SSL适用于浏览器，wget的，和卷曲，但没有使用Git [英] SSL works with browser, wget, and curl, but fails with git

问题描述

我有一个网站，我使用托管管理平台和几个Git仓库

I have a website I am using to host redmine and several git repositories

这完全适用于HTTP，但我不能以https克隆，即

This works perfectly for http, but I can't clone with https, i.e.

git clone http://mysite.com/git/test.git

工作正常，但

git clone https://mysite.com/git/test.git

失败

但奇怪的是，似乎HTTPS对于一切我已经测试工作。如果我打开

The strange thing is that https seems to work for everything else I have tested. If I open

https://mysite.com/git/test.git

在浏览器（在Chrome和Firefox测试），我没有得到任何错误或警告。我也可以

in a browser (tested in chrome and firefox), I get no errors or warnings. I can also

curl https://mysite.com/git/test.git
wget https://mysite.com/git/test.git

这两个工作，无投诉或警告。

both of which work with no complaints or warnings.

下面是混帐输出的详细：

Here is the verbose output from git:

$ GIT_CURL_VERBOSE=1 git clone https://user@mysite.com/test/test.git
Cloning into test...
Password:
* Couldn't find host mysite.com in the .netrc file; using defaults
* About to connect() to mysite.com port 443 (#0)
*   Trying 127.0.0.1... * Connected to mysite.com (127.0.0.1) port 443 (#0)
* found 157 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection #0
* Couldn't find host mysite.com in the .netrc file; using defaults
* About to connect() to mysite.com port 443 (#0)
*   Trying 127.0.0.1... * Connected to mysite.com (127.0.0.1) port 443 (#0)
* found 157 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection #0
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://user\
@mysite.com/test/test.git/info/refs

fatal: HTTP request failed

下面是卷曲输出的详细，与个人信息更改：

Here is the verbose output from curl, with the personal info changed:

* About to connect() to mysite.com port 443 (#0)
*   Trying 127.0.0.1... connected
* Connected to mysite.com (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: C=US; <... cut my certs info ...>
*        start date: 2011-10-18 00:00:00 GMT
*        expire date: 2013-10-17 23:59:59 GMT
*        subjectAltName: mysite.com matched
*        issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO High-Assurance Secure Server CA
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: mysite.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 18 Oct 2011 21:39:54 GMT
< Server: Apache/2.2.14 (Ubuntu)
< Last-Modified: Fri, 14 Oct 2011 03:20:01 GMT
< ETag: "8209c-87-4af39bb89ccac"
< Accept-Ranges: bytes
< Content-Length: 135
< Vary: Accept-Encoding
< Content-Type: text/html
< X-Pad: avoid browser bug
<
<p>Welcome to the mysite.com<p/>
* Connection #0 to host mysite.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

我能看到的唯一区别是，混帐似乎同时卷曲使用整个目录中使用显式凭证档案错误？我是新来的SSL（至少在管理方），所以我不知道这意味着什么或如何可以配置的git的工作方式为曲一样的。

The only difference I can see is that git seems to be using an explicit CAfile while curl uses the whole directory? I'm new to ssl (at least on the admin side), so I'm not sure what this means or how I could configure git to work the same way as curl.

我使用在Ubuntu 10.04混帐1.7.5.4和Apache 2.2.14。我试过从3个不同的Linux主机（包括服务器本身的另一个帐户）克隆，无法工作。

I am using git 1.7.5.4 and apache 2.2.14 on Ubuntu 10.04. I've tried cloning from 3 different linux hosts (including another account on the server itself), and nothing works.

我也用在OpenSSL工具来验证我的服务器上的证书：

I've also used the openssl tool to verify my cert on the server:

$openssl verify -purpose sslserver -CAfile chain.crt signed.pem 
signed.pem: OK

这可能与该bug https://bugs.maemo.org/show_bug.cgi?id= 4953 但因为我没有得到任何其他程序中的任何警告或错误似乎有所不同。

This may be related to the bug https://bugs.maemo.org/show_bug.cgi?id=4953 but it seems different because I am not getting any warning or errors in any other program.

这可能是值得一提，我使用gitolite和 redmine_git_hosting 使用智能HTTP办通过https认证。我不认为任何这是有过错，但因为存在问题，即使我只是坚持在/ var / WWW的工作，不然裸露的回购和直接访问它。此外，git的通过ssh（有和没有gitolite）的作品。

It may be worth mentioning that I am using gitolite and redmine_git_hosting using smart http to do authentication over https. I don't think any of this is at fault though, because the problem exists even if I just stick an otherwise working bare repo in /var/www and access it directly. Also, git over ssh (with and without gitolite) works.

请让我知道如果你有任何想法可能是错误的，或者如果你想要一些更多的信息。我真的preFER获得SSL正常工作，而不是强迫大家禁用证书在Git中检查，尽管这是一个当前的解决方法。

Please let me know if you have any idea what might be wrong or if you'd like some more info. I'd really prefer to get ssl working properly, as opposed to forcing everyone to disable certificate checking in git, although that is a current workaround.

感谢您阅读这篇很长的帖子！

Thanks for reading this long post!

推荐答案

原来，这是一个GNUTLS问题。 GNUTLS是为了敏感，而OpenSSL是不是。我重新排序的证书在我的中间证书文件和问题走了。

It turns out that this was a gnuTLS issue. gnuTLS is order sensitive, while openssl is not. I re-ordered the certificates in my intermediate cert file and the problem went away

这篇关于SSL适用于浏览器，wget的，和卷曲，但没有使用Git的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！