Notice: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/26590439/

Time: 2020-09-19 10:29:42  Source: igfitidea

How to add an enterprise certificate authority (CA) to git on cygwin (and some linux distros)

git ssl cygwin certificate ca

Asked by Jason Pyeron

When fetching with git on Cygwin you get:

Fetching origin
fatal: unable to access 'https://.../...git': SSL certificate problem: self signed certificate in certificate chain
error: Could not fetch origin

The certificate was added to /etc/ssl/certs/ca-bundle.crt and other bundle files, but on the next Cygwin update the problem reappeared.

Answered by Jason Pyeron

git-remote-https will read the following files for CA certificates:

/etc/ssl/certs/ca-bundle.crt
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

If you edit these files, they will be overwritten each time the Cygwin setup is run and there is an update for the ca-certificates package.

The correct/proper solution is to add the certificate to the pick up directory and run the pickup script, update-ca-trust:

curl -sL http://ca.pdinc.us  > /etc/pki/ca-trust/source/anchors/ca.pdinc.us.pem \
&& update-ca-trust

The post install script for the ca-certificates package will automatically rerun the update-ca-trust script on every upgrade. For more information:

man update-ca-trust

Answered by David A. Wheeler

Simpler instructions:

  1. Simply copy the file(s) with your enterprise's trusted certificates (e.g., .crt files) into the directory /etc/pki/ca-trust/source/anchors/.

  2. Run update-ca-trust extract. This will generate various files to make everything work.

You can add or remove files in the directory and re-run update-ca-trust extract.

NOTE: If your organization is one of the rare ones who use specialized certificates in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS), there's a slight change in step 1. Basically, copy the certificates to the directory /etc/pki/ca-trust/source/ instead. There's no harm in copying them to the "usual" location, and moving them later if the "usual" directory doesn't work.

For more details, run man update-ca-trust.
