To permanently accept a specific certificate

永久接受特定证书

Try http.sslCAPathor http.sslCAInfo. Adam Spiers's answergives some great examples. This is the most secure solution to the question.

尝试http.sslCAPath或http.sslCAInfo。亚当斯皮尔斯的回答给出了一些很好的例子。这是该问题最安全的解决方案。

To disable TLS/SSL verification for a single git command

为单个 git 命令禁用 TLS/SSL 验证

try passing -cto gitwith the proper config variable, or use Flow's answer:

尝试使用正确的配置变量传递-c给git，或使用Flow 的答案：

git -c http.sslVerify=false clone https://example.com/path/to/git

To disable SSL verification for a specific repository

禁用特定存储库的 SSL 验证

If the repository is completely under your control, you can try:

如果存储库完全在您的控制之下，您可以尝试：

git config --global http.sslVerify false

There are quite a few SSL configuration options in git. From the man page of git config:

中有很多 SSL 配置选项git。从手册页git config：

http.sslVerify
    Whether to verify the SSL certificate when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_NO_VERIFY environment variable.

http.sslCAInfo
    File containing the certificates to verify the peer with when fetching or pushing
    over HTTPS. Can be overridden by the GIT_SSL_CAINFO environment variable.

http.sslCAPath
    Path containing files with the CA certificates to verify the peer with when
    fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_CAPATH environment variable.

A few other useful SSL configuration options:

其他一些有用的 SSL 配置选项：

http.sslCert
    File containing the SSL certificate when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_CERT environment variable.

http.sslKey
    File containing the SSL private key when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_KEY environment variable.

http.sslCertPasswordProtected
    Enable git's password prompt for the SSL certificate. Otherwise OpenSSL will
    prompt the user, possibly many times, if the certificate or private key is encrypted.
    Can be overridden by the GIT_SSL_CERT_PASSWORD_PROTECTED environment variable.

You can set GIT_SSL_NO_VERIFYto true:

您可以设置GIT_SSL_NO_VERIFY为true：

GIT_SSL_NO_VERIFY=true git clone https://example.com/path/to/git

or alternatively configure Git not to verify the connection on the command line:

或者配置 Git 不验证命令行上的连接：

git -c http.sslVerify=false clone https://example.com/path/to/git

Note that if you don't verify SSL/TLS certificates, then you are susceptible to MitM attacks.

请注意，如果您不验证 SSL/TLS 证书，那么您很容易受到中间人攻击。

I'm not a huge fan of the [EDIT: original versions of the]existing answers, because disabling security checks should be a last resort, not the first solution offered. Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent gitoperations at least makes life a lot harder for attacks which only occur afteryou have downloaded the certificate. In other words, if the certificate you downloaded isgenuine, then you're good from that point onwards. In contrast, if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point.

我不是[EDIT: original versions of the]现有答案的忠实粉丝，因为禁用安全检查应该是最后的手段，而不是提供的第一个解决方案。即使在没有其他验证方法的情况下，您在第一次收到自签名证书时就无法信任，但在后续git操作中使用该证书至少会使仅在您下载证书后发生的攻击更加困难。换句话说，如果您下载的证书是真实的，那么从那时起您就可以了。相比之下，如果您只是禁用验证，那么您在任何时候都会受到任何类型的中间人攻击。

To give a specific example: the famous repo.or.czrepository provides a self-signed certificate. I can download that file, place it somewhere like /etc/ssl/certs, and then do:

举一个具体的例子：著名的repo.or.cz存储库提供了一个自签名证书。我可以下载那个文件，把它放在像 一样的地方/etc/ssl/certs，然后做：

# Initial clone
GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
    git clone https://repo.or.cz/org-mode.git

# Ensure all future interactions with origin remote also work
cd org-mode
git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem

Note that using local git confighere (i.e. without --global) means that this self-signed certificate is only trusted for this particular repository, which is nice. It's also nicer than using GIT_SSL_CAPATHsince it eliminates the risk of gitdoing the verification via a different Certificate Authority which could potentially be compromised.

请注意，git config在此处使用 local （即没有--global）意味着此自签名证书仅受此特定存储库信任，这很好。它也比使用更好，GIT_SSL_CAPATH因为它消除了git通过不同的证书颁发机构进行验证的风险，这可能会受到损害。

Git Self-Signed Certificate Configuration

Git自签名证书配置

tl;dr

tl;博士

NEVER disable all SSL verification!

This creates a bad security culture. Don't be that person.

切勿禁用所有 SSL 验证！

这会造成不良的安全文化。不要成为那种人。

The config keys you are after are:

您所追求的配置键是：

• http.sslverify- Always true. See above note.

