SSL 证书被拒绝尝试通过防火墙后的 HTTPS 访问 GitHub [英] SSL certificate rejected trying to access GitHub over HTTPS behind firewall

问题描述

我被困在防火墙后面，因此必须使用 HTTPS 访问我的 GitHub 存储库.我在 Windows XP 上使用 cygwin 1.7.7.

I'm stuck behind a firewall so have to use HTTPS to access my GitHub repository. I'm using cygwin 1.7.7 on Windows XP.

我已尝试将遥控器设置为 https://username@github.com/username/ExcelANT.git，但会提示输入密码，但一旦我没有做任何事情已经进入了.https://username:<password>github.com/username/ExcelANT.git 并从头开始克隆空的 repo，但每次都给我同样的错误

I've tried setting the remote to https://username@github.com/username/ExcelANT.git, but pushing prompts for a password, but doesn't do anything once I've entered it. https://username:<password>github.com/username/ExcelANT.git and cloning the empty repo from scratch but each time it gives me the same error

错误:SSL 证书问题，验证 CA 证书是否正常.详情:
错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:访问 https://github.com 时证书验证失败/username/ExcelANT.git/info/refs

error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs

打开 GIT_CURL_VERBOSE=1 给我

* 即将 connect() 到 github.com 端口 443 (#0)
* 正在尝试 207.97.227.239... * 成功设置证书验证位置:
* CAfile:无
CApath:/usr/ssl/certs
* SSL证书问题，验证CA证书是否OK.详情:
错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败
* 过期清除
* 关闭连接 #0
* 即将 connect() 到 github.com 端口 443 (#0)
* 正在尝试 207.97.227.239... * 成功设置证书验证位置:
* CAfile:无
CApath:/usr/ssl/certs
* SSL证书问题，验证CA证书是否OK.详情:
错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败
* 过期清除
* 关闭连接 #0
错误:SSL 证书问题，验证 CA 证书是否正常.详情:
错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:访问 https://github.com 时证书验证失败/username/ExcelANT.git/info/refs

* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239... * successfully set certificate verify locations:
* CAfile: none
CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Expire cleared
* Closing connection #0
* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239... * successfully set certificate verify locations:
* CAfile: none
CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Expire cleared
* Closing connection #0
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs

fatal: HTTP request failed

这是我的防火墙、cygwin 还是什么问题?

Is this a problem with my firewall, cygwin or what?

我没有在 Git 配置中设置 HTTP 代理，但它是一个需要 NTLM 身份验证的 ISA 服务器，而不是基本身份验证，所以除非有人知道如何强制 git 使用 NTLM，否则我会陷入困境.

I hadn't set the HTTP proxy in the Git config, however it's an ISA server that needs NTLM authentication, not basic, so unless anyone knows how to force git to use NTLM, I'm scuppered.

推荐答案

如果您想解决证书问题，请随意跳过此答案.这个答案涉及通过防火墙的隧道 ssh，恕我直言，这是处理防火墙/代理事物的更好解决方案.

Feel free to skip past this answer if you want to fix the certificates issue. This answer deals with tunneling ssh through the firewall which is IMHO a better solution to dealing with firewall/proxy thingies.

有一个比使用http访问更好的方法，那就是在ssh.github.com服务器的443端口上使用github提供的ssh服务.

There is a better way than using http access and that is to use the ssh service offered by github on port 443 of the ssh.github.com server.

我们使用一种叫做开瓶器的工具.这适用于 CygWin(通过 cygwin 主页上的设置)和使用您最喜欢的打包工具的 Linux.对于 MacOSX，它至少可以从 macports 和 brew 获得.

We use a tool called corkscrew. This is available for both CygWin (through setup from the cygwin homepage) and Linux using your favorite packaging tool. For MacOSX it is available from macports and brew at least.

命令行如下:

$ corkscrew <proxyhost> <proxyport> <targethost> <targetport> <authfile>

proxyhost和proxyport是https代理的坐标.targethost 和 targetport 是要通过隧道连接的主机的位置.authfile 是一个文本文件，其中 1 行包含您的代理服务器用户名/密码，用冒号分隔

The proxyhost and proxyport are the coordinates of the https proxy. The targethost and targetport is the location of the host to tunnel to. The authfile is a textfile with 1 line containing your proxy server username/password separated by a colon

例如:

abc:very_secret

安装使用普通"ssh 协议进行 git 通信

Installation for using "normal" ssh protocol for git communication

通过将这个添加到 ~/.ssh/config 这个技巧可以用于正常的 ssh 连接.

By adding this to the ~/.ssh/config this trick can be used for normal ssh connections.

Host github.com
  HostName ssh.github.com
  Port 443
  User git
  ProxyCommand corkscrew <proxyhost> <proxyport> %h %p ~/.ssh/proxy_auth

现在你可以通过 ssh-ing 到 gitproxy 来测试它的工作原理

now you can test it works by ssh-ing to gitproxy

pti@pti-laptop:~$ ssh github.com
PTY allocation request failed on channel 0
Hi ptillemans! You've successfully authenticated, but GitHub does not provide shell access.
       Connection to github.com closed.
pti@pti-laptop:~$

(注意:如果你以前从未登录过github，ssh会要求将服务器密钥添加到已知的hosts文件中.如果你是偏执狂，建议将RSA指纹验证到github上显示的那个您上传密钥的网站).

(Note: if you never logged in to github before, ssh will be asking to add the server key to the known hosts file. If you are paranoid, it is recommended to verify the RSA fingerprint to the one shown on the github site where you uploaded your key).

当您需要使用另一个密钥(例如将您的私人帐户与您的专业帐户分开.

A slight variant on this method is the case when you need to access a repository with another key, e.g. to separate your private account from your professional account.

# 
# account dedicated for the ACME private github account 
#
Host acme.github.com
  User git
  HostName ssh.github.com
  Port 443
  ProxyCommand corkscrew <proxyhost> <3128> %h %p ~/.ssh/proxy_auth
  IdentityFile ~/.ssh/id_dsa_acme

享受吧！

我们多年来一直在 Linux、Mac 和 Windows 上使用它.

We've been using this for years now on both Linux, Macs and Windows.

如果你愿意，你可以 阅读在这篇博文中了解更多信息

这篇关于SSL 证书被拒绝尝试通过防火墙后的 HTTPS 访问 GitHub的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！