推送到 Git 服务器时 SSL 证书无效
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19413537/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Invalid SSL certificate when pushing to Git server
提问by Justin
I am running Gitblit on a Windows Server and am trying to push data to a repository from another machine on the network. I have used a SSL certificate (not self signed, but I think signed by my company? Not really sure how that works but Chrome, IE, etc. see it is identity verified).
我在 Windows Server 上运行 Gitblit,并尝试将数据从网络上的另一台机器推送到存储库。我使用了 SSL 证书(不是自签名,但我认为由我的公司签名?不太确定它是如何工作的,但 Chrome、IE 等。看到它已通过身份验证)。
The server that runs Gitblit is named itscmand on the developer's desktop I am using this URL to push data via TortoiseGit:
运行 Gitblit 的服务器已命名itscm,在开发人员的桌面上,我使用此 URL 通过 TortoiseGit 推送数据:
git.exe push --progress "https://itscm:8234/git/TestRepo.git" master
However, I get this error:
但是,我收到此错误:
fatal: unable to access 'https://itscm:8234/git/TestRepo.git/': SSL certificate problem: self signed certificate in certificate chain
致命:无法访问“ https://itscm:8234/git/TestRepo.git/”:SSL 证书问题:证书链中的自签名证书
When I go to that address in chrome, I get a 404 on the page, BUT I can see that the padlock in the URL bar is green. When I click the padlock I see that the identity is verified. I don't understand how my browser sees this certificate as valid but when I try to push data to it via Git, it fails.
当我在 chrome 中访问该地址时,页面上出现 404,但我可以看到 URL 栏中的挂锁是绿色的。当我单击挂锁时,我看到身份已得到验证。我不明白我的浏览器如何认为这个证书有效,但是当我尝试通过 Git 向它推送数据时,它失败了。
回答by MrTux
Git for Windows has its own trust store of trusted certificates which is normally located in the file
Windows 版 Git 有自己的可信证书信任库,通常位于文件中
- Git for Windows <=1.9:
[Git installdir]\bin\curl-ca-bundle.crt(e.g.,C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt; configured by the keyhttp.sslCAinfoin[Git installdir]\etc\gitconfig). - Git for Windows >= 2.0:
[Git installdir]\mingwXX\ssl\certs\ca-bundle.crtwhereXXstands for32or64(e.g.,C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt; configured by the keyhttp.sslCAinfoin git config, e.g.C:\ProgramData\Git\config,C:\Program Files\Git\etcor your global/local config).
- GIT中的Windows <= 1.9:
[Git installdir]\bin\curl-ca-bundle.crt(例如,C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt;由键配置http.sslCAinfo中[Git installdir]\etc\gitconfig)。 - 适用于 Windows >= 2.0 的 Git:
[Git installdir]\mingwXX\ssl\certs\ca-bundle.crt其中XX代表32或64(例如,C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt; 由http.sslCAinfogit config 中的键配置,例如C:\ProgramData\Git\config,C:\Program Files\Git\etc或您的全局/本地配置)。
Disabling checking of certificates (e.g., by setting git config http.sslVerify false) is not a good idea and might be extremely dangerous (as all security checks are disabled and MitM attacksare easily possible - depending where this is set it applies for all new https connections).
禁用证书检查(例如,通过设置git config http.sslVerify false)不是一个好主意,并且可能非常危险(因为所有安全检查都被禁用并且中间人攻击很容易发生 - 取决于设置的位置,它适用于所有新的 https 连接)。
In order to add a certificate (may it be a self-signed one or another root certificate) to this trust store in order to automatically trust it, you have to perform the following steps (the first five steps are just to gather the certificate, this can also be done with your favorite browser, but might require different tasks):
为了将证书(可能是自签名的一个或另一个根证书)添加到此信任库以自动信任它,您必须执行以下步骤(前五个步骤只是收集证书,这也可以使用您最喜欢的浏览器完成,但可能需要不同的任务):
- Open the URL of the site in Internet Explorer
- Click on the lock symbol in the local bar and choose "Show certificates" (or choose Properties of the site and click on "Certificates")
- (Optional) Select the certificate you want to trust on the certificate chain (third tab) and open it
- Go to the second tab "Details"
- Click on "Save to file", choose "Base64-encoded X.509 (.CER)" and save it with a unique name (remember that name; a name w/o spaces is recommended).
