git 添加自签名 SSL 证书而不禁用授权签名证书
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/23807313/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Adding self-signed SSL certificate without disabling authority-signed ones
提问by Michael Ivko
I have a corporate git server working through https using self-signed certificate. The local clone contains two remotes — the origin pointing to that server, and another pointing to github. By default pulling from the origin fails:
我有一个使用自签名证书通过 https 工作的公司 git 服务器。本地克隆包含两个遥控器——一个指向那个服务器,另一个指向 github。默认情况下,从原点拉取失败:
$ git pull
fatal: unable to access 'https://[email protected]/git/fizzbuzz.git/': SSL certificate problem: self signed certificate
The github remote works fine.
github 遥控器工作正常。
There are two often-suggested solutions:
有两种经常建议的解决方案:
git config http.sslVerify false
which is a bad idea, and the one suggested at configure Git to accept a particular self-signed server certificate for a particular https remote:
这是一个坏主意,建议配置 Git 以接受特定 https 远程的特定自签名服务器证书:
git config http.sslCAInfo <downloaded certificate>.pem
which fixes pulling from origin, but break the github remote:
它修复了从原点拉取,但破坏了 github 远程:
$ git pull github
fatal: unable to access 'https://github.com/user/fizzbuzz.git/': SSL certificate problem: unable to get local issuer certificate
How to make pulling from the corporate server work without breaking pulling from github?
如何在不中断从 github 拉取的情况下从公司服务器拉取工作?
回答by VonC
If you are using Git 1.8.5+ (August 2013), you can specify http directives per URL(!).
如果您使用的是 Git 1.8.5+(2013 年 8 月),您可以为每个 URL(!) 指定 http 指令。
In your case:
在你的情况下:
git config --global http."https://code.example.com/".sslVerify false
#
# or, if not on default 443 port:
#
git config --global http."https://code.example.com:<aPort>/".sslVerify false
That would disable SSL verification only for code.example.com, not for other URLs.
这将仅针对 禁用 SSL 验证code.example.com,而不会针对其他 URL。
Or:
或者:
git config --global http."https://code.example.com/".sslCAInfo <downloaded certificate>.pem
Same idea: sslCAInfowould point to <downloaded certificate>.pemonly for code.example.comURLs.
相同的想法:仅sslCAInfo指向URL。<downloaded certificate>.pemcode.example.com
It is possible to add your certificate in the Git system certificate store, which, with git-for-windows, would be in C:\path\to\PortableGit-2.6.1-64-bit\usr\ssl\certs\ca-bundle.crt.
It isn't the best practice, though, unless you have to distribute a Git distro with internal certificates in it.
可以将您的证书添加到 Git 系统证书存储中,使用git-for-windows将在C:\path\to\PortableGit-2.6.1-64-bit\usr\ssl\certs\ca-bundle.crt.
但是,这不是最佳实践,除非您必须分发带有内部证书的 Git 发行版。
回答by super_kamil
As of v2.5.0 of Git for Windows (git-for-windows.github.io), the installed certificate file has moved to "C:\Program Files (x86)\Git\mingw32\ssl\certs\ca-bundle.crt". You have to add your certs into this file.
从 Git for Windows (git-for-windows.github.io) v2.5.0 开始,已安装的证书文件已移至“C:\Program Files (x86)\Git\mingw32\ssl\certs\ca-bundle。 crt”。您必须将您的证书添加到此文件中。
