无法使用自签名证书在 Windows 上使用 git 解决“无法获得本地颁发者证书”
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/23885449/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Unable to resolve "unable to get local issuer certificate" using git on Windows with self-signed certificate
提问by RichardHowells
I am using Git on Windows. I installed the msysGit package. My test repository has a self signed certificate at the server. I can access and use the repository using HTTP without problems. Moving to HTTPS gives the error:
我在 Windows 上使用 Git。我安装了 msysGit 包。我的测试存储库在服务器上有一个自签名证书。我可以毫无问题地使用 HTTP 访问和使用存储库。移动到 HTTPS 会出现错误:
SSL Certificate problem: unable to get local issuer certificate.
SSL 证书问题:无法获取本地颁发者证书。
I have the self signed certificate installed in the Trusted Root Certification Authorities of my Windows 7 - client machine. I can browse to the HTTPS repository URL in Internet Explorer with no error messages.
我在 Windows 7 客户端机器的受信任根证书颁发机构中安装了自签名证书。我可以在 Internet Explorer 中浏览到 HTTPS 存储库 URL,没有错误消息。
This blog post by Philip Kelleyexplained that cURL does not use the client machine's certificate store. I followed the blog post's advice to create a private copy of curl-ca-bundle.crtand configure Git to use it. I am sure Git is using my copy. If I rename the copy; Git complains the file is missing.
Philip Kelley 的这篇博文解释说 cURL 不使用客户端机器的证书存储。我按照博客文章的建议创建了一个私有副本curl-ca-bundle.crt并配置 Git 以使用它。我确信 Git 正在使用我的副本。如果我重命名副本;Git 抱怨文件丢失。
I pasted in my certificate, as mentioned in the blog post, I still get the message "unable to get local issuer certificate".
我粘贴了我的证书,如博客文章中所述,我仍然收到消息“无法获得本地颁发者证书”。
I verified that Git was still working by cloning a GitHub Repository via HTTPS.
我通过 HTTPS 克隆 GitHub 存储库来验证 Git 仍在工作。
The only thing I see that's different to the blog post is that my certificate isthe root - there is no chain to reach it. My certificate originally came from clicking the IIS8 IIS Manager link 'Create Self Signed Certificate'. Maybe that makes a certificate different in some way to what cURL expects.
我看到的唯一与博客文章不同的是我的证书是根 - 没有链可以到达它。我的证书最初来自单击 IIS8 IIS 管理器链接“创建自签名证书”。也许这会使证书在某些方面与 cURL 所期望的有所不同。
How can I get Git/cURL to accept the self signed certificate?
如何让 Git/cURL 接受自签名证书?
采纳答案by RichardHowells
The answer to this question Using makecert for Development SSLfixed this for me.
这个问题的答案Using makecert for Development SSL为我解决了这个问题。
I do not know why, but the certificate created by the simple 'Create Self Signed Certificate' link in IIS Manager does not do the trick. I followed the approach in the linked question of creating and installing a self-signed CA Root; then using that to issue a Server Authentication Certificate for my server. I installed both of them in IIS.
我不知道为什么,但是由 IIS 管理器中简单的“创建自签名证书”链接创建的证书并不能解决问题。我遵循了创建和安装自签名 CA 根的链接问题中的方法;然后使用它为我的服务器颁发服务器身份验证证书。我在IIS中安装了它们。
That gets my situation the same as the blog post referenced in the original question. Once the root certificate was copy/pasted into curl-ca-bundle.crt the git/curl combo were satisfied.
这使我的情况与原始问题中引用的博客文章相同。一旦根证书被复制/粘贴到 curl-ca-bundle.crt 中,git/curl 组合就会得到满足。
回答by Samir
Open Git Bash and run the command if you want to completely disable SSL verification.
如果要完全禁用 SSL 验证,请打开 Git Bash 并运行该命令。
git config --global http.sslVerify false
Note: This solution may open you to attacks like man-in-the-middle attacks. Therefore turn on verification again as soon as possible:
注意:此解决方案可能会让您面临中间人攻击等攻击。因此,请尽快再次打开验证:
git config --global http.sslVerify true
回答by Ihor Zenich
The problem is that git by default using the "Linux" crypto backend.