Now you have several options
- Use a separate certificate trust store which only contains your just downloaded cert, by executing
git config --global http.sslCAinfo "[yourfilename]"in a cli shell in order to only use this certificate as the trust store. - Use a separate certificate trust store which contains your just downloaded cert and all certificates from the git trust store, by appending all content from the system trust store file (path see above) and then execute
git config --global http.sslCAinfo "[yourfilename]"in a cli shell in order to use this new trust store. - Update the system certificate file, by appending the content of your just saved file to
[path-to-git-trust-store-crt-file](e.g. bytype [yourfilename] >> [path-to-git-trust-store-crt-file]in a cli shell running with administrative rights) OR using notepad (make a copy of the ca-bundle.crt file on desktop, append the content of the downlaoded .crt file and then copy it back). Disadvantage: changes might get overwritten on git update
- Use a separate certificate trust store which only contains your just downloaded cert, by executing
- 在 Internet Explorer 中打开站点的 URL
- 单击本地栏中的锁定符号并选择“显示证书”(或选择站点的属性并单击“证书”)
- (可选)在证书链(第三个选项卡)上选择您要信任的证书并打开它
- 转到第二个选项卡“详细信息”
- 单击“保存到文件”,选择“Base64-encoded X.509 (.CER)”并使用唯一名称保存(记住该名称;建议使用不带空格的名称)。
现在你有几个选择
- 通过
git config --global http.sslCAinfo "[yourfilename]"在 cli shell 中执行,使用仅包含您刚刚下载的证书的单独证书信任库,以便仅将此证书用作信任库。 - 使用单独的证书信任库,其中包含您刚刚下载的证书和来自 git 信任库的所有证书,通过附加系统信任库文件(路径见上文)中的所有内容,然后
git config --global http.sslCAinfo "[yourfilename]"在 cli shell 中执行以使用此新信任店铺。 - 更新系统证书文件,方法是将刚刚保存的文件的内容附加到
[path-to-git-trust-store-crt-file](例如,type [yourfilename] >> [path-to-git-trust-store-crt-file]在以管理权限运行的 cli shell 中)或使用记事本(在桌面上复制 ca-bundle.crt 文件,附加下载的 .crt 文件,然后将其复制回来)。缺点:更改可能会在 git update 上被覆盖
- 通过
Done. Now, this certificate is in the trust store of Git for Windows.
完毕。现在,此证书位于 Git for Windows 的信任存储中。
回答by James Moger
TortoiseGit is probably not using the same truststore Chrome. I think Chrome uses the system store, Firefox uses it's own. I have no idea what TortoiseGit uses.
TortoiseGit 可能没有使用相同的信任库 Chrome。我认为 Chrome 使用系统存储,Firefox 使用它自己的。我不知道 TortoiseGit 使用什么。
On the client, if you set git config http.sslVerify falseyou may have more luck. You can also set this globally.
在客户端,如果你设置git config http.sslVerify false你可能会有更多的运气。您也可以全局设置。
回答by dan-iel
Here is what worked for me. Create a folder C:\GitCerts. Then download the Base64 .cerfile (follow the answer provided by MrTux) to this C:\GitCertsfolder.
这对我有用。创建一个文件夹C:\GitCerts。然后将Base64 .cer文件(按照MrTux提供的答案)下载到此C:\GitCerts文件夹。
- From command line run the following command:
git config --global http.sslCAinfo "C:\GitCerts\MyCert.cer" - Open the
MyCert.cerfile in Notepad and leave it open - Open the Git
ca-bundle.crtfile in another Notepad. Mine was in the locationC:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt. - Verify the cert text in the
MyCert.cerfile is in theca-bundle.crtfile (it should be), if not just copy and paste all the text from MyCert.cer and append it at the bottom of the ca-bundle.crt file (make sure you leave all the other cert information in there).
