本文共 10219 字,大约阅读时间需要 34 分钟。
本文翻译自:
Using Git, is there a way to tell it to accept a self signed certificate? 使用Git,有没有办法告诉它接受自签名证书?
I am using an https server to host a git server but for now the certificate is self signed. 我正在使用https服务器托管git服务器,但目前证书是自签名的。
When I try to create the repo there for the first time: 当我第一次尝试在此处创建存储库时:
git push origin master -f
I get the error: 我收到错误:
error: Cannot access URL https://the server/git.aspx/PocketReferences/, return code 22fatal: git-http-push failed
参考:
Try http.sslCAPath or http.sslCAInfo . 尝试使用http.sslCAPath或http.sslCAInfo 。 gives some great examples. 提供了一些很好的例子。 This is the most secure solution to the question. 这是最安全的解决方案。
try passing -c to git with the proper config variable, or use : 尝试使用适当的config变量将-c传递给git ,或使用 :
git -c http.sslVerify=false clone https://example.com/path/to/git
If the repository is completely under your control, you can try: 如果存储库完全在您的控制之下,则可以尝试:
git config http.sslVerify false
Disabling TLS(/SSL) certificate verification globally is a terribly insecure practice. 全局禁用TLS(/ SSL)证书验证是一种非常不安全的做法。 Don't do it. 不要这样 Do not issue the above command with a --global modifier. 不要在上面的命令中使用--global修饰符。
There are quite a few SSL configuration options in git . git有很多SSL配置选项。 From the man page of git config : 在git config的手册页中:
http.sslVerify Whether to verify the SSL certificate when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_NO_VERIFY environment variable.http.sslCAInfo File containing the certificates to verify the peer with when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_CAINFO environment variable.http.sslCAPath Path containing files with the CA certificates to verify the peer with when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_CAPATH environment variable.
A few other useful SSL configuration options: 其他一些有用的SSL配置选项:
http.sslCert File containing the SSL certificate when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_CERT environment variable.http.sslKey File containing the SSL private key when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_KEY environment variable.http.sslCertPasswordProtected Enable git's password prompt for the SSL certificate. Otherwise OpenSSL will prompt the user, possibly many times, if the certificate or private key is encrypted. Can be overridden by the GIT_SSL_CERT_PASSWORD_PROTECTED environment variable.
You can set GIT_SSL_NO_VERIFY to true : 您可以将GIT_SSL_NO_VERIFY设置为true :
GIT_SSL_NO_VERIFY=true git clone https://example.com/path/to/git
or alternatively configure Git not to verify the connection on the command line: 或另选配置Git不在命令行上验证连接:
git -c http.sslVerify=false clone https://example.com/path/to/git
Note that if you don't verify SSL/TLS certificates, then you are susceptible to MitM attacks . 请注意,如果您不验证SSL / TLS证书,则容易受到MitM攻击 。
I'm not a huge fan of the [EDIT: original versions of the] existing answers, because disabling security checks should be a last resort, not the first solution offered. 我不是现有答案的[编辑:原始版本]的忠实拥护者,因为禁用安全检查应该是不得已的方法,而不是第一个提供的解决方案。 Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent git operations at least makes life a lot harder for attacks which only occur after you have downloaded the certificate. 即使没有某些其他验证方法也无法信任首次签收的自签名证书,但将证书用于后续git操作至少会大大降低仅在下载证书后才发生的攻击的难度。 In other words, if the certificate you downloaded is genuine, then you're good from that point onwards. 换句话说,如果您下载的证书是真实的,那么从那时起您就可以了。 In contrast, if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point . 相反,如果你简单地禁用验证,那么你敞开,以在任何时候任何中间人攻击的。
To give a specific example: the famous repository provides . 举一个具体的例子:著名的存储库提供 。 I can download that file, place it somewhere like /etc/ssl/certs , and then do: 我可以下载该文件,将其放在/etc/ssl/certs ,然后执行以下操作:
# Initial cloneGIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \ git clone https://repo.or.cz/org-mode.git# Ensure all future interactions with origin remote also workcd org-modegit config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem
Note that using local git config here (ie without --global ) means that this self-signed certificate is only trusted for this particular repository, which is nice. 请注意,在此处使用本地git config (即不使用--global )意味着仅该特定存储库信任此自签名证书,这很好。 It's also nicer than using GIT_SSL_CAPATH since it eliminates the risk of git doing the verification via a different Certificate Authority which could potentially be compromised. 它比使用GIT_SSL_CAPATH更好,因为它消除了git通过不同的证书颁发机构进行验证的风险,这可能会受到威胁。
I keep coming across this problem, so have written a script to download the self signed certificate from the server and install it to ~/.gitcerts, then update git-config to point to these certificates. 我一直遇到这个问题,因此编写了一个脚本来从服务器下载自签名证书并将其安装到〜/ .gitcerts,然后更新git-config指向这些证书。 It is stored in global config, so you only need to run it once per remote. 它存储在全局配置中,因此每个远程只需要运行一次。
NEVER disable all SSL verification! 切勿禁用所有SSL验证!
