How can I make git accept a self signed certificate?
Using Git, is there a way to tell it to accept a self-signed certificate?
I am using an https server to host a git server, but for now the certificate is self-signed.
When I first try to create the repo there:
    git push origin master -f
I get the error:
    error: Cannot access URL https://the server/git.aspx/PocketReferences/, return code 22
    fatal: git-http-push failed
To permanently accept a specific certificate
Try
To disable TLS/SSL verification for a single git command
Try using the proper configuration variable:
    git -c http.sslVerify=false clone https://example.com/path/to/git
To disable SSL verification for a specific repository
If the repository is completely under your control, you can try:
    git config http.sslVerify false
Disabling TLS(/SSL) certificate verification globally is a terribly insecure practice. Don't do it. Don't use
    http.sslVerify
        Whether to verify the SSL certificate when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_NO_VERIFY environment variable.
    http.sslCAInfo
        File containing the certificates to verify the peer with when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_CAINFO environment variable.
    http.sslCAPath
        Path containing files with the CA certificates to verify the peer with when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_CAPATH environment variable.
Some other useful SSL configuration options:
    http.sslCert
        File containing the SSL certificate when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_CERT environment variable.
    http.sslKey
        File containing the SSL private key when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_KEY environment variable.
    http.sslCertPasswordProtected
        Enable git's password prompt for the SSL certificate. Otherwise OpenSSL will prompt the user, possibly many times, if the certificate or private key is encrypted. Can be overridden by the GIT_SSL_CERT_PASSWORD_PROTECTED environment variable.
You can set
    GIT_SSL_NO_VERIFY=true git clone https://example.com/path/to/git
or alternatively configure Git not to verify the connection on the command line:
    git -c http.sslVerify=false clone https://example.com/path/to/git
Note that if you don't verify SSL/TLS certificates, then you are susceptible to MitM attacks.
I'm not a big fan of [EDIT: the original versions of] the existing answers, because disabling security checks should be a last resort, not the first solution offered. Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent
To give a concrete example: the famous
    # Initial clone
    GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
      git clone https://repo.or.cz/org-mode.git

    # Ensure all future interactions with origin remote also work
    cd org-mode
    git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem
Note that using local
Git self-signed certificate configuration
TL;DR
NEVER disable all SSL verification!
This creates a bad security culture. Don't be that person.
The config keys you are after are:
- http.sslverify - always true. See note above.
These are to configure host certificates you trust:
- http.sslCAPath
- http.sslCAInfo
These are to configure your certificate to respond to SSL challenges:
- http.sslCert
- http.sslCertPasswordProtected
Selectively apply the above settings to specific hosts:
- http.<url>.*
Global config for a self-signed certificate authority
For myself and my colleagues, here is how we managed to get self-signed certs working without disabling
    # Specify the scheme and host as a 'context' that only these settings apply
    # Must use Git v1.8.5+ for these contexts to work
    [credential "https://your.domain.com"]
        username = user.name
        # Uncomment the credential helper that applies to your platform
        # Windows
        # helper = manager
        # OSX
        # helper = osxkeychain
        # Linux (in-memory credential helper)
        # helper = cache
        # Linux (permanent storage credential helper)
        # https://askubuntu.com/a/776335/491772

    # Specify the scheme and host as a 'context' that only these settings apply
    # Must use Git v1.8.5+ for these contexts to work
    [http "https://your.domain.com"]
        ##################################
        # Self Signed Server Certificate #
        ##################################

        # MUST be PEM format
        # Some situations require both the CAPath AND CAInfo
        sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
        sslCAPath = /path/to/selfCA/
        sslVerify = true

        ###########################################
        # Private Key and Certificate information #
        ###########################################

        # Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE,
        # not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
        sslCert = /path/to/privatekey/myprivatecert.pem

        # Even if your PEM file is password protected, set this to false.
        # Setting this to true always asks for a password even if you don't have one.
        # When you do have a password, even with this set to false it will prompt anyhow.
        sslCertPasswordProtected = 0
References:
- Git Credentials
- Git Credential Store
- Using Gnome Keyring as credential store
- Git Config http.<url>.* Git v1.8.5 support
If you need to apply it on a per-repo basis, the documentation tells you to just run, in the repo directory,
You can do it by setting the global config as above
Or, what you can do is in
    # Declare variables to make clone command less verbose
    OUR_CA_PATH=/path/to/selfCA/
    OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crt
    MY_PEM_FILE=/path/to/privatekey/myprivatecert.pem
    SELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"

    # With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.
    git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/
One liner
EDIT: see VonC's answer, which points out a caveat about absolute and relative paths for specific git versions from 2.14.x / 2.15 with this one liner
    git clone -c http.sslCAPath="/path/to/selfCA" -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" -c http.sslVerify=1 -c http.sslCert="/path/to/privatekey/myprivatecert.pem" -c http.sslCertPasswordProtected=0 https://mygit.server.com/projects/myproject.git myproject/
CentOS
If you are trying this on CentOS and your
    unable to load client key:"-8178 (SEC_ERROR_BAD_KEY)"
then you will need this StackOverflow answer about how
You will want to rebuild from source:
    git clone http://github.com/curl/curl.git curl/
    cd curl/
    # Need these for ./buildconf
    yum install autoconf automake libtool m4 nroff perl -y
    # Need these for ./configure
    yum install openssl-devel openldap-devel libssh2-devel -y

    ./buildconf
    su # Switch to super user to install into /usr/bin/curl
    ./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/
    make
    make install
Reboot the computer, since libcurl is still in memory as a shared library.
Python, pip and conda
Related: How to add a custom CA Root certificate to the CA Store used by pip in Windows?
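The answers above come down to two rules: scope trust in the self-signed CA to one host (the [http "https://…"] section in the config above) and never leave an unscoped sslVerify = false behind. The script below is an added example, not code from any answer on this page: it generates the host-scoped section and audits a gitconfig for the global opt-out that "git config --global http.sslVerify false" writes. The host name, paths and sample configs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the page's answers). Two helpers:
#   write_scoped_trust  - emits a host-scoped [http "https://HOST"] section
#   audit_gitconfig     - flags an unscoped [http] section that turns sslVerify off
# Host name, CA path and sample configs below are constructed placeholders.

# write_scoped_trust HOST CA_FILE
# The CA file is trusted for HOST only; sslVerify stays true, so every other
# remote is still checked against the system trust store (Git 1.8.5+ syntax).
write_scoped_trust() {
  printf '[http "https://%s"]\n\tsslCAInfo = %s\n\tsslVerify = true\n' "$1" "$2"
}

# audit_gitconfig < FILE
# Exit 0 when clean, 1 when a global (unscoped) [http] section disables
# verification for every remote. URL-scoped sections are left alone, since
# that is the legitimate place to pin a self-signed CA for one server.
audit_gitconfig() {
  awk '
    /^[ \t]*\[/ { in_global_http = ($0 ~ /^[ \t]*\[http[ \t]*\]/) }
    in_global_http && tolower($0) ~ /^[ \t]*sslverify[ \t]*=[ \t]*(false|0|no|off)[ \t]*$/ { bad = 1 }
    END { exit bad ? 1 : 0 }
  '
}

# Constructed sample: what "git config --global http.sslVerify false" leaves behind.
GLOBAL_OFF='[http]
    sslVerify = false'

# Constructed sample: the scoped form recommended in the answers above.
SCOPED=$(write_scoped_trust your.domain.com /path/to/selfCA/self-signed-certificate.crt)

printf '%s\n' "$SCOPED"
if printf '%s\n' "$GLOBAL_OFF" | audit_gitconfig; then
  echo "global config: ok"
else
  echo "global config: certificate verification is disabled for every remote"
fi
```

Run audit_gitconfig against ~/.gitconfig and each repo's .git/config to find the global opt-out; a scoped section with sslVerify = false is deliberately not flagged, since the answers above treat a repo fully under your control as an acceptable exception.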
I kept running into this issue, so I wrote a script to download the self-signed certificate from the server and install it into ~/.gitcerts, then update git-config to point at these certificates. It is stored in the global config, so you only need to run it once per remote.
https://github.com/iwonbigbro/tools/blob/master/bin/git-remote-install-cert.sh
This answer is taken from this article by Michael Kauffman.
Use Git for Windows with a corporate SSL certificate
Problem:
If you have a corporate SSL certificate and want to clone your repository from the console or VSCode, you get the following error:
    fatal: unable to access 'https://myserver/tfs/DefaultCollection/_git/Proj/': SSL certificate problem: unable to get local issuer certificate
Solution:
Export the root self-signed certificate to a file. You can do this in your browser.
Find the "ca-bundle.crt" file in the git folder (currently C:\Program Files\Git\usr\ssl\certs, but this has changed in the past). Copy the file to your user profile. Open it with a text editor such as VSCode and add the content of the exported certificate to the end of the file.
Now we have to configure git to use the new file:
This adds the following entry to the .gitconfig file in the root of your user profile.
    sslCAInfo = C:/Users/
Check your antivirus and firewall settings.
From one day to the next, git no longer worked. Using the description above, I found that Kaspersky had put a self-signed antivirus personal root certificate in the middle. I did not manage to get Git to accept that certificate by following the instructions above. I gave up. What worked for me was disabling the feature that scans encrypted connections.
After this, git works again with sslVerify enabled.
Note: this is still not satisfactory for me, because I want my antivirus feature to be active. In the advanced settings, Kaspersky shows a list of websites to which the feature does not apply. Github is not listed as one of them. I will check on the Kaspersky forum. There seem to be some topics, for example
https://forum.kaspersky.com/index.php?/topic/395220-kis-interfering-with-git/&tab=comments#comment-2801211
My answer may be late, but it worked for me. It may help someone.
I tried the steps mentioned above, but they did not solve the problem.
Try this
With the 64-bit version of Git on Windows, just add the self-signed CA certificate to these files:
- C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt
- C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.trust.crt
If it is only a server self-signed certificate, add it to
- C:\Program Files\Git\mingw64\ssl\cert.pem
Be careful when using a one-liner with sslKey or sslCert, as in Josh Peak's answer:
    git clone -c http.sslCAPath="/path/to/selfCA" \
        -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" \
        -c http.sslVerify=1 \
        -c http.sslCert="/path/to/privatekey/myprivatecert.pem" \
        -c http.sslCertPasswordProtected=0 \
        https://mygit.server.com/projects/myproject.git myproject
Only Git 2.14.x / 2.15 (Q3 2015) will be able to interpret correctly something like
See Junio C Hamano (
Helped-by: Charles Bailey (
(Merged by Junio C Hamano --
http.c: http.sslcert and http.sslkey are both pathnames

Back when the modern http_options() codepath was created to parse various http.* options at 29508e1 ("Isolate shared HTTP request functionality", 2005-11-18, Git 0.99.9k), and then later was corrected for interaction between the multiple configuration files in 7059cd9 ("http_init(): Fix config file parsing", 2009-03-09, Git 1.6.3-rc0), we parsed configuration variables like http.sslkey, http.sslcert as plain vanilla strings, because git_config_pathname() that understands "~[username]/" prefix did not exist.

Later, we converted some of them (namely, http.sslCAPath and http.sslCAInfo) to use the function, and added variables like http.cookieFile, http.pinnedpubkey to use the function from the beginning. Because of that, these variables all understand "~[username]/" prefix.

Make the remaining two variables, http.sslcert and http.sslkey, also aware of the convention, as they are both clearly pathnames to files.
On Windows, this worked for me:
Add the content of the self-signed certificate to the end of the ca-bundle file, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
The location of the ca-bundle file is usually C:\Program Files\Git\mingw64\ssl\certs
Then add the path of the ca-bundle file to the global git config. The following command does the trick:
Note: the path depends on the local path of your ca-bundle file!
This is how I did it:
    git init
    git config --global http.sslVerify false
    git clone https://myurl/myrepo.git
In the .gitconfig file, you can add the following value to make the self-signed certificate acceptable
sslCAInfo = /home/XXXX/abc.crt
I am using a Windows machine, and this article helped me. Basically, I opened ca-bundle.crt in Notepad and added the chain certificates (all of them) to it. This problem usually occurs on corporate networks where we have a man in the middle sitting between the system and the git repo. We need to export all the certificates in the certificate chain except the leaf certificate in Base-64 format, add them all to ca-bundle.crt, and then configure git for this modified crt file.