Configure Git to accept a particular self-signed server certificate for a particular https remote

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/9072376/

Date: 2020-09-10 12:52:19  Source: igfitidea

configure Git to accept a particular self-signed server certificate for a particular https remote

Tags: git, ssl-certificate

Asked by zwol

The sysadmin for a project I'm on has decided that SSH is "too much trouble"; instead, he has set up Git to be accessible via an https:// URL (and username/password authentication). The server for this URL presents a self-signed certificate, so he advised everyone to turn off certificate validation. This does not strike me as a good setup, security-wise.

Is it possible to tell Git that for remote X (or better, any remote in any repository that happens to begin with https://$SERVERNAME/) it is to accept a particular certificate, and only that certificate? Basically reduplicate SSH's server-key behavior.

Answered by Jan Vlcinsky

Briefly:

  1. Get the self-signed certificate
  2. Put it into some file (e.g. ~/git-certs/cert.pem)
  3. Set git to trust this certificate using the http.sslCAInfo parameter

In more details:

Get self signed certificate of remote server

Assuming the server URL is repos.sample.com and you want to access it over port 443.

There are multiple options for how to get it.

Get certificate using openssl

$ openssl s_client -connect repos.sample.com:443

Catch the output into a file cert.pem and delete all but the part between (and including) -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Content of resulting file ~/git-certs/cert.pem may look like this:


Get certificate using your web browser

I use Redmine with Git repositories and I access the same URL for the web UI and for git command line access. This way, I had to add an exception for that domain in my web browser.

Using Firefox, I went to Options -> Advanced -> Certificates -> View Certificates -> Servers, found the self-signed host there, selected it and, using the Export button, got exactly the same file as created using openssl.

Note: I was a bit surprised that there is no name of the authority visibly mentioned. This is fine.

Having the trusted certificate in dedicated file

Previous steps shall result in having the certificate in some file. It does not matter what file it is, as long as it is visible to your git when accessing that domain. I used ~/git-certs/cert.pem.

Note: If you need more trusted self-signed certificates, put them into the same file:

-----BEGIN CERTIFICATE-----
MIIDnzCCAocCBE/xnXAwDQYJKoZIhvcNAQEFBQAwgZMxCzAJBgNVBAYTAkRFMRUw
...........
/27/jIdVQIKvHok2P/u9tvTUQA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AnOtHeRtRuStEdCeRtIfIcAtEgOeShErExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw
...........
/27/jIdVQIKvHok2P/u9tvTUQA==
-----END CERTIFICATE-----

This shall work (but I tested it only with a single certificate).

Configure git to trust this certificate

$ git config --global http.sslCAInfo /home/javl/git-certs/cert.pem

You may also try to do that system wide, using --system instead of --global.

And test it: you shall now be able to communicate with your server without resorting to:

$ git config --global http.sslVerify false #NO NEED TO USE THIS

If you already set your git to ignore ssl certificates, unset it:

$ git config --global --unset http.sslVerify

and you may also check that you did it all correctly, without spelling errors:

$ git config --global --list

which should list all variables you have set globally. (I misspelled http as htt.)
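The procedure above as an added shell example (not part of the original answer): it captures the certificate the server presents, prints a SHA-256 fingerprint to compare with the administrator over a separate channel, and pins the file for the one host the question asks about using git's http.<url>.sslCAInfo scoping instead of the global http.sslCAInfo. The host repos.sample.com, port 443 and the file ~/git-certs/cert.pem are the answer's assumed values; the function and script names are mine.

```shell
#!/bin/sh
# Added example, not part of the original answer: capture the server's self-signed
# certificate, pin it for one https host only, and check its fingerprint out of band.
# Assumed values: host repos.sample.com, port 443, file ~/git-certs/cert.pem.

# Keep only the PEM block(s) between BEGIN/END CERTIFICATE in captured s_client output.
extract_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Number of certificates in a PEM file (the answer's multi-certificate bundle is valid).
count_pem() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Fetch the leaf certificate the server presents; -servername sets SNI so a
# name-based virtual host returns its own certificate rather than a default one.
fetch_server_cert() {   # fetch_server_cert HOST PORT OUTFILE
    mkdir -p "$(dirname "$3")"
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# SHA-256 fingerprint of the first certificate in the file. Compare it with the value
# the server administrator gives you over a separate channel before trusting the file:
# s_client shows whatever certificate was on the wire, including an interposed one.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Trust the file for URLs under https://HOST/ only (git's http.<url>.* scoping) instead
# of a global http.sslCAInfo, so every other remote keeps using the system CA bundle,
# and make sure certificate checking was not switched off globally earlier.
pin_cert_for_host() {   # pin_cert_for_host HOST CERTFILE
    git config --global "http.https://$1/.sslCAInfo" "$2"
    git config --global --unset http.sslVerify 2>/dev/null || true
}

case "${1:-}" in
    pin)  # sh pin-git-cert.sh pin repos.sample.com 443 ~/git-certs/cert.pem
        fetch_server_cert "$2" "$3" "$4"
        echo "SHA-256 fingerprint: $(cert_fingerprint "$4")"
        pin_cert_for_host "$2" "$4"
        ;;
esac
```

Run with the pin subcommand once the fingerprint has been agreed with the administrator; afterwards git config --global --list shows the host-scoped http.https://repos.sample.com/.sslcainfo entry and no http.sslVerify override.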

Answered by Chris Langston

OSX User adjustments.

Following the steps of the Accepted answer worked for me with a small addition when configuring on OSX.

I put the cert.pem file in a directory under my OSX logged-in user, which caused me to adjust the location for the trusted certificate.

Configure git to trust this certificate:

$ git config --global http.sslCAInfo $HOME/git-certs/cert.pem