- 从命令行运行以下命令:
git config --global http.sslCAinfo "C:\GitCerts\MyCert.cer" MyCert.cer在记事本中打开文件并保持打开状态ca-bundle.crt在另一个记事本中打开 Git文件。我在那个位置C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt。- 验证
MyCert.cer文件中的证书文本是否在ca-bundle.crt文件中(应该是),如果不是,则只需复制并粘贴 MyCert.cer 中的所有文本并将其附加到 ca-bundle.crt 文件的底部(确保保留所有那里的其他证书信息)。
-----BEGIN CERTIFICATE-----
-----开始认证-----
your cert info here
您的证书信息在这里
-----END CERTIFICATE-----
-----结束证书-----
- If you had to modify the ca-bundle.crt file then save it (you may have to save it to your Desktop and then copy and paste it back in to overwrite the
ca-bundle.crtfile) - Finally, based on the path of your
ca-bundle.crtfile run the following command:git config --global http.sslcainfo "C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt"
- 如果您必须修改 ca-bundle.crt 文件,然后保存它(您可能需要将其保存到桌面,然后将其复制并粘贴回以覆盖
ca-bundle.crt文件) - 最后,根据
ca-bundle.crt文件的路径运行以下命令:git config --global http.sslcainfo "C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt"
回答by The Gilbert Arenas Dagger
I experienced this error using GitHub and it seemingly came out of nowhere. I had done plenty of work on GitHub before.
我在使用 GitHub 时遇到了这个错误,它似乎无处不在。我之前在 GitHub 上做过很多工作。
Kaspersky anti-virus was the culprit!!
卡巴斯基杀毒软件是罪魁祸首!!
When I turned off my anti-virus protection (and waited a couple of minutes) I was able to push / pull from my github repo.
当我关闭我的防病毒保护(并等待几分钟)时,我能够从我的 github 存储库中推/拉。
My final solution was to locate a certificate from Kaspersky then add it to the Git for Windows trust store. The latter step is already detailed in the accepted answer, but for anyone else in a similar position I was able to locate the Kaspersky certificate by going to:
我的最终解决方案是从卡巴斯基找到一个证书,然后将其添加到 Git for Windows 信任存储中。已接受的答案中已经详细说明了后一步,但是对于处于类似位置的其他任何人,我可以通过以下方式找到卡巴斯基证书:
Settings > Additional > Network > Encrypted connections scanning - Advanced Settings > Install Certificate > Show Certificate > Details > Copy to File > Base-64 encoded X.509 (.cer)
设置 > 其他 > 网络 > 加密连接扫描 - 高级设置 > 安装证书 > 显示证书 > 详细信息 > 复制到文件 > Base-64 编码的 X.509 (.cer)
回答by Karthikeyan
I found one more answer for this issue :
我为这个问题找到了另一个答案:
$ git config http.sslVerify false
回答by Kiran
For those in a corporates, who get the self signed certificate error - below is an alternative.
对于那些在公司中获得自签名证书错误的人 - 以下是另一种选择。
In corporates, the same git server, that is accessible over https protocol, usuallywill also be accessible over ssh protocol.So choose the ssh option of server url and clone the repository as
在企业中,可以通过 https 协议访问的相同 git 服务器通常也可以通过 ssh 协议访问。因此,选择服务器 url 的 ssh 选项并将存储库克隆为
git clone user@server/project.git
git clone user@server/project.git
Of course, the public key( id_rsa.pub) from your ~\.sshfolder will have to added to server. This way you don't have add the https server certificate to your windows certificate store or mac keychain ( example).
当然,id_rsa.pub您~\.ssh文件夹中的公钥()必须添加到服务器。这样您就不必将 https 服务器证书添加到您的 Windows 证书存储或 mac 钥匙串(示例)。
