
||
51 | 25 | Redmine Admin | We will provide the step-by-step-manual for most operating systems. |
52 | 1 | Redmine Admin | |
53 | 40 | Redmine Admin | # Download the DFN-certificate-chain from the DFN (Deutsches Forschungs Netz) |
54 | 49 | Redmine Admin | Right-click on "Zertifikatkette anzeigen" and select "Save target at" |
55 | 52 | Redmine Admin | https://pki.pca.dfn.de/tu-clausthal-ca/pub/cacert/chain.txt |
56 | 50 | Redmine Admin | # Download the "cURL-CA-certs":http://curl.haxx.se/ca/cacert.pem from the "cURL Website":http://curl.haxx.se/docs/caextract.html. |
57 | 1 | Redmine Admin | # Append the DFN-CA-chain to cURL-CA-certs. |
58 | For the lasy ones: You can download the already merged attachment:Mozilla-DFN-Certificate-Chain.pem cURL-DFN-chain here. |
||
59 | 52 | Redmine Admin | # Place the file 'Mozilla-DFN-Certificate-Chain.pem' in your user home directory. |
60 | For example if your logon name is "johndoe" your user home directory would be most likely "C:\Users\johndoe" |
||
61 | 48 | Redmine Admin | # Create a new textfile '.gitconfig' - or edit the probably existing one in your home directory and add/edit the following two lines: |
62 | 52 | Redmine Admin | *%{background:yellow}*NOTE1: Do NOT FORGET to change the path to your home directory! Replace USERNAME in the example below with your logon name.%* |
63 | 48 | Redmine Admin | *NOTE2: Windows users must use a double-backslash '\\', UN*X users use a single forward slash '/' as directory separator. |
64 | <pre> |
||
65 | [http] |
||
66 | sslCAInfo = c:\\Users\\USERNAME\\Mozilla-DFN-Certificate-Chain.pem |
||
67 | </pre> |
||
68 | |||
69 | 49 | Redmine Admin | That's all. Just run Git and it will work securely. |
70 | 40 | Redmine Admin | |
71 | |||
72 | |||
73 | 1 | Redmine Admin | |
74 | 40 | Redmine Admin | --- |
75 | 1 | Redmine Admin | |
76 | 40 | Redmine Admin | Note: cURL provides an automatic extract of all root-certificated from Mozilla. This ca-file can be "downloaded here":http://curl.haxx.se/ca/cacert.pem. For more information about cURL certificates head over to "this page":http://curl.haxx.se/docs/caextract.html |
77 | 1 | Redmine Admin | |
78 | 40 | Redmine Admin | --- |
79 | 1 | Redmine Admin | |
80 | 40 | Redmine Admin | @ @ |
81 | @ @ |
||
82 | 1 | Redmine Admin | |
83 | 40 | Redmine Admin | h2. "Found an error or mistake? Missing some information? Create a new issue!":https://scm.in.tu-clausthal.de/projects/redmine-git-svn-help/issues/new |