• http.sslverify- 永远正确。见上注。

These are for configuring host certificates you trust

这些用于配置您信任的主机证书

• http.sslCAPath
• http.sslCAInfo

• http.sslCAPath
• http.sslCAInfo

These are for configuring YOUR certificate to respond to SSL challenges.

这些用于配置您的证书以响应 SSL 挑战。

• http.sslCert
• http.sslCertPasswordProtected

• http.sslCert
• http.sslCertPasswordProtected

Selectively apply the above settings to specific hosts.

有选择地将上述设置应用于特定主机。

• http.<url>.*

• http.<url>.*

Global .gitconfigfor Self-Signed Certificate Authorities

全球.gitconfig自签名证书颁发机构

For my own and my colleagues' sake here is how we managed to get self signed certificates to work without disabling sslVerify. Edit your .gitconfigto using git config --global -eadd these:

为了我自己和我的同事，这里是我们如何设法使自签名证书在不禁用sslVerify. 编辑您.gitconfig使用git config --global -e添加这些：

# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[credential "https://your.domain.com"]
  username = user.name

  # Uncomment the credential helper that applies to your platform
  # Windows
  # helper = manager

  # OSX
  # helper = osxkeychain

  # Linux (in-memory credential helper)
  # helper = cache

  # Linux (permanent storage credential helper)
  # https://askubuntu.com/a/776335/491772

# Specify the scheme and host as a 'context' that only these settings apply 
# Must use Git v1.8.5+ for these contexts to work
[http "https://your.domain.com"]
  ##################################
  # Self Signed Server Certificate #
  ##################################

  # MUST be PEM format
  # Some situations require both the CAPath AND CAInfo 
  sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
  sslCAPath = /path/to/selfCA/
  sslVerify = true

  ###########################################
  # Private Key and Certificate information #
  ###########################################

  # Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE, 
  # not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
  sslCert = /path/to/privatekey/myprivatecert.pem

  # Even if your PEM file is password protected, set this to false.
  # Setting this to true always asks for a password even if you don't have one.
  # When you do have a password, even with this set to false it will prompt anyhow. 
  sslCertPasswordProtected = 0

References:

参考：

• Git Credentials
• Git Credential Store
• Using Gnome Keyring as credential store
• Git Config http.<url>.* Supported from Git v1.8.5

• Git 凭证
• Git 凭证存储
• 使用 Gnome Keyring 作为凭证​​存储
• Git 配置 http.<url>.* 从 Git v1.8.5 支持

Specify config when git clone-ing

git clone-ing时指定配置

If you need to apply it on a per repo basis, the documentation tells you to just run git config --localin your repo directory. Well that's not useful when you haven't got the repo cloned locally yet now is it?

如果你需要在每个 repo 的基础上应用它，文档会告诉你只git config --local在你的 repo 目录中运行。好吧，当您还没有在本地克隆 repo 时，这没有用，是吗？

You can do the global -> localhokey-pokey by setting your global config as above and then copy those settings to your local repo config once it clones...

您可以global -> local通过如上所述设置全局配置来执行hokey-pokey，然后在克隆后将这些设置复制到本地存储库配置...

OR what you can do is specify config commands at git clonethat get applied to the target repo once it is cloned.

或者您可以做的是指定配置命令，git clone一旦克隆就应用于目标存储库。

# Declare variables to make clone command less verbose     
OUR_CA_PATH=/path/to/selfCA/
OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crt
MY_PEM_FILE=/path/to/privatekey/myprivatecert.pem
SELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"

# With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.
git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/

One Liner

一个班轮

EDIT: See VonC's answerthat points out a caveat about absolute and relative paths for specific git versions from 2.14.x/2.15 to this one liner

编辑：请参阅VonC的回答，该回答指出了从 2.14.x/2.15 到这一行的特定 git 版本的绝对和相对路径的警告

git clone -c http.sslCAPath="/path/to/selfCA" -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" -c http.sslVerify=1 -c http.sslCert="/path/to/privatekey/myprivatecert.pem" -c http.sslCertPasswordProtected=0 https://mygit.server.com/projects/myproject.git myproject/

CentOS unable to load client key

CentOS unable to load client key

If you are trying this on CentOS and your .pemfile is giving you

如果你在 CentOS 上尝试这个并且你的.pem文件给了你

unable to load client key: "-8178 (SEC_ERROR_BAD_KEY)"

Then you will want this StackOverflow answerabout how curluses NSS instead of Open SSL.

