From: Edward Ned Harvey <git@nedharvey.com>
To: <git@vger.kernel.org>
Subject: git and SSL certificates
Date: Fri, 24 Feb 2012 14:11:27 -0500
Message-ID: <000501ccf328$1efe1070$5cfa3150$@nedharvey.com>

I have a git server hosted on https (github enterprise virtual appliance),
using a valid signed cert from startcom, which passes all the SSL checks for
any browser I use on any OS (IE, Firefox, Safari, Chrome, on Ubuntu, Mac
OSX, MS Win7) but when I connect to it using git, git complains about the
cert, but it's platform dependent, and it doesn't seem to make any sense...

Does git have its own set of SSL trusted root CAs compiled in at build time
or something? It seems weird that it's apparently not using the trusted
root CAs from the OS...

I have not tried re-signing my cert using a different CA. I see github uses
DigiCert. My clients do not complain about SSL cert when cloning from
github.

The test command is, simply:

    git clone https://user@server.com/user/project.git

(Obviously, using a real username, a real servername, and a real project
name instead of the line above.)

** On OSX, it works no problem. This is OSX 10.7 Lion, upgraded from 10.6
SL, with 4.1 upgraded from XCode 3.2.6. Git version 1.7.4.4

** On Ubuntu, oneiric x86_64, git version 1.7.5.4, it says:

error: server certificate verification failed. CAfile:
/etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing
https://user@server.com/user/project.git/info/refs
fatal: HTTP request failed

This is annoying, because ... It names the location where it's searching for
the root certificates, so I thought maybe the startcom root CA wasn't in
there, so I went and looked, and confirmed it's there. Compared the actual
pem encoded root ca cert string to the one that signed my server's cert, and
it's definitely there.

On Linux, users are able to work around this using GIT_SSL_NO_VERIFY=1, but
that kind of defeats the purpose. I don't want them doing this.

** On Win 7 64bit, tortoisegit 1.6.5.0 based on git 1.7.3.1, it says:

error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed while accessing https://user@server.com/user/project.git/info/refs
fatal: HTTP request failed
Cloning into C:\workdir

I don't see any way to work around it, but haven't looked very hard for a
Windows equivalent of GIT_SSL_NO_VERIFY.

** On Win 7 64bit, cygwin git version 1.7.9, it says:

error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed while accessing https://user@server.com/user/project.git/info/refs
fatal: HTTP request failed

Also, it ignores the presence of GIT_SSL_NO_VERIFY. So there isn't any
known workaround for cygwin.