ChatGPT解决这个技术问题 Extra ChatGPT

How can I make git accept a self signed certificate?

Using Git, is there a way to tell it to accept a self signed certificate?

I am using an https server to host a git server but for now the certificate is self signed.

When I try to create the repo there for the first time:

git push origin master -f

I get the error:

error: Cannot access URL     
https://the server/git.aspx/PocketReferences/, return code 22

fatal: git-http-push failed
on OSX/macintosh, it seems like git won't use the sslcainfo option. if you can successfully use curl --cacert to pull your repo path but git isn't working, you should add the certificate to the mysterious OSX Keychain program. more here superuser.com/questions/605900/…
f15ijp.com/2012/08/… one of the best solution which I found
An alternate solution is to use the git protocol (over ssh) instead of https
I had the same problem - but when i logged into a different github account (through my work email authorized on my work laptop) - then I could push to remote git without any SSL related issues

J
Josiah

To permanently accept a specific certificate

Try http.sslCAPath or http.sslCAInfo. Adam Spiers's answer gives some great examples. This is the most secure solution to the question.

To disable TLS/SSL verification for a single git command

try passing -c to git with the proper config variable, or use Flow's answer:

git -c http.sslVerify=false clone https://example.com/path/to/git

To disable SSL verification for all repositories

It is possible to globally deactivate ssl verification. It is highly recommended to NOT do this but it is mentioned for completeness:

git config --global http.sslVerify false # Do NOT do this!

There are quite a few SSL configuration options in git. From the man page of git config:

http.sslVerify
    Whether to verify the SSL certificate when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_NO_VERIFY environment variable.

http.sslCAInfo
    File containing the certificates to verify the peer with when fetching or pushing
    over HTTPS. Can be overridden by the GIT_SSL_CAINFO environment variable.

http.sslCAPath
    Path containing files with the CA certificates to verify the peer with when
    fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_CAPATH environment variable.

A few other useful SSL configuration options:

http.sslCert
    File containing the SSL certificate when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_CERT environment variable.

http.sslKey
    File containing the SSL private key when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_KEY environment variable.

http.sslCertPasswordProtected
    Enable git's password prompt for the SSL certificate. Otherwise OpenSSL will
    prompt the user, possibly many times, if the certificate or private key is encrypted.
    Can be overridden by the GIT_SSL_CERT_PASSWORD_PROTECTED environment variable.

You should never globally disable TLS(/SSL) certificate verification.
@Flow -- I completely concur. I've edited this (now quite old) answer to be more polemical about disabling TLS/SSL cert verification.
@Flow If we are in a work environment where our employer is the MITM, what alternative is there to globally disabling TLS/SSL?
As Steven Vascellaro pointed out: if the only way out from a company network is the companies proxy the certificates that have to be dealt with are the certificates of the company and for the protection against MITMs has that proxy to care for. So in that case git config --global http.sslVerify false is no security issue.
Why not use git config --local http.sslVerify false for the affected Git project?
M
Maarten Bodewes

You can set GIT_SSL_NO_VERIFY to true:

GIT_SSL_NO_VERIFY=true git clone https://example.com/path/to/git

or alternatively configure Git not to verify the connection on the command line:

git -c http.sslVerify=false clone https://example.com/path/to/git

Note that if you don't verify SSL/TLS certificates, then you are susceptible to MitM attacks.


@SkylarSaveland Note that git -c http.sslVerify=false <gitSubCommand> can also work through intermediaries.
this: git config http.sslVerify false, work to me.. thanks
Answer describes only the least secure option.
A
Adam Spiers

I'm not a huge fan of the [EDIT: original versions of the] existing answers, because disabling security checks should be a last resort, not the first solution offered. Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent git operations at least makes life a lot harder for attacks which only occur after you have downloaded the certificate. In other words, if the certificate you downloaded is genuine, then you're good from that point onwards. In contrast, if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point.

To give a specific example: the famous repo.or.cz repository provides a self-signed certificate. I can download that file, place it somewhere like /etc/ssl/certs, and then do:

# Initial clone
GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
    git clone https://repo.or.cz/org-mode.git

# Ensure all future interactions with origin remote also work
cd org-mode
git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem

Note that using local git config here (i.e. without --global) means that this self-signed certificate is only trusted for this particular repository, which is nice. It's also nicer than using GIT_SSL_CAPATH since it eliminates the risk of git doing the verification via a different Certificate Authority which could potentially be compromised.


