添加自签名 SSL 证书而不禁用授权签名证书 [英] Adding self-signed SSL certificate without disabling authority-signed ones

问题描述

我有一个使用自签名证书通过 https 工作的公司 git 服务器.本地克隆包含两个遥控器——一个指向那个服务器的源，另一个指向 github.默认情况下，从原点拉取失败:

I have a corporate git server working through https using self-signed certificate. The local clone contains two remotes — the origin pointing to that server, and another pointing to github. By default pulling from the origin fails:

$ git pull
fatal: unable to access 'https://user@code.example.com/git/fizzbuzz.git/': SSL certificate problem: self signed certificate

github 远程工作正常.

The github remote works fine.

通常建议的解决方案有两种:

There are two often-suggested solutions:

git config http.sslVerify false

这是一个坏主意，在 配置 Git 以接受特定 https 远程的特定自签名服务器证书:

which is a bad idea, and the one suggested at configure Git to accept a particular self-signed server certificate for a particular https remote:

git config http.sslCAInfo <downloaded certificate>.pem

修复了从原点拉取的问题，但破坏了 github 远程:

which fixes pulling from origin, but break the github remote:

$ git pull github
fatal: unable to access 'https://github.com/user/fizzbuzz.git/': SSL certificate problem: unable to get local issuer certificate

如何在不中断从 github 拉取的情况下从企业服务器拉取工作?

How to make pulling from the corporate server work without breaking pulling from github?

推荐答案

如果您使用的是 Git 1.8.5+(2013 年 8 月)，您可以 为每个 URL(!) 指定 http 指令.

If you are using Git 1.8.5+ (August 2013), you can specify http directives per URL(!).

就你而言:

git config --global http."https://code.example.com/".sslVerify false
#
# or, if not on default 443 port:
#
git config --global http."https://code.example.com:<aPort>/".sslVerify false

这将仅对 code.example.com 禁用 SSL 验证，而不是对其他 URL.

That would disable SSL verification only for code.example.com, not for other URLs.

或者:

git config --global http."https://code.example.com/".sslCAInfo <downloaded certificate>.pem

相同的想法:sslCAInfo 将指向 .pem 仅用于 code.example.com URL.

Same idea: sslCAInfo would point to <downloaded certificate>.pem only for code.example.com URLs.

可以将您的证书添加到 Git 系统证书存储中，使用 git-for-windows，将位于 C:path oPortableGit-2.6.1-64-bitusrsslcertsca-bundle.crt.
不过，这不是最佳做法，除非您必须分发带有内部证书的 Git 发行版.

It is possible to add your certificate in the Git system certificate store, which, with git-for-windows, would be in C:path oPortableGit-2.6.1-64-bitusrsslcertsca-bundle.crt.
It isn't the best practice, though, unless you have to distribute a Git distro with internal certificates in it.

这篇关于添加自签名 SSL 证书而不禁用授权签名证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！