Invalid SSL certificate when pushing to Git server


Problem description

I am running Gitblit on a Windows Server and am trying to push data to a repository from another machine on the network. I have used an SSL certificate (not self-signed, but I think signed by my company? Not really sure how that works but Chrome, IE, etc. see it is identity verified).

The server that runs Gitblit is named itscm and on the developer's desktop I am using this URL to push data via TortoiseGit:

git.exe push --progress  "https://itscm:8234/git/TestRepo.git" master

However, I get this error:

fatal: unable to access 'https://itscm:8234/git/TestRepo.git/': SSL certificate problem: self signed certificate in certificate chain

When I go to that address in Chrome, I get a 404 on the page, BUT I can see that the padlock in the URL bar is green. When I click the padlock I see that the identity is verified. I don't understand how my browser sees this certificate as valid but when I try to push data to it via Git, it fails.

Recommended answer

Git for Windows has its own trust store of trusted certificates, which is normally located in the file:

  • Git for Windows <=1.9: [Git installdir]\bin\curl-ca-bundle.crt (e.g., C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt; configured by the key http.sslCAinfo in [Git installdir]\etc\gitconfig).
  • Git for Windows >= 2.0: [Git installdir]\mingwXX\ssl\certs\ca-bundle.crt where XX stands for 32 or 64 (e.g., C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt; configured by the key http.sslCAinfo in git config, e.g. C:\Program Files\Git\etc or your global/local config).

Disabling checking of certificates (e.g., by setting git config http.sslVerify false) is not a good idea and might be extremely dangerous (as all security checks are disabled and MitM attacks are easily possible - depending where this is set it applies for all new https connections).

In order to add a certificate (may it be a self-signed one or another root certificate) to this trust store in order to automatically trust it, you have to perform the following steps (the first five steps are just to gather the certificate, this can also be done with your favorite browser, but might require different tasks):

  1. Open the URL of the site in Microsoft Edge
  2. Click on the lock symbol in the local bar and choose "Connection is safe" and then click on the certificate symbol.
  3. (Optional) Select the certificate you want to trust on the certificate chain (third tab) and open it
  4. Go to the second tab "Details"
  5. Click on "Save to file", choose "Base64-encoded X.509 (.CER)" and save it with a unique name (remember that name; a name w/o spaces is recommended).

Now you have several options:

  1. Use a separate certificate trust store which only contains your just downloaded cert, by executing git config --global http.sslCAinfo "[yourfilename]" in a cli shell in order to only use this certificate as the trust store.
  2. Use a separate certificate trust store which contains your just downloaded cert and all certificates from the git trust store, by appending all content from the system trust store file (path see above) and then execute git config --global http.sslCAinfo "[yourfilename]" in a cli shell in order to use this new trust store.
  3. Update the system certificate file, by appending the content of your just saved file to [path-to-git-trust-store-crt-file] (e.g. by type [yourfilename] >> [path-to-git-trust-store-crt-file] in a cli shell running with administrative rights) OR using notepad (make a copy of the ca-bundle.crt file on desktop, append the content of the downloaded .crt file and then copy it back). Disadvantage: changes might get overwritten on git update

Done. Now, this certificate is in the trust store of Git for Windows.

Recent versions of Git for Windows can also use the Windows certificate store, which might be more convenient in a corporate environment. This can be configured on installation.
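
Option 2 above as a script, added here as an example and not part of the original answer: it writes a separate bundle made of Git's bundle plus the exported certificate, strips the CRLF line endings of a Windows export, rejects a file that is not a single Base64 certificate, and skips a certificate that is already present. The function names and the corp-bundle.crt file name are assumptions.

```sh
#!/bin/sh
# Added example, not from the original answer. Works in Git Bash or any POSIX shell.

# pem_bodies FILE: print one line per certificate, holding its base64 body.
# Stripping CR makes a CRLF export from Windows comparable to Git's LF bundle.
pem_bodies() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /^-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside                         { body = body $0 }'
}

# build_bundle BASE CERT OUT: write OUT = BASE plus CERT unless BASE already has it.
# OUT must be a different file from BASE. Prints "added" or "present".
build_bundle() {
    base=$1 cert=$2 out=$3
    body=$(pem_bodies "$cert")
    count=$(printf '%s' "$body" | grep -c . || true)
    # 0 blocks: a DER-encoded export (wrong format in step 5); 2+: a chain file.
    if [ "$count" != 1 ]; then
        echo "expected exactly one Base64-encoded certificate in $cert" >&2
        return 1
    fi
    tr -d '\r' < "$base" > "$out"
    if pem_bodies "$base" | grep -qxF -e "$body"; then
        echo present
    else
        {
            printf '\n%s\n' '-----BEGIN CERTIFICATE-----'
            printf '%s\n' "$body" | fold -w 64
            printf '%s\n' '-----END CERTIFICATE-----'
        } >> "$out"
        echo added
    fi
}

# Usage (placeholders as in the answer; corp-bundle.crt is an assumed file name):
#   build_bundle "[path-to-git-trust-store-crt-file]" "[yourfilename]" "$HOME/corp-bundle.crt"
#   git config --global http.sslCAinfo "$HOME/corp-bundle.crt"
# To limit the extra trust to one server, use the URL-scoped key instead:
#   git config --global http.https://itscm:8234/.sslCAinfo "$HOME/corp-bundle.crt"
```

Because the result is a separate file, Git's own ca-bundle.crt stays untouched and a Git update cannot overwrite the change.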