问题是 git 默认使用“Linux”加密后端。
Beginning with Git for Windows 2.14, you can now configure Git to use SChannel, the built-in Windows networking layer as the crypto backend. This means that you it will use the Windows certificate storage mechanism and you do not need to explicitly configure the curl CA storage mechanism: https://msdn.microsoft.com/en-us/library/windows/desktop/aa380123(v=vs.85).aspx
从适用于 Windows 的 Git 2.14 开始,您现在可以将 Git 配置为使用 SChannel,即内置的 Windows 网络层作为加密后端。这意味着您将使用 Windows 证书存储机制,并且您不需要显式配置 curl CA 存储机制:https: //msdn.microsoft.com/en-us/library/windows/desktop/aa380123(v= vs.85).aspx
Just execute:
只需执行:
git config --global http.sslbackend schannel
That should helps.
那应该有帮助。
Using schannel is by now the standard setting when installing git for windows, also it is recommended to not checkout repositories by SSH anmore if possible, as https is easier to configure and less likely to be blocked by a firewall it means less chance of failure.
使用 schannel 是现在为 windows 安装 git 时的标准设置,如果可能的话,也建议不要再通过 SSH 检出存储库,因为 https 更容易配置并且不太可能被防火墙阻止,这意味着失败的机会更少。
回答by kiddailey
I had this issue as well. In my case, I was trying to get a post-receive Git hook to update a working copy on a server with each push. Tried to follow the instructions in the blog you linked to. Didn't work for me as well and overriding the settings on a per-user basis didn't seem to work either.
我也有这个问题。就我而言,我试图获得一个 post-receive Git 钩子,以在每次推送时更新服务器上的工作副本。尝试按照您链接到的博客中的说明进行操作。对我也不起作用,并且在每个用户的基础上覆盖设置似乎也不起作用。
What I ended up having to do was disable SSL verification (as the article mentions) for Git as a whole. Not the perfect solution, but it'll work until I can figure out a better one.
我最终不得不做的是禁用整个 Git 的 SSL 验证(如文章所述)。不是完美的解决方案,但它会起作用,直到我找到更好的解决方案。
I edited the Git config text file (with my favorite line-ending neutral app like Notepad++) located at:
我编辑了位于以下位置的 Git 配置文本文件(使用我最喜欢的行尾中性应用程序,如 Notepad++):
C:\Program Files (x86)\Git\etc\gitconfig
C:\Program Files (x86)\Git\etc\gitconfig
In the [http] block, I added an option to disable sslVerify. It looked like this when I was done:
在 [http] 块中,我添加了一个禁用 sslVerify 的选项。当我完成时,它看起来像这样:
[http]
sslVerify = false
sslCAinfo = /bin/curl-ca-bundle.crt
That did the trick.
这就是诀窍。
NOTE:
笔记:
This disables SSL verification and is not recommended as a long term solution.
You can disable this per-repository which still isn't great, but localizes the setting.
With the advent of LetsEncrypt.org, it is now fairly simple, automated and free to set up SSL as an alternative to self-signed certs and negates the need to turn off sslVerify.
这会禁用 SSL 验证,因此不建议将其作为长期解决方案。
您可以禁用每个存储库,这仍然不是很好,但可以本地化设置。
随着 LetsEncrypt.org 的出现,现在设置 SSL 作为自签名证书的替代方案变得相当简单、自动化和免费,并且不需要关闭 sslVerify。
回答by Oliver
kiddaileyI think was pretty close, however I would not disable ssl verification but rather rather just supply the local certificate:
Kiddailey我认为非常接近,但是我不会禁用 ssl 验证,而只是提供本地证书:
In the Git config file
在 Git 配置文件中
[http]
sslCAinfo = /bin/curl-ca-bundle.crt
Or via command line:
或者通过命令行:
git config --global http.sslCAinfo /bin/curl-ca-bundle.crt
回答by Nadeem Jamali
I faced this issue as well. And finally got resolved by getting guidance from this MSDN Blog.
我也遇到了这个问题。最终通过从这个 MSDN 博客获得指导得到了解决。
Update
更新
Actually you need to add the certificate in git's certificates file curl-ca-bundel.cert that resides in Git\bin directory.
实际上,您需要将证书添加到 Git\bin 目录下的 git 证书文件 curl-ca-bundel.cert 中。
Steps
脚步
- Open your github page in browser, and click over lock icon in address bar.
- In the opened little popup up navigate to 'view certificate' link, it will open a popup window.
- In which navigate to certificates tab (3rd in my case). Select the top node that is root certificate. And press copy certificate button in the bottom and save the file.
- In file explorer navigate Git\bin directory and open curl-ca-bundle.crt in text editor.
- Open the exported certificate file (in step 3) in text editor as well.
- Copy all of the content from exported certificate to the end of curl-ca-bundle.crt, and save.