然后你会想要这个关于如何curl使用 NSS 而不是 Open SSL 的StackOverflow 答案。

And you'll like want to rebuild curlfrom source:

你会喜欢从源代码重建curl：

git clone http://github.com/curl/curl.git curl/
cd curl/
# Need these for ./buildconf
yum install autoconf automake libtool m4 nroff perl -y
#Need these for ./configure
yum install openssl-devel openldap-devel libssh2-devel -y

./buildconf
su # Switch to super user to install into /usr/bin/curl
./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/
make
make install

restart computer since libcurl is still in memory as a shared library

重新启动计算机，因为 libcurl 作为共享库仍在内存中

Python, pip and conda

Python、pip 和 conda

Related: How to add a custom CA Root certificate to the CA Store used by pip in Windows?

相关：如何将自定义 CA 根证书添加到 Windows 中 pip 使用的 CA Store？

I keep coming across this problem, so have written a script to download the self signed certificate from the server and install it to ~/.gitcerts, then update git-config to point to these certificates. It is stored in global config, so you only need to run it once per remote.

我一直遇到这个问题，所以写了一个脚本从服务器下载自签名证书并将其安装到 ~/.gitcerts，然后更新 git-config 以指向这些证书。它存储在全局配置中，因此您只需为每个远程运行一次。

https://github.com/iwonbigbro/tools/blob/master/bin/git-remote-install-cert.sh

https://github.com/iwonbigbro/tools/blob/master/bin/git-remote-install-cert.sh

This answer is excerpted from this articleauthored by Michael Kauffman.

此答案摘自Michael Kauffman 撰写的这篇文章。

Use Git for Windows with a corporate SSL certificate

使用带有企业 SSL 证书的 Windows 版 Git

Issue:

问题：

If you have a corporate SSL certificate and want to clone your repo from the console or VSCode you get the following error:

如果您拥有企业 SSL 证书并想从控制台或 VSCode 克隆您的存储库，则会收到以下错误：

fatal: unable to access ‘https://myserver/tfs/DefaultCollection/_git/Proj/': SSL certificate problem: unable to get local issuer certificate

致命：无法访问“ https://myserver/tfs/DefaultCollection/_git/Proj/”：SSL 证书问题：无法获得本地颁发者证书

Solution:

解决方案：

1. Export the root self-signed Certificate to a file. You can do this from within your browser.

2. Locate the “ca-bundle.crt” file in your git folder (current version C:\Program Files\Git\usr\ssl\certs but is has changed in the past). Copy the file to your user profile. Open it with a text editor like VSCode and add the content of your exported certificate to the end of the file.

1. 将根自签名证书导出到文件。您可以在浏览器中执行此操作。

2. 在您的 git 文件夹中找到“ca-bundle.crt”文件（当前版本 C:\Program Files\Git\usr\ssl\certs 但过去已更改）。将文件复制到您的用户配置文件。使用 VSCode 等文本编辑器打开它，并将导出的证书内容添加到文件末尾。

Now we have to configure git to use the new file:

现在我们必须配置 git 以使用新文件：

git config --global http.sslCAInfo C:/Users/<yourname>/ca-bundle.crt

git config --global http.sslCAInfo C:/Users/<yourname>/ca-bundle.crt

This will add the following entry to your .gitconfig file in the root of your user profile.

这会将以下条目添加到用户配置文件根目录中的 .gitconfig 文件中。

[http] sslCAInfo = C:/Users/<yourname>/ca-bundle.crt

[http] sslCAInfo = C:/Users/<yourname>/ca-bundle.crt

To disable SSL verification for a specific repository If the repository is completely under your control, you can try:

禁用特定存储库的 SSL 验证 如果存储库完全在您的控制之下，您可以尝试：

 git config --global http.sslVerify false

Check your antivirus and firewall settings.

检查您的防病毒和防火墙设置。

From one day to the other, git did not work anymore. With what is described above, I found that Kaspersky puts a self-signed Anti-virus personal root certificate in the middle. I did not manage to let Git accept that certificate following the instructions above. I gave up on that. What works for me is to disable the feature to Scan encrypted connections.

从一天到另一天，git 不再工作了。通过上面的描述，我发现卡巴斯基在中间放了一个自签名的防病毒个人根证书。我没有按照上述说明让 Git 接受该证书。我放弃了。对我有用的是禁用扫描加密连接的功能。

1. Open Kaspersky
2. Settings > Additional > Network > Do not scan encrypted connections

1. 打开卡巴斯基
2. 设置 > 其他 > 网络 > 不扫描加密连接

After this, git works again with sslVerify enabled.

