* git and SSL certificates
@ 2012-02-24 19:11 Edward Ned Harvey
From: Edward Ned Harvey @ 2012-02-24 19:11 UTC (permalink / raw)
To: git
I have a git server hosted on https (github enterprise virtual appliance),
using a valid signed cert from startcom, which passes all the SSL checks for
any browser I use on any OS (IE, Firefox, Safari, Chrome, on Ubuntu, Mac
OSX, MS Win7) but when I connect to it using git, git complains about the
cert, but it's platform dependent, and it doesn't seem to make any sense...
Does git have its own set of SSL trusted root CA's compiled in at build time
or something? It seems weird that it's apparently not using the trusted
root CA's from the OS...
I have not tried re-signing my cert using a different CA. I see github uses
DigiCert. My clients do not complain about SSL cert when cloning from
github.
The test command is, simply:
git clone https://user@server.com/user/project.git
(Obviously, using a real username, a real servername, and a real project
name instead of the line above.)
** On OSX, it works no problem. This is OSX 10.7 Lion, upgraded from 10.6
SL, with 4.1 upgraded from XCode 3.2.6. Git version 1.7.4.4
** On ubuntu, oneiric x86_64, git version 1.7.5.4, it says:
error: server certificate verification failed. CAfile:
/etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing
https://user@server.com/user/project.git/info/refs
fatal: HTTP request failed
This is annoying, because ... It names the location where it's searching for
the root certificates, so I thought maybe the startcom root CA wasn't in
there, so I went and looked, and confirmed it's there. Compared the actual
pem encoded root ca cert string to the one that signed my server's cert, and
it's definitely there.
On linux, users are able to workaround using GIT_SSL_NO_VERIFY=1, but that
kind of defeats the purpose. I don't want them doing this.
** On Win 7 64bit, tortoisegit 1.6.5.0 based on git 1.7.3.1, it says:
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed while accessing https://user@server.com/user/project.git/info/refs
fatal: HTTP request failed
Cloning into C:\workdir
I don't see any way to workaround, but haven't looked very hard for a
windows equivalent of GIT_SSL_NO_VERIFY
** On Win 7 64bit, cygwin git version 1.7.9, it says:
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed while accessing https://user@server.com/user/project.git/info/refs
fatal: HTTP request failed
Also, it ignores the presence of GIT_SSL_NO_VERIFY. So there isn't any
known workaround for cygwin.
* Re: git and SSL certificates
From: Shawn Pearce @ 2012-02-24 19:27 UTC (permalink / raw)
To: Edward Ned Harvey; +Cc: git
On Fri, Feb 24, 2012 at 11:11, Edward Ned Harvey <git@nedharvey.com> wrote:
> I have a git server hosted on https (github enterprise virtual appliance),
> using a valid signed cert from startcom, which passes all the SSL checks for
> any browser I use on any OS (IE, Firefox, Safari, Chrome, on Ubuntu, Mac
> OSX, MS Win7) but when