Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


git - Adding self-signed SSL certificate without disabling authority-signed ones

I have a corporate git server working through https using a self-signed certificate. The local clone contains two remotes — the origin pointing to that server, and another pointing to github. By default pulling from the origin fails:

$ git pull
fatal: unable to access 'https://user@code.example.com/git/fizzbuzz.git/': SSL certificate problem: self signed certificate

The github remote works fine.

There are two often-suggested solutions:

git config http.sslVerify false

which is a bad idea, and the one suggested at configure Git to accept a particular self-signed server certificate for a particular https remote:

git config http.sslCAInfo <downloaded certificate>.pem

which fixes pulling from origin, but breaks the github remote:

$ git pull github
fatal: unable to access 'https://github.com/user/fizzbuzz.git/': SSL certificate problem: unable to get local issuer certificate

How to make pulling from the corporate server work without breaking pulling from github?


1 Reply


If you are using Git 1.8.5+ (August 2013), you can specify http directives per URL(!).

In your case:

git config --global http."https://code.example.com/".sslVerify false
#
# or, if not on default 443 port:
#
git config --global http."https://code.example.com:<aPort>/".sslVerify false

That would disable SSL verification only for code.example.com, not for other URLs.

Or:

git config --global http."https://code.example.com/".sslCAInfo <downloaded certificate>.pem

Same idea: sslCAInfo would point to <downloaded certificate>.pem only for code.example.com URLs.

It is possible to add your certificate in the Git system certificate store, which, with git-for-windows, would be in C:\path\to\PortableGit-2.6.1-64-bit\usr\ssl\certs\ca-bundle.crt.
It isn't the best practice, though, unless you have to distribute a Git distro with internal certificates in it.
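
An offline way to check which URLs the per-URL `sslCAInfo` setting from the answer above actually applies to, using `git config --get-urlmatch`. This is an added example, not part of the original answer; the scratch config file, the placeholder path in `CA_FILE` and the `effective` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: ask Git, without any network access, which http.* value
# it would apply to a given URL when the setting is scoped per URL.

# Placeholder path (assumption); `git config` stores it without reading the file.
CA_FILE="/path/to/corp-ca.pem"

# Scratch config file, so the real ~/.gitconfig is left untouched.
CFG=$(mktemp)

# Same setting as in the answer, written to the scratch file instead of --global.
git config --file "$CFG" "http.https://code.example.com/.sslCAInfo" "$CA_FILE"

# Hypothetical helper: print the http.<key> value Git would apply to URL $2,
# or "(default)" when no entry in the scratch file matches that URL.
effective() {
    v=$(git config --file "$CFG" --get-urlmatch "http.$1" "$2") || v="(default)"
    printf '%s\n' "$v"
}

# Constructed sample URLs: the corporate remote from the question (with its
# user@ part), the same host on a non-default port, and the github remote.
for url in \
    "https://user@code.example.com/git/fizzbuzz.git/" \
    "https://code.example.com:8443/git/fizzbuzz.git/" \
    "https://github.com/user/fizzbuzz.git/"
do
    printf '%-50s sslCAInfo=%s sslVerify=%s\n' "$url" \
        "$(effective sslCAInfo "$url")" "$(effective sslVerify "$url")"
done
```

Only the first URL picks up the corporate certificate file. The github URL and the `:8443` URL keep the defaults, which is why a server on a non-default port needs the port in the config key, as the comment in the answer says.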