- 在浏览器中打开您的 github 页面,然后单击地址栏中的锁定图标。
- 在打开的小弹出窗口中导航到“查看证书”链接,它将打开一个弹出窗口。
- 其中导航到证书选项卡(在我的情况下为第三个)。选择根证书的顶级节点。然后按底部的复制证书按钮并保存文件。
- 在文件资源管理器中导航 Git\bin 目录并在文本编辑器中打开 curl-ca-bundle.crt。
- 也在文本编辑器中打开导出的证书文件(在步骤 3 中)。
- 将导出的证书中的所有内容复制到 curl-ca-bundle.crt 的末尾,并保存。
Finally check the status. Please note that backup curl-ca-bundle.crt file before editing to remain on safe side.
最后检查状态。请注意在编辑之前备份 curl-ca-bundle.crt 文件以保持安全。
回答by zionyx
To avoid disabling ssl verification entirely or duplicating / hacking the bundled CA certificate file used by git, you can export the host's certificate chain into a file, and make git use it:
为避免完全禁用 ssl 验证或复制/破解 git 使用的捆绑 CA 证书文件,您可以将主机的证书链导出到文件中,并让 git 使用它:
git config --global http.https://the.host.com/.sslCAInfo c:/users/me/the.host.com.cer
If that does not work, you can disable ssl verification onlyfor the host:
如果这不起作用,您可以仅为主机禁用 ssl 验证:
git config --global http.https://the.host.com/.sslVerify false
Note : Subjected to possible man in the middle attacks when ssl verification is turned off.
注意:当 ssl 验证关闭时,可能会受到中间人攻击。
回答by JamesD
I've just had the same issue but using sourcetree on windows Same steps for normal GIT on Windows as well. Following the following steps I was able to solve this issue.
我刚刚遇到了同样的问题,但在 Windows 上使用 sourcetree 在 Windows 上使用普通 GIT 的步骤也相同。按照以下步骤,我能够解决这个问题。
- Obtain the server certificate tree This can be done using chrome. Navigate to be server address. Click on the padlock icon and view the certificates. Export all of the certificate chain as base64 encoded files (PEM) format.
- Add the certificates to the trust chain of your GIT trust config file Run "git config --list". find the "http.sslcainfo" configuration this shows where the certificate trust file is located. Copy all the certificates into the trust chain file including the "- -BEGIN- -" and the "- -END- -".
- Make sure you add the entire certificate Chain to the certificates file
- 获取服务器证书树 这可以使用 chrome 来完成。导航到服务器地址。单击挂锁图标并查看证书。将所有证书链导出为 base64 编码文件 (PEM) 格式。
- 将证书添加到您的 GIT 信任配置文件的信任链中运行“git config --list”。找到“http.sslcainfo”配置,它显示了证书信任文件所在的位置。将所有证书复制到信任链文件中,包括“- -BEGIN- -”和“- -END- -”。
- 确保将整个证书链添加到证书文件中
This should solve your issue with the self-signed certificates and using GIT.
这应该可以解决您使用自签名证书和使用 GIT 的问题。
I tried using the "http.sslcapath" configuration but this did not work. Also if i did not include the whole chain in the certificates file then this would also fail. If anyone has pointers on these please let me know as the above has to be repeated for a new install.
我尝试使用“http.sslcapath”配置,但这不起作用。此外,如果我没有在证书文件中包含整个链,那么这也会失败。如果有人对这些有指示,请告诉我,因为新安装必须重复上述操作。
If this is the system GIT then you can use the options in TOOLS -> options GIt tab to use the system GIT and this then solves the issue in sourcetree as well.
如果这是系统 GIT,那么您可以使用 TOOLS -> options GIt 选项卡中的选项来使用系统 GIT,这也解决了 sourcetree 中的问题。
回答by Jawad Al Shaikh
In case of github Repositories (or any none-self-signed certs), choosing below while installing Git-on-windows, resolved the issue.
对于github 存储库(或任何非自签名证书),在安装 Git-on-windows 时选择以下解决了该问题。
回答by Ben P.P. Tung
I have had this issue before, and solve it using the following config.
我以前遇到过这个问题,并使用以下配置解决它。
[http "https://your.domain"]
sslCAInfo=/path/to/your/domain/priviate-certificate
[http "https://your.domain"]
sslCAInfo=/path/to/your/domain/priviate-certificate
Since git 2.3.1, you can put https://your.domainafter http to indicate the following certificate is only for it.
从 git 2.3.1 开始,你可以https://your.domain在 http 后面放上,表示下面的证书只针对它。