在此之后，git 在启用 sslVerify 的情况下再次工作。

Note. This is still not satisfying for me, because I would like to have that feature of my Anti-Virus active. In the advanced settings, Kaspersky shows a list of websites that will not work with that feature. Github is not listed as one of them. I will check it at the Kaspersky forum. There seem to be some topics, e.g. https://forum.kaspersky.com/index.php?/topic/395220-kis-interfering-with-git/&tab=comments#comment-2801211

笔记。这对我来说仍然不令人满意，因为我想激活我的反病毒软件的那个功能。在高级设置中，卡巴斯基会显示无法使用该功能的网站列表。Github 没有被列为其中之一。我会在卡巴斯基论坛上查看。似乎有一些主题，例如 https://forum.kaspersky.com/index.php?/topic/395220-kis-interfering-with-git/&tab=comments#comment-2801211

Be careful when you are using one liner using sslKey or sslCert, as in Josh Peak's answer:

当您使用 sslKey 或 sslCert 使用一个衬垫时要小心，如Josh Peak的回答：

git clone -c http.sslCAPath="/path/to/selfCA" \
  -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" \
  -c http.sslVerify=1 \
  -c http.sslCert="/path/to/privatekey/myprivatecert.pem" \
  -c http.sslCertPasswordProtected=0 \
https://mygit.server.com/projects/myproject.git myproject

Only Git 2.14.x/2.15 (Q3 2015) would be able to interpret a path like ~username/mykeycorrectly (while it still can interpret an absolute path like /path/to/privatekey).

只有 Git 2.14.x/2.15（2015 年第 3 季度）能够~username/mykey正确解释路径（而它仍然可以解释绝对路径，例如/path/to/privatekey）。

See commit 8d15496(20 Jul 2017) by Junio C Hamano (gitster).
Helped-by: Charles Bailey (hashpling).
^{(Merged by Junio C Hamano -- gitster--in commit 17b1e1d, 11 Aug 2017)}

请参阅Junio C Hamano( ) 的提交 8d15496（2017 年 7 月 20 日）。 帮助者：查尔斯·贝利 ( )。^{（由Junio C Hamano合并-- --在commit 17b1e1d，2017 年 8 月 11 日）}gitster
hashpling
gitster

http.c: http.sslcertand http.sslkeyare both pathnames

Back when the modern http_options() codepath was created to parse various http.* options at 29508e1("Isolate shared HTTP request functionality", 2005-11-18, Git 0.99.9k), and then later was corrected for interation between the multiple configuration files in 7059cd9("http_init(): Fix config file parsing", 2009-03-09, Git 1.6.3-rc0), we parsed configuration variables like http.sslkey, http.sslcertas plain vanilla strings, because git_config_pathname()that understands "~[username]/" prefix did not exist.

Later, we converted some of them (namely, http.sslCAPathand http.sslCAInfo) to use the function, and added variables like http.cookeyFilehttp.pinnedpubkeyto use the function from the beginning. Because of that, these variables all understand "~[username]/" prefix.

Make the remaining two variables, http.sslcertand http.sslkey, also aware of the convention, as they are both clearly pathnames to files.

http.c:http.sslcert和http.sslkey都是路径名

回到当现代http_options（）代码路径的建立是为了解析各种HTTP。*在选项29508e1（“分离物共享HTTP请求的功能”，2005-11-18，GIT中0.99.9k），然后后来被用于所述多个之间互为作用校正在配置文件中7059cd9（“ http_init()：修复配置文件解析”，2009-03-09，Git的1.6.3-RC0），我们解析配置变量一样http.sslkey，http.sslcert作为普通的香草字符串，因为git_config_pathname()能够理解‘ ~[username]/’前缀是不存在的。

后来，我们将其中的一些（即，http.sslCAPath和http.sslCAInfo）转换为使用该函数，并http.cookeyFilehttp.pinnedpubkey从一开始就添加了类似使用该函数的变量。因此，这些变量都理解“ ~[username]/”前缀。

使剩下的两个变量http.sslcert和http.sslkey，也知道约定，因为它们都是文件的明确路径名。

Using 64bit version of Git on Windows, just add the self signed CA certificate into these files :

在 Windows 上使用 64 位版本的 Git，只需将自签名 CA 证书添加到这些文件中：

• C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt
• C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.trust.crt

• C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt
• C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.trust.crt

If it is just a server self signed certificate add it into

如果它只是一个服务器自签名证书，请将其添加到

• C:\Program Files\Git\mingw64\ssl\cert.pem

• C:\Program Files\Git\mingw64\ssl\cert.pem