Invalid SSL certificate when pushing to Git server

Problem description

I am running Gitblit on a Windows Server and am trying to push data to a repository from another machine on the network. I have used a SSL certificate (not self signed, but I think signed by my company? Not really sure how that works but Chrome, IE, etc. see it is identity verified).

The server that runs Gitblit is named itscm and on the developer's desktop I am using this URL to push data via TortoiseGit:

git.exe push --progress  "https://itscm:8234/git/TestRepo.git" master

However, I get this error:

fatal: unable to access 'https://itscm:8234/git/TestRepo.git/': SSL certificate problem: self signed certificate in certificate chain

When I go to that address in chrome, I get a 404 on the page, BUT I can see that the padlock in the URL bar is green. When I click the padlock I see that the identity is verified. I don't understand how my browser sees this certificate as valid but when I try to push data to it via Git, it fails.

Solution

Git for Windows has its own trust store of trusted certificates which is normally located in the file

  • Git for Windows <=1.9: [Git installdir]\bin\curl-ca-bundle.crt (e.g., C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt; configured by the key http.sslCAinfo in [Git installdir]\etc\gitconfig).
  • Git for Windows >= 2.0: [Git installdir]\mingwXX\ssl\certs\ca-bundle.crt where XX stands for 32 or 64 (e.g., C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt; configured by the key http.sslCAinfo in C:\ProgramData\Git\config).

Disabling checking of certificates (e.g., by setting git config http.sslVerify false) is not a good idea and might be extremely dangerous (as all security checks are disabled and MitM attacks are easily possible - depending where this is set it applies for all new https connections).

In order to add a certificate (may it be a self-signed one or another root certificate) to this trust store in order to automatically trust it, you have to perform the following steps:

  1. Open the URL of the site in Internet Explorer
  2. Click on the lock symbol in the local bar and choose "Show certificates" (or choose Properties of the site and click on "Certificates")
  3. (Optional) Select the certificate you want to trust on the certificate chain (third tab) and open it
  4. Go to the second tab "Details"
  5. Click on "Save to file", choose "Base64-encoded X.509 (.CER)" and save it with a unique name (remember that name; a name w/o spaces is recommended).
  6. Now you have several options

    1. Use a separate certificate trust store which only contains your just downloaded cert, by executing git config --global http.sslCAinfo "[yourfilename]" in a cli shell in order to only use this certificate as the trust store.
    2. Use a separate certificate trust store which contains your just downloaded cert and all certificates from the git trust store, by appending all content from the system trust store file (path see above) and then execute git config --global http.sslCAinfo "[yourfilename]" in a cli shell in order to use this new trust store.
    3. Update the system certificate file, by appending the content of your just saved file to [path-to-git-trust-store-crt-file] (e.g. by type [yourfilename] >> [path-to-git-trust-store-crt-file] in a cli shell running with administrative rights) OR using notepad (make a copy of the ca-bundle.crt file on desktop, append the content of the downloaded .crt file and then copy it back). Disadvantage: changes might get overwritten on git update.

Done. Now, this certificate is in the trust store of Git for Windows.
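
Option 2 above as a Git Bash script, added here as an example and not part of the original answer: it rejects an export that is not Base64 X.509, builds the combined bundle in a separate file, and can limit http.sslCAinfo to the one server. The function names and the company-root.cer and git-ca-bundle.crt file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: option 2 from the answer, run from Git Bash.
# Function names and file paths are illustrative, not part of Git.

# True only for Base64 (PEM) text holding at least one certificate.
# A binary DER export fails here; appending it would corrupt the bundle.
is_pem_cert() {
  [ -f "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
              && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Prints how many certificates a PEM file holds.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_bundle <git-ca-bundle> <exported-cert> <output-bundle>
# Copies Git's bundle and appends the exported certificate. The shipped
# bundle is never modified, so a Git update cannot undo the change.
build_bundle() {
  bb_base=$1; bb_extra=$2; bb_out=$3
  is_pem_cert "$bb_base"  || { echo "not a PEM bundle: $bb_base" >&2; return 1; }
  is_pem_cert "$bb_extra" || { echo "not Base64 X.509: $bb_extra" >&2; return 1; }
  bb_tmp="$bb_out.tmp.$$"
  # echo guards against a missing final newline; tr strips Windows CRs.
  { cat "$bb_base"; echo; tr -d '\r' < "$bb_extra"; } > "$bb_tmp" || return 1
  mv "$bb_tmp" "$bb_out"
}

# use_bundle <output-bundle> [url]
# Points Git at the new bundle. With a URL, Git's http.<url>.* form of the
# key limits the setting to that one server.
use_bundle() {
  if [ -n "${2:-}" ]; then
    git config --global "http.$2.sslCAInfo" "$1"
  else
    git config --global http.sslCAInfo "$1"
  fi
}

# Typical use (paths are examples; company-root.cer is the file saved in step 5):
#   build_bundle "C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt" \
#                "$HOME/company-root.cer" "$HOME/git-ca-bundle.crt"
#   use_bundle "$HOME/git-ca-bundle.crt" "https://itscm:8234/"
```

Repeating the push afterwards without the "SSL certificate problem" error confirms that the bundle is in use while certificate verification stays enabled.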