This creates a bad security culture. 这造成了不良的安全文化。 Don't be that person. 不要做那个人。
The config keys you are after are: 您需要的配置键是:
These are for configuring host certificates you trust 这些用于配置您信任的主机证书
These are for configuring YOUR certificate to respond to SSL challenges. 这些用于配置您的证书以响应SSL挑战。
Selectively apply the above settings to specific hosts. 有选择地将上述设置应用于特定主机。
.gitconfig for Self-Signed Certificate Authorities 自签名证书颁发机构的全局.gitconfig For my own and my colleagues' sake here is how we managed to get self signed certificates to work without disabling sslVerify . 就我自己和我的同事而言,这就是我们如何在不禁用sslVerify情况下使自签名证书起作用的sslVerify 。 to using git config --global -e add these: 以使用git config --global -e添加以下内容:
# Specify the scheme and host as a 'context' that only these settings apply# Must use Git v1.8.5+ for these contexts to work[credential "https://your.domain.com"] username = user.name # Uncomment the credential helper that applies to your platform # Windows # helper = manager # OSX # helper = osxkeychain # Linux (in-memory credential helper) # helper = cache # Linux (permanent storage credential helper) # https://askubuntu.com/a/776335/491772# Specify the scheme and host as a 'context' that only these settings apply # Must use Git v1.8.5+ for these contexts to work[http "https://your.domain.com"] ################################## # Self Signed Server Certificate # ################################## # MUST be PEM format # Some situations require both the CAPath AND CAInfo sslCAInfo = /path/to/selfCA/self-signed-certificate.crt sslCAPath = /path/to/selfCA/ sslVerify = true ########################################### # Private Key and Certificate information # ########################################### # Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE, # not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it. sslCert = /path/to/privatekey/myprivatecert.pem # Even if your PEM file is password protected, set this to false. # Setting this to true always asks for a password even if you don't have one. # When you do have a password, even with this set to false it will prompt anyhow. sslCertPasswordProtected = 0
References: 参考文献:
git clone -ing git clone -ing时指定配置 If you need to apply it on a per repo basis, the documentation tells you to just run git config --local in your repo directory. 如果您需要在每个回购基础上应用它,文档会告诉您只需在回购目录中运行git config --local 。 Well that's not useful when you haven't got the repo cloned locally yet now is it? 那么,当您还没有在本地克隆存储库时,这没有用吗?
You can do the global -> local hokey-pokey by setting your global config as above and then copy those settings to your local repo config once it clones... 您可以通过如上所述设置全局配置来执行global- global -> local hokey-pokey,然后在克隆后将这些设置复制到本地repo配置中。
OR what you can do is that get applied to the target repo once it is cloned. 或者,您可以做的是中该到目标存储库后应用。
# Declare variables to make clone command less verbose OUR_CA_PATH=/path/to/selfCA/OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crtMY_PEM_FILE=/path/to/privatekey/myprivatecert.pemSELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"# With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/
EDIT: See 's that points out a caveat about absolute and relative paths for specific git versions from 2.14.x/2.15 to this one liner 编辑:请参阅的 ,该警告指出了有关从2.14.x / 2.15到此衬垫的特定git版本的绝对和相对路径的警告
git clone -c http.sslCAPath="/path/to/selfCA" -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" -c http.sslVerify=1 -c http.sslCert="/path/to/privatekey/myprivatecert.pem" -c http.sslCertPasswordProtected=0 https://mygit.server.com/projects/myproject.git myproject/
unable to load client key CentOS unable to load client key If you are trying this on CentOS and your .pem file is giving you 如果您在CentOS上尝试此操作,并且.pem文件给您
unable to load client key: "-8178 (SEC_ERROR_BAD_KEY)"
Then you will want about how curl uses NSS instead of Open SSL. 然后,您将需要 ,以了解curl如何使用NSS而不是Open SSL。
And you'll like want to : 而且您想要 :
git clone http://github.com/curl/curl.git curl/cd curl/# Need these for ./buildconfyum install autoconf automake libtool m4 nroff perl -y#Need these for ./configureyum install openssl-devel openldap-devel libssh2-devel -y./buildconfsu # Switch to super user to install into /usr/bin/curl./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/makemake install
restart computer since libcurl is still in memory as a shared library 重新启动计算机,因为libcurl仍作为共享库在内存中
Related : 相关 :
转载地址:http://nncnb.baihongyu.com/