Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same license, cite the original URL and attribute it to the original authors (not me): StackOverflow, original at http://stackoverflow.com/questions/7814423/

Date: 2020-09-10 12:06:29  Source: igfitidea

SSL works with browser, wget, and curl, but fails with git

Tags: apache, git, ssl, redmine

Asked by stokastic

I have a website I am using to host redmine and several git repositories

This works perfectly for http, but I can't clone with https, i.e.

git clone http://mysite.com/git/test.git

works fine, but

git clone https://mysite.com/git/test.git

fails

The strange thing is that https seems to work for everything else I have tested. If I open

https://mysite.com/git/test.git

in a browser (tested in chrome and firefox), I get no errors or warnings. I can also

curl https://mysite.com/git/test.git
wget https://mysite.com/git/test.git

both of which work with no complaints or warnings.

Here is the verbose output from git:

$ GIT_CURL_VERBOSE=1 git clone https://user@mysite.com/test/test.git
Cloning into test...
Password:
* Couldn't find host mysite.com in the .netrc file; using defaults
* About to connect() to mysite.com port 443 (#0)
*   Trying 127.0.0.1... * Connected to mysite.com (127.0.0.1) port 443 (#0)
* found 157 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection #0
* Couldn't find host mysite.com in the .netrc file; using defaults
* About to connect() to mysite.com port 443 (#0)
*   Trying 127.0.0.1... * Connected to mysite.com (127.0.0.1) port 443 (#0)
* found 157 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection #0
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://user@mysite.com/test/test.git/info/refs

fatal: HTTP request failed

Here is the verbose output from curl, with the personal info changed:

* About to connect() to mysite.com port 443 (#0)
*   Trying 127.0.0.1... connected
* Connected to mysite.com (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: C=US; <... cut my certs info ...>
*        start date: 2011-10-18 00:00:00 GMT
*        expire date: 2013-10-17 23:59:59 GMT
*        subjectAltName: mysite.com matched
*        issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO High-Assurance Secure Server CA
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: mysite.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 18 Oct 2011 21:39:54 GMT
< Server: Apache/2.2.14 (Ubuntu)
< Last-Modified: Fri, 14 Oct 2011 03:20:01 GMT
< ETag: "8209c-87-4af39bb89ccac"
< Accept-Ranges: bytes
< Content-Length: 135
< Vary: Accept-Encoding
< Content-Type: text/html
< X-Pad: avoid browser bug
<
<p>Welcome to the mysite.com<p/>
* Connection #0 to host mysite.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

The only difference I can see is that git seems to be using an explicit CAfile while curl uses the whole directory? I'm new to ssl (at least on the admin side), so I'm not sure what this means or how I could configure git to work the same way as curl.

I am using git 1.7.5.4 and apache 2.2.14 on Ubuntu 10.04. I've tried cloning from 3 different linux hosts (including another account on the server itself), and nothing works.

I've also used the openssl tool to verify my cert on the server:

$openssl verify -purpose sslserver -CAfile chain.crt signed.pem 
signed.pem: OK

This may be related to the bug https://bugs.maemo.org/show_bug.cgi?id=4953 but it seems different because I am not getting any warning or errors in any other program.

It may be worth mentioning that I am using gitolite and redmine_git_hosting using smart http to do authentication over https. I don't think any of this is at fault though, because the problem exists even if I just stick an otherwise working bare repo in /var/www and access it directly. Also, git over ssh (with and without gitolite) works.

Please let me know if you have any idea what might be wrong or if you'd like some more info. I'd really prefer to get ssl working properly, as opposed to forcing everyone to disable certificate checking in git, although that is a current workaround.

Thanks for reading this long post!

Accepted answer by stokastic

It turns out that this was a gnuTLS issue. gnuTLS is order sensitive, while openssl is not. I re-ordered the certificates in my intermediate cert file and the problem went away.

Answer by Pete Clark

XCondE's answer will address the problem, but turning off security warnings always feels like a bad idea. If you're running on an ubuntu box, then the issue may be that the CA certificate for your web server isn't in the /etc/ssl/certs/ca-certificates.crt file. I ran into this with a git server hosted on a web server with a SSL certificate signed by www.incommon.org.

You can add the intermediate certificate to your ca-certificates file, as follows:

wget http://cert.incommon.org/InCommonServerCA.crt
openssl x509 -inform DER -in InCommonServerCA.crt -out incommon.pem
cat /etc/ssl/certs/ca-certificates.crt incommon.pem > ca-certs2.crt
sudo cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak
sudo cp ca-certs2.crt /etc/ssl/certs/ca-certificates.crt

There's a good discussion of what's going on behind the scenes here: http://curl.haxx.se/docs/sslcerts.html

Answer by Nathan Osman

I encountered this error with one of my Comodo PositiveSSL certificates and was able to fix it by changing the order of the intermediate certificates.

After ordering the certificate, I was provided with the following files:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • PositiveSSL Wildcard Certificate - STAR_mydomain_com.crt
Originally, the order of certificates in the .crt I was providing to Nginx was as follows:

  • PositiveSSL Wildcard Certificate - STAR_mydomain_com.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
However, I reversed the order of the last two certificates and Git no longer throws verification errors.

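
Both the accepted answer and this one come down to the same check: GnuTLS takes the chain in the order it is given, so each certificate must be immediately followed by the certificate that issued it. The script below is an added example, not code from either answer or from git/GnuTLS. It reads a PEM bundle, pulls the Issuer and Subject Name out of each certificate with a minimal DER walk, and reports every position where the next certificate is not the issuer; it checks names only, not signatures or validity. The `fake_cert_pem` helper and the COMODO/AddTrust chain built from it are constructed for the example (unsigned skeletons, not real certificates) so that it runs offline; the file name `check_chain_order.py` in the usage note is an assumption.

```python
"""Report where a PEM chain file breaks leaf-first, issuer-next order.
GnuTLS walks the chain as given, so certificate N+1 must be the issuer of
certificate N.  Names only are compared; signatures are not verified."""
import base64
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"   # id-at-commonName (2.5.4.3)


def pem_to_der(pem_bytes):
    """Split a PEM bundle into the DER bytes of each certificate, in file order."""
    return [base64.b64decode(b"".join(body.split())) for body in PEM_RE.findall(pem_bytes)]

def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend

def issuer_and_subject(der):
    """Return (issuer Name DER, subject Name DER) from one DER X.509 certificate."""
    _, cert_start, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)    # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                         # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, i_start, i_end = fields[2]
    _, s_start, s_end = fields[4]
    return der[i_start:i_end], der[s_start:s_end]

def common_name(name_der):
    """Pull the CN out of a Name value for readable messages; hex if it has none."""
    for _, rdn_start, rdn_end in _children(name_der, 0, len(name_der)):        # each RDN (SET)
        for _, atv_start, _ in _children(name_der, rdn_start, rdn_end):         # AttributeTypeAndValue
            _, oid_start, oid_end = _tlv(name_der, atv_start)
            if name_der[oid_start:oid_end] == OID_COMMON_NAME:
                _, v_start, v_end = _tlv(name_der, oid_end)
                return name_der[v_start:v_end].decode("utf-8", "replace")
    return name_der.hex()

def chain_order_errors(pem_bytes):
    """Return a list of problems; empty means every cert is directly followed by its issuer."""
    names = [issuer_and_subject(der) for der in pem_to_der(pem_bytes)]
    problems = []
    for i in range(len(names) - 1):
        issuer_i, subject_i = names[i]
        _, subject_next = names[i + 1]
        if issuer_i != subject_next:              # byte-compare the two DER Name values
            problems.append(f"cert {i} (CN={common_name(subject_i)}) is not followed by its issuer: "
                            f"expected CN={common_name(issuer_i)}, found CN={common_name(subject_next)}")
    return problems


# ---- constructed test data: unsigned certificate skeletons, not real certificates ----
def _der(tag, content):
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content

def _name(cn):
    """Name ::= SEQUENCE OF RelativeDistinguishedName, here a single CN attribute."""
    atv = _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert_pem(subject_cn, issuer_cn):
    """Build a PEM 'certificate' with only the fields the checker reads (no key, no signature)."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                    # version v3
           + _der(0x02, b"\x01")                                           # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
           + _name(issuer_cn)
           + _der(0x30, _der(0x17, b"111018000000Z") + _der(0x17, b"131017235959Z"))  # validity
           + _name(subject_cn)
           + _der(0x30, b""))                                              # subjectPublicKeyInfo stub
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))         # empty sig alg + signature
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"

LEAF, INTERMEDIATE, ROOT = "mysite.com", "COMODO High-Assurance Secure Server CA", "AddTrust External CA Root"
GOOD_CHAIN = fake_cert_pem(LEAF, INTERMEDIATE) + fake_cert_pem(INTERMEDIATE, ROOT) + fake_cert_pem(ROOT, ROOT)
SWAPPED_CHAIN = fake_cert_pem(LEAF, INTERMEDIATE) + fake_cert_pem(ROOT, ROOT) + fake_cert_pem(INTERMEDIATE, ROOT)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SWAPPED_CHAIN
    print("\n".join(chain_order_errors(data) or ["chain order OK"]))
```

Run it against a real bundle with `python3 check_chain_order.py chain.crt`, or feed it the output of `openssl s_client -connect mysite.com:443 -showcerts`, which prints the chain in the order the server actually sends it; that is the order GnuTLS sees, regardless of how an OpenSSL-based client reassembles it.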
Answer by Jonathan Wiepert

git uses gnutls for this stuff, which requires the CA be specified. This can be done per-repository with:

git config http.sslcapath <path to CA directory>

OR

git config http.sslcainfo <path to CA cert>

You can also specify --system or --global.

Answer by Thiago Figueiro

export GIT_SSL_NO_VERIFY=1

From http://blog.breadncup.com/2011/06/09/skip-git-ssl-verification/

WARNING: as some people mentioned, this disables verification, leaving you open to a slew of security issues. You shouldn't rely on it long-term but, in a pinch, it will get the job done.

Answer by FrankPak

The problem may be that you didn't configure Apache correctly.

You may have to add your server name to the Apache configuration file /etc/apache2/sites-enabled/default-ssl.conf, e.g.:

ServerName demo.personalserver.com

From: https://www.progclub.org/blog/2014/09/03/gnutls_handshake-failed-using-git/#comment-96924