Coincidentally, http.sslCAPath uses libcurl's ssl_capath logic. I think you could actually store any number of certs in the /etc/ssl/certs/ directory and it'd efficiently sort out everything you need. I haven't tested this, mind you, but it might allow you go use a --global with a whole bunch of certs. Worth testing, however.
Considering the risks of disabling SSL verification altogether, and the fact the question was "how can I make git accept a self signed certificate?", this should be the accepted answer.
In an ideal world, there would be something like git config http.validCertFingerprint <base64-encoded-hash-of-certifcate>
@AdamSpiers: So repo.or.cz provides a self-signed certificate, but does GitHub?
From a fresh clone; this can be done in a single line: git clone --config http.sslCAInfo=<path_to_cert> https://repo.or.cz/org-mode.git (No need to call a 'git config' command after).
J
Josh Peak

Git Self-Signed Certificate Configuration

tl;dr

NEVER disable all SSL verification! This creates a bad security culture. Don't be that person.

The config keys you are after are:

http.sslverify - Always true. See above note.

These are for configuring host certificates you trust

http.sslCAPath

http.sslCAInfo

These are for configuring YOUR certificate to respond to SSL challenges.

http.sslCert

http.sslCertPasswordProtected

Selectively apply the above settings to specific hosts.

http..*

Global .gitconfig for Self-Signed Certificate Authorities

For my own and my colleagues' sake here is how we managed to get self signed certificates to work without disabling sslVerify. Edit your .gitconfig to using git config --global -e add these:

# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[credential "https://your.domain.com"]
  username = user.name

  # Uncomment the credential helper that applies to your platform
  # Windows
  # helper = manager

  # OSX
  # helper = osxkeychain

  # Linux (in-memory credential helper)
  # helper = cache

  # Linux (permanent storage credential helper)
  # https://askubuntu.com/a/776335/491772

# Specify the scheme and host as a 'context' that only these settings apply 
# Must use Git v1.8.5+ for these contexts to work
[http "https://your.domain.com"]
  ##################################
  # Self Signed Server Certificate #
  ##################################

  # MUST be PEM format
  # Some situations require both the CAPath AND CAInfo 
  sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
  sslCAPath = /path/to/selfCA/
  sslVerify = true

  ###########################################
  # Private Key and Certificate information #
  ###########################################

  # Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE, 
  # not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
  sslCert = /path/to/privatekey/myprivatecert.pem

  # Even if your PEM file is password protected, set this to false.
  # Setting this to true always asks for a password even if you don't have one.
  # When you do have a password, even with this set to false it will prompt anyhow. 
  sslCertPasswordProtected = 0

References:

Git Credentials

Git Credential Store

Using Gnome Keyring as credential store

Git Config http..* Supported from Git v1.8.5

Specify config when git clone-ing

If you need to apply it on a per repo basis, the documentation tells you to just run git config --local in your repo directory. Well that's not useful when you haven't got the repo cloned locally yet now is it?

You can do the global -> local hokey-pokey by setting your global config as above and then copy those settings to your local repo config once it clones...

OR what you can do is specify config commands at git clone that get applied to the target repo once it is cloned.

# Declare variables to make clone command less verbose     
OUR_CA_PATH=/path/to/selfCA/
OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crt
MY_PEM_FILE=/path/to/privatekey/myprivatecert.pem
SELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"

# With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.
git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/

One Liner

EDIT: See VonC's answer that points out a caveat about absolute and relative paths for specific git versions from 2.14.x/2.15 to this one liner

git clone -c http.sslCAPath="/path/to/selfCA" -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" -c http.sslVerify=1 -c http.sslCert="/path/to/privatekey/myprivatecert.pem" -c http.sslCertPasswordProtected=0 https://mygit.server.com/projects/myproject.git myproject/

CentOS unable to load client key

If you are trying this on CentOS and your .pem file is giving you

unable to load client key: "-8178 (SEC_ERROR_BAD_KEY)"

Then you will want this StackOverflow answer about how curl uses NSS instead of Open SSL.

And you'll like want to rebuild curl from source:

git clone http://github.com/curl/curl.git curl/
cd curl/
# Need these for ./buildconf
yum install autoconf automake libtool m4 nroff perl -y
#Need these for ./configure
yum install openssl-devel openldap-devel libssh2-devel -y

./buildconf
su # Switch to super user to install into /usr/bin/curl
./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/
make
make install

restart computer since libcurl is still in memory as a shared library

Python, pip and conda

Related: How to add a custom CA Root certificate to the CA Store used by pip in Windows?


