SSL works with browser, wget, and curl, but fails with git

北海茫月 2021-01-31 04:23

I have a website I am using to host Redmine and several git repositories.

This works perfectly for http, but I can't clone with https, i.e.

git clone htt         


        
6 answers
  • 2021-01-31 05:03

    The problem may be that you didn't configure Apache correctly.

    You may have to add your server name to the Apache configuration file /etc/apache2/sites-enabled/default-ssl.conf, e.g.:

    ServerName demo.personalserver.com
    

    From: https://www.progclub.org/blog/2014/09/03/gnutls_handshake-failed-using-git/#comment-96924

  • 2021-01-31 05:06

    XCondE's answer will address the problem, but turning off security warnings always feels like a bad idea. If you're running on an Ubuntu box, then the issue may be that the CA certificate for your web server isn't in the /etc/ssl/certs/ca-certificates.crt file. I ran into this with a git server hosted on a web server with an SSL certificate signed by www.incommon.org.

    You can add the intermediate certificate to your ca-certificates file, as follows:

    wget http://cert.incommon.org/InCommonServerCA.crt
    openssl x509 -inform DER -in InCommonServerCA.crt -out incommon.pem
    cat /etc/ssl/certs/ca-certificates.crt incommon.pem > ca-certs2.crt
    sudo cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak
    sudo cp ca-certs2.crt /etc/ssl/certs/ca-certificates.crt
    

    There's a good discussion of what's going on behind the scenes here: http://curl.haxx.se/docs/sslcerts.html

  • 2021-01-31 05:16

    It turns out that this was a GnuTLS issue. GnuTLS is order sensitive, while OpenSSL is not. I re-ordered the certificates in my intermediate cert file and the problem went away.

  • 2021-01-31 05:20

    git uses GnuTLS for this stuff, which requires the CA be specified. This can be done per-repository with:

    git config http.sslcapath <path to CA directory>
    

    OR

    git config http.sslcainfo <path to CA cert>
    

    You can also specify --system or --global.

  • 2021-01-31 05:22

    I encountered this error with one of my Comodo PositiveSSL certificates and was able to fix it by changing the order of the intermediate certificates.

    After ordering the certificate, I was provided with the following files:

    • Root CA Certificate - AddTrustExternalCARoot.crt
    • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
    • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
    • PositiveSSL Wildcard Certificate - STAR_mydomain_com.crt

    Originally, the order of certificates in the .crt I was providing to Nginx was as follows:

    • PositiveSSL Wildcard Certificate - STAR_mydomain_com.crt
    • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
    • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt

    However, I reversed the order of the last two certificates and Git no longer throws verification errors.

  • 2021-01-31 05:22

    export GIT_SSL_NO_VERIFY=1

    From http://blog.breadncup.com/2011/06/09/skip-git-ssl-verification/

    WARNING: as some people mentioned, this disables verification, leaving you open to a slew of security issues. You shouldn't rely on it long-term but, in a pinch, it will get the job done.
