配置Git接受特定https远程的特定自签名服务器证书 [英] configure Git to accept a particular self-signed server certificate for a particular https remote

查看:276
本文介绍了配置Git接受特定https远程的特定自签名服务器证书的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我所在的项目的系统管理员已经决定SSH是太麻烦了;相反,他已经通过 https:// URL(和用户名/密码认证)设置了Git。该URL的服务器提供了自签名证书,因此他建议每个人关闭证书验证。这并不意味着我是一个好的设置,安全明智。



是否有可能告诉Git,对于远程X(或更好的是,任何存储库中的任何远程发生以 https:// $ SERVERNAME / 开头)是接受一个特定的证书,而只接受那个证书?基本上重复SSH的服务器密钥行为。

解决方案

简要说明:


  1. 获取自签名证书

  2. 将其放入一些文件(例如〜/ git-certs / cert.pem

  3. 使用 http.sslCAInfo 设置 git 来信任此证书。参数

详细信息:

获取远程服务器的自签名证书假设服务器URL是 repos.sample.com ,并且您想通过端口<$ c访问它 $ c $> 443 。



有多种选择,如何获得它。

< h2>使用openssl获取证书



  $ openssl s_client -connect repos.sample.com:443

将输出捕获到文件 cert.pem 中,并删除除包括) -BEGIN CERTIFICATE - -END CERTIFICATE - 



  ----- BEGIN CERTIFICATE ----- 
 MIIDnzCCAocCBE / xnXAwDQYJKoZIhvcNAQEFBQAwgZMxCzAJBgNVBAYTAkRFMRUw 
 EwYDVQQIEwxMb3dlciBTYXhvbnkxEjAQBgNVBAcTCVdvbGZzYnVyZzEYMBYGA1UE 
 ChMPU2FhUy1TZWN1cmUuY29tMRowGAYDVQQDFBEqLnNhYXMtc2VjdXJlLmNvbTEj 
 MCEGCSqGSIb3DQEJARYUaW5mb0BzYWFzLXNlY3VyZS5jb20wHhcNMTIwNzAyMTMw 
 OTA0WhcNMTMwNzAyMTMwOTA0WjCBkzELMAkGA1UEBhMCREUxFTATBgNVBAgTDExv 
 d2VyIFNheG9ueTESMBAGA1UEBxMJV29sZnNidXJnMRgwFgYDVQQKEw9TYWFTLVNl 
 Y3VyZS5jb20xGjAYBgNVBAMUESouc2Fhcy1zZWN1cmUuY29tMSMwIQYJKoZIhvcN 
 $ AQkBFhRpbmZvQHNhYXMtc2VjdXJlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP b $ b ADCCAQoCggEBAMUZ472W3EVFYGSHTgFV0LR2YVE1U // sZimhCKGFBhH3ZfGwqtu7 
 mzOhlCQef9nqGxgH + U5DG43B6MxDzhoP7R8e1GLbNH3xVqMHqEdcek8jtiJvfj2a 
 pRSkFTCVJ9i0GYFOQfQYV6RJ4vAunQioiw07OmsxL6C5l3K / R + qJTlStpPK5dv4z 
 SY + jmAcQMaIcWv8wgBAxdzo8UVwIL63gLlBz7WfSB2Ti5XBbse / 83wyNa5bPJPf1 
 U + 7uLSofz + dehHtgtKfHD8XpPoQBt0 Y9ExbLN1ysdR9XfsNfBI5K6Uokq / tVDxNi 
 SHM4 / 7uKNo / 4b7OP24hvCeXW8oRyRzpyDxMCAwEAATANBgkqhkiG9w0BAQUFAAOC 
 AQEAp7S / E1ZGCey5Oyn3qwP4q + geQqOhRtaPqdH6ABnqUYHcGYB77GcStQxnqnOZ 
 MJwIaIZqlz + 59taB6U2lG30u3cZ1FITuz + fWXdfELKPWPjDoHkwumkz3zcCVrrtI 
 ktRzk7AeazHcLEwkUjB5Rm75N9 + dOo6Ay89JCcPKb + tNqOszY10y6U3kX3uiSzrJ 
 ejSq / tRyvMFT1FlJ8tKoZBWbkThevMhx7jk5qsoCpLPmPoYCEoLEtpMYiQnDZgUc 
 TNoL1GjoDrjgmSen4QN5QZEGTOe / dsv1sGxWC + Tv / VwUl2GqVtKPZdKtGFqI8TLn 
 / 27 / jIdVQIKvHok2P / u9tvTUQA == 
 ----- END CERTIFICATE ----- 
   