I had to make sure the Self-Signed server certificate was in PEM format before Git would accept it. Also, some of the above answers indicate that one only needs to provide the path to the cert's folder using http.sslCAPath. In my case, I had to use http.sslCAInfo to specify the specific file. Doing allowed Git to connect to our private GitHub without disabling SSL validation.
@Zarepheth Thanks for that information. I ran into the same issue requiring both CAPath and CAInfo. Since our CA Cert was PEM format I overlooked documenting it. I have updated the answer with these additions. Glad you were able to get connected securely.
This is probably the best long term "fix" answer if you are forced to use HTTPS to clone and can't just use SSH to bypass the certificate mess.
I was about to add this answer! Glad that someone else already discovered it.
A
AperioOculus

This answer is excerpted from this article authored by Michael Kauffman.

Use Git for Windows with a corporate SSL certificate

Issue:

If you have a corporate SSL certificate and want to clone your repo from the console or VSCode you get the following error:

fatal: unable to access ‘https://myserver/tfs/DefaultCollection/_git/Proj/’: SSL certificate problem: unable to get local issuer certificate

Solution:

Export the root self-signed Certificate to a file. You can do this from within your browser. Locate the “ca-bundle.crt” file in your git folder (current version C:\Program Files\Git\usr\ssl\certs but is has changed in the past). Copy the file to your user profile. Open it with a text editor like VSCode and add the content of your exported certificate to the end of the file.

Now we have to configure git to use the new file:

git config --global http.sslCAInfo C:/Users/<yourname>/ca-bundle.crt

This will add the following entry to your .gitconfig file in the root of your user profile.

[http] sslCAInfo = C:/Users/<yourname>/ca-bundle.crt


Thank you, I found this answer the easier and safer for Windows.
How to export certificate to a file from browser: medium.com/@menakajain/…
This answer helped me especially when you are working in a Company's Enterprise Network.
P
Palash Roy

It’s not a good practice to set http.sslVerify false. Instead we can use SSL certificate.

https://i.stack.imgur.com/UwOFc.png

https://i.stack.imgur.com/L9cpG.png

https://i.stack.imgur.com/CBmPV.png

Copy the content of cer file including –begin—and –end--.

git bash on build agent => git config –global http.sslcainfo “C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt” Go to this file and append the .cer content.

Thus, build agent can access the SSL certificate


Will it require any system restart, i appended and it still shows the same error as given in OP in git bash
Please try once with restarting the build agent.
C
Craig

I keep coming across this problem, so have written a script to download the self signed certificate from the server and install it to ~/.gitcerts, then update git-config to point to these certificates. It is stored in global config, so you only need to run it once per remote.

https://github.com/iwonbigbro/tools/blob/master/bin/git-remote-install-cert.sh


Nice, although it would be even nicer to have the option to use local config instead of global.
You could always fork it and remove the --global option ;-)
This is pretty great, does it come in batch?
F
Flaviu

Using 64bit version of Git on Windows, just add the self signed CA certificate into these files :

C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt

C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.trust.crt

If it is just a server self signed certificate add it into

C:\Program Files\Git\mingw64\ssl\cert.pem


This was the best way to deal with our company firewall that re-signs all HTTPS traffic. I just took the PEM formatted crt file of the firewall certificate as text and copy pasted it to ca-bundle and it works like a charm.
Followed this , but still the same error
V
VonC

Be careful when you are using one liner using sslKey or sslCert, as in Josh Peak's answer:

git clone -c http.sslCAPath="/path/to/selfCA" \
  -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" \
  -c http.sslVerify=1 \
  -c http.sslCert="/path/to/privatekey/myprivatecert.pem" \
  -c http.sslCertPasswordProtected=0 \
https://mygit.server.com/projects/myproject.git myproject

Only Git 2.14.x/2.15 (Q3 2015) would be able to interpret a path like ~username/mykey correctly (while it still can interpret an absolute path like /path/to/privatekey).

See commit 8d15496 (20 Jul 2017) by Junio C Hamano (gitster).
Helped-by: Charles Bailey (hashpling).
(Merged by Junio C Hamano -- gitster -- in commit 17b1e1d, 11 Aug 2017)

http.c: http.sslcert and http.sslkey are both pathnames Back when the modern http_options() codepath was created to parse various http.* options at 29508e1 ("Isolate shared HTTP request functionality", 2005-11-18, Git 0.99.9k), and then later was corrected for interation between the multiple configuration files in 7059cd9 ("http_init(): Fix config file parsing", 2009-03-09, Git 1.6.3-rc0), we parsed configuration variables like http.sslkey, http.sslcert as plain vanilla strings, because git_config_pathname() that understands "~[username]/" prefix did not exist. Later, we converted some of them (namely, http.sslCAPath and http.sslCAInfo) to use the function, and added variables like http.cookeyFile http.pinnedpubkey to use the function from the beginning. Because of that, these variables all understand "~[username]/" prefix. Make the remaining two variables, http.sslcert and http.sslkey, also aware of the convention, as they are both clearly pathnames to files.


