Configure Git to accept a particular self-signed server certificate for a particular https remote


Question

The sysadmin for a project I'm on has decided that SSH is "too much trouble"; instead, he has set up Git to be accessible via an https:// URL (and username/password authentication). The server for this URL presents a self-signed certificate, so he advised everyone to turn off certificate validation. This does not strike me as a good setup, security-wise.

Is it possible to tell Git that for remote X (or better, any remote in any repository that happens to begin with https://$SERVERNAME/) it is to accept a particular certificate, and only that certificate? Basically reduplicate SSH's server-key behavior.

Answer

Briefly:

  1. Get the self-signed certificate
  2. Put it into some file (e.g. ~/git-certs/cert.pem)
  3. Set git to trust this certificate using the http.sslCAInfo parameter

More details:

Assuming the server URL is repos.sample.com and you want to access it over port 443.

There are multiple options for how to get it.

$ openssl s_client -connect repos.sample.com:443

Catch the output into a file cert.pem and delete all but the part between (and including) -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

Content of the resulting file ~/git-certs/cert.pem may look like this:

-----BEGIN CERTIFICATE-----
...........
-----END CERTIFICATE-----

Get certificate using your web browser

I use Redmine with Git repositories and I access the same URL for the web UI and for git command line access. This way, I had to add an exception for that domain into my web browser.

Using Firefox, I went to Options -> Advanced -> Certificates -> View Certificates -> Servers, found the self-signed host there, selected it and, using the Export button, I got exactly the same file as created using openssl.

Note: I was a bit surprised that there is no name of the authority visibly mentioned. This is fine.

The previous steps shall result in having the certificate in some file. It does not matter what file it is, as long as it is visible to your git when accessing that domain. I used ~/git-certs/cert.pem

Note: If you need more trusted self-signed certificates, put them into the same file:

-----BEGIN CERTIFICATE-----
MIIDnzCCAocCBE/xnXAwDQYJKoZIhvcNAQEFBQAwgZMxCzAJBgNVBAYTAkRFMRUw
...........
/27/jIdVQIKvHok2P/u9tvTUQA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AnOtHeRtRuStEdCeRtIfIcAtEgOeShErExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw
...........
/27/jIdVQIKvHok2P/u9tvTUQA==
-----END CERTIFICATE-----

This shall work (but I tested it only with a single certificate).

$ git config --global http.sslCAInfo /home/javl/git-certs/cert.pem

You may also try to do that system wide, using --system instead of --global.

And test it: you shall now be able to communicate with your server without resorting to:

$ git config --global http.sslVerify false #NO NEED TO USE THIS

If you already set your git to ignore ssl certificates, unset it:

$ git config --global --unset http.sslVerify

and you may also check that you did it all correctly, without spelling errors:

$ git config --global --list

which should list all variables you have set globally. (I misspelled http as htt.)
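The manual step above ("delete all but the part between BEGIN and END") and the global `http.sslCAInfo` setting can be scripted, and the trust can be narrowed to the one server the question actually asks about. The script below is an added example, not part of the original answer: it extracts the PEM block from captured `openssl s_client` output, offers a fingerprint for out-of-band comparison with what the sysadmin publishes (so the first fetch is not blindly trusted), and pins the file with `http.<url>.sslCAInfo`, which Git applies only to remotes whose URL starts with that prefix. The `s_client` output embedded here is constructed with a placeholder body; the server name and certificate path are the ones used in the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): extract the PEM block from
# captured `openssl s_client` output and pin it for one https server only.
# Constructed/assumed: the sample s_client output below (placeholder body,
# not a real certificate), the server name repos.sample.com and the
# path ~/git-certs/cert.pem taken from the answer.

# Keep only the lines from -----BEGIN CERTIFICATE----- to
# -----END CERTIFICATE----- (inclusive); everything else s_client prints
# (connection info, verify errors, session data) is discarded.
extract_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Constructed stand-in for:
#   openssl s_client -connect repos.sample.com:443 </dev/null
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = repos.sample.com
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = repos.sample.com
   i:CN = repos.sample.com
---
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64LINE1
PLACEHOLDERBASE64LINE2
-----END CERTIFICATE-----
subject=CN = repos.sample.com
---'

# Number of lines extract_pem keeps from the constructed sample
# (the BEGIN line, two body lines and the END line).
pem_line_count() {
    printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_pem | wc -l | tr -d ' '
}

# First line of the extracted block; lets a caller confirm the
# leading noise from s_client was dropped.
pem_first_line() {
    printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_pem | head -n 1
}

# SHA-256 fingerprint of a PEM file, to compare out of band with the value
# the server admin publishes before the file is trusted (needs a real cert).
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Scope the trust to one origin instead of every https remote:
# http.<url>.sslCAInfo applies only to remote URLs that start with <url>.
pin_for_server() {
    server="$1"
    certfile="$2"
    git config --global "http.https://$server/.sslCAInfo" "$certfile"
}

# Live usage (not executed here):
#   mkdir -p ~/git-certs
#   openssl s_client -connect repos.sample.com:443 </dev/null 2>/dev/null \
#       | extract_pem > ~/git-certs/cert.pem
#   pem_fingerprint ~/git-certs/cert.pem   # compare with the admin's value
#   pin_for_server repos.sample.com ~/git-certs/cert.pem
#   git config --global --unset http.sslVerify   # if it was ever set to false
```

Because a self-signed certificate is its own issuer, passing it as the CA file means Git accepts that certificate and nothing else for the server, which is the SSH-like behaviour the question asks for; a certificate rotation on the server then fails loudly until the new file is distributed and its fingerprint is checked again.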