 
 
我使用Redmine和Git存储库,并访问Web UI的相同URL和git命令行访问。这样,我不得不为该域添加异常到我的Web浏览器中。
 
 
 
使用Firefox,我去了 Options  - >高级 - >证书 - >查看证书 - > Servers ,在那里找到自签名的主机,选择它并使用 Export 按钮我得到了完全相同的文件,使用 openssl 
 
 
 
注意:我有点惊讶,没有明显提及权威的名字。这很好。 
 
 
在专用文件中拥有可信证书
 
 
 
先前的步骤应导致证书在一些文件。无关紧要,只要它在访问该域时对您的git可见即可。我使用〜/ git-certs / cert.pem  
 
 
 
注意:如果您需要更多可信的自签名证书,他们到同一个文件:
 
 
  ----- BEGIN CERTIFICATE ----- 
 MIIDnzCCAocCBE / xnXAwDQYJKoZIhvcNAQEFBQAwgZMxCzAJBgNVBAYTAkRFMRUw 
 ........... 
 / 27 / jIdVQIKvHok2P / u9tvTUQA == 
 ----- END CERTIFICATE ----- 
 ---- -BEGIN CERTIFICATE ----- 
 AnOtHeRtRuStEdCeRtIfIcAtEgOeShErExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw 
 ........... 
 / 27 / jIdVQIKvHok2P / u9tvTUQA == 
 ----- END CERTIFICATE ----- 
  
这将起作用(但我仅用单一证书对其进行了测试)。
 
 
 
配置git来信任这个证书
 
 
 
  $ git config --global http.sslCAInfo /home/javl/git-certs/cert.pem 
  
您也可以尝试在系统范围内,使用  -  system 而不是  -  global 
 
 
 
测试一下:您现在可以与您沟通r服务器而不诉诸于: 
 
 
  $ git config --global http.sslVerify false #NO需要使用这
  
如果您已将您的git设置为忽略ssl证书,请取消设置:
  $ git config --global --unset http.sslVerify 
  
,你也可以检查,你做的都正确,没有拼写错误: 
 
 
  $ git config  - -global --list 
  
应列出所有变量,您已全局设置。 (我把http拼写成htt)。
 
The sysadmin for a project I'm on has decided that SSH is "too much trouble"; instead, he has set up Git to be accessible via an https:// URL (and username/password authentication). The server for this URL presents a self-signed certificate, so he advised everyone to turn off certificate validation. This does not strike me as a good setup, security-wise.



Is it possible to tell Git that for remote X (or better, any remote in any repository that happens to begin with https://$SERVERNAME/) it is to accept a particular certificate, and only that certificate?  Basically reduplicate SSH's server-key behavior.
 解决方案 
Briefly:
    

  1. Get the self signed certificate
    2. 

  2. Put it into some (e.g. ~/git-certs/cert.pem) file
    3. 

  3. Set git to trust this certificate using http.sslCAInfo parameter
    4. 

In more details:



Get self signed certificate of remote server



Assuming, the server URL is repos.sample.com and you want to access it over port 443.



There are multiple options, how to get it.



Get certificate using openssl



$ openssl s_client -connect repos.sample.com:443

Catch the output into a file cert.pem and delete all but part between (and including) -BEGIN CERTIFICATE- and -END CERTIFICATE-