H
Henk

Check your antivirus and firewall settings.

From one day to the other, git did not work anymore. With what is described above, I found that Kaspersky puts a self-signed Anti-virus personal root certificate in the middle. I did not manage to let Git accept that certificate following the instructions above. I gave up on that. What works for me is to disable the feature to Scan encrypted connections.

Open Kaspersky Settings > Additional > Network > Do not scan encrypted connections

After this, git works again with sslVerify enabled.

Note. This is still not satisfying for me, because I would like to have that feature of my Anti-Virus active. In the advanced settings, Kaspersky shows a list of websites that will not work with that feature. Github is not listed as one of them. I will check it at the Kaspersky forum. There seem to be some topics, e.g. https://forum.kaspersky.com/index.php?/topic/395220-kis-interfering-with-git/&tab=comments#comment-2801211


w
wero026

On Windows this worked for me:

Add the content of your self signed certificate to the end of the ca-bundle file. Including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines

The location of the ca-bundle file is usually C:\Program Files\Git\mingw64\ssl\certs

Afterwards, add the path of the ca-bundle file to the global git config. The following command does the trick: git config --global http.sslCAInfo "C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt"

Remark: The Path depends on your local path of the ca-bundle file!


a
adamc

A note about the http.sslCAPath option: git will only detect certificate files in the given directory path if the OpenSSL c_rehash command has been run on the directory containing the certificate files. The c_rehash command will create symbolic links for each certificate where the name of the link is the hash value. For example:

$ cd /path/to/ssl/cert/directory

$ ls -al

  total 16
  drwxr-xr-x  3 user  staff    96 Oct 20 13:47 .
  drwxr-xr-x  4 user  staff   128 Oct 20 13:46 ..
  -rw-r--r--  1 user  staff  4832 Oct 20 13:47 google.pem

$ /usr/local/opt/openssl@1.1/bin/c_rehash ./

  Doing ./

$ ls -al

  total 16
  drwxr-xr-x  4 user  staff   128 Oct 20 13:58 .
  drwxr-xr-x  4 user  staff   128 Oct 20 13:46 ..
  lrwxr-xr-x  1 user  staff    10 Oct 20 13:58 f6dbf7a7.0 -> google.pem
  -rw-r--r--  1 user  staff  4832 Oct 20 13:47 google.pem

Notice that the c_rehash command has created the following symbolic link: f6dbf7a7.0 -> google.pem.

You can also substitute the following command for the c_rehash utility, although note that the following command will only process *.pem files, while the c_rehash utility will process .pem, .crt, .cer, or .crl files:

for file in *.pem; do ln -s $file `openssl x509 -hash -noout -in $file`.0; done

If you now configure http.sslCAPath to the directory containing the above symbolic link, git will pick up the certificate file:

# contents of /etc/gitconfig
[http]
        sslCAPath = /path/to/ssl/cert/directory/

You can also configure http.sslCAPath by using an environment variable:

export GIT_SSL_CAPATH=/path/to/ssl/cert/directory/

l
love gupta

I use a windows machine and this article helped me. Basically I opened ca-bundle.crt in notepad and added chain certificates in it (all of them). This issue usually happens for company networks where we have middle men sitting between system and git repo. We need to export all of the certs in cert chain except leaf cert in base 64 format and add all of them to ca-bundle.crt and then configure git for this modified crt file.


The linked article solved it for me, thank you.
R
RahulMohan Kolakandy

In the .gitconfig file you can add the below given value to make the self signed cert acceptable

sslCAInfo = /home/XXXX/abc.crt


This is equivalent to the second step in Adam's answer
M
Manjuboyz

My answer may be late but it worked for me. It may help somebody.

I tried above mentioned steps and that didn't solved the issue.

try thisgit config --global http.sslVerify false


It is a very bad idea to use --global to disable sslVerify. This link can help explain a better way to go about this problem and why you shouldn't use --global. mattferderer.com/…
T
Tadej

I do it like this:

git init
git config --global http.sslVerify false
git clone https://myurl/myrepo.git

Don't use --global ! A lot of tutorials show --global but it's a very bad idea in general and for http.sslVerify in particular. As soon as you have more then one clone from different projects, companies, teams on the computer you can quickly run into trouble. For example user id and emails leaking from one project to the next can be quite embarrassing. And using --global on http.sslVerify can open you up to all sorts security issues. So: Don't use --global — unless you are fully aware of the side effects and are prepared to take the risk.
A
Atchutha rama reddy Karri

It works for me just run following command

git config --global http.sslVerify false

it will open a git credentials window give your credentials . for first time only it ask


This answer has already been posted multiple times.