Content of resulting file ~/git-certs/cert.pem may look like this:
-----BEGIN CERTIFICATE-----
MIIDnzCCAocCBE/xnXAwDQYJKoZIhvcNAQEFBQAwgZMxCzAJBgNVBAYTAkRFMRUw
EwYDVQQIEwxMb3dlciBTYXhvbnkxEjAQBgNVBAcTCVdvbGZzYnVyZzEYMBYGA1UE
ChMPU2FhUy1TZWN1cmUuY29tMRowGAYDVQQDFBEqLnNhYXMtc2VjdXJlLmNvbTEj
MCEGCSqGSIb3DQEJARYUaW5mb0BzYWFzLXNlY3VyZS5jb20wHhcNMTIwNzAyMTMw
OTA0WhcNMTMwNzAyMTMwOTA0WjCBkzELMAkGA1UEBhMCREUxFTATBgNVBAgTDExv
d2VyIFNheG9ueTESMBAGA1UEBxMJV29sZnNidXJnMRgwFgYDVQQKEw9TYWFTLVNl
Y3VyZS5jb20xGjAYBgNVBAMUESouc2Fhcy1zZWN1cmUuY29tMSMwIQYJKoZIhvcN
AQkBFhRpbmZvQHNhYXMtc2VjdXJlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMUZ472W3EVFYGSHTgFV0LR2YVE1U//sZimhCKGFBhH3ZfGwqtu7
mzOhlCQef9nqGxgH+U5DG43B6MxDzhoP7R8e1GLbNH3xVqMHqEdcek8jtiJvfj2a
pRSkFTCVJ9i0GYFOQfQYV6RJ4vAunQioiw07OmsxL6C5l3K/r+qJTlStpPK5dv4z
Sy+jmAcQMaIcWv8wgBAxdzo8UVwIL63gLlBz7WfSB2Ti5XBbse/83wyNa5bPJPf1
U+7uLSofz+dehHtgtKfHD8XpPoQBt0Y9ExbLN1ysdR9XfsNfBI5K6Uokq/tVDxNi
SHM4/7uKNo/4b7OP24hvCeXW8oRyRzpyDxMCAwEAATANBgkqhkiG9w0BAQUFAAOC
AQEAp7S/E1ZGCey5Oyn3qwP4q+geQqOhRtaPqdH6ABnqUYHcGYB77GcStQxnqnOZ
MJwIaIZqlz+59taB6U2lG30u3cZ1FITuz+fWXdfELKPWPjDoHkwumkz3zcCVrrtI
ktRzk7AeazHcLEwkUjB5Rm75N9+dOo6Ay89JCcPKb+tNqOszY10y6U3kX3uiSzrJ
ejSq/tRyvMFT1FlJ8tKoZBWbkThevMhx7jk5qsoCpLPmPoYCEoLEtpMYiQnDZgUc
TNoL1GjoDrjgmSen4QN5QZEGTOe/dsv1sGxWC+Tv/VwUl2GqVtKPZdKtGFqI8TLn
/27/jIdVQIKvHok2P/u9tvTUQA==
-----END CERTIFICATE-----




Get certificate using your web browser



I use Redmine with Git repositories and I access the same URL for web UI and for git command line access. This way, I had to add exception for that domain into my web browser.



Using Firefox, I went to Options -> Advanced -> Certificates -> View Certificates -> Servers, found there the selfsigned host, selected it and using Export button I got exactly the same file, as created using openssl.



Note: I was a bit surprised, there is no name of the authority visibly mentioned. This is fine.



Having the trusted certificate in dedicated file



Previous steps shall result in having the certificate in some file. It does not matter, what file it is as long as it is visible to your git when accessing that domain. I used ~/git-certs/cert.pem



Note: If you need more trusted selfsigned certificates, put them into the same file:
-----BEGIN CERTIFICATE-----
MIIDnzCCAocCBE/xnXAwDQYJKoZIhvcNAQEFBQAwgZMxCzAJBgNVBAYTAkRFMRUw
...........
/27/jIdVQIKvHok2P/u9tvTUQA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AnOtHeRtRuStEdCeRtIfIcAtEgOeShErExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw
...........
/27/jIdVQIKvHok2P/u9tvTUQA==
-----END CERTIFICATE-----

This shall work (but I tested it only with single certificate).



Configure git to trust this certificate



$ git config --global http.sslCAInfo /home/javl/git-certs/cert.pem

You may also try to do that system wide, using --system instead of --global.



And test it: You shall now be able communicating with your server without resorting to:
$ git config --global http.sslVerify false #NO NEED TO USE THIS

If you already set your git to ignorance of ssl certificates, unset it:
$ git config --global --unset http.sslVerify

and you may also check, that you did it all correctly, without spelling errors:
$ git config --global --list

what should list all variables, you have set globally. (I mispelled http to htt).


                        
这篇关于配置Git接受特定https远程的特定自签名服务器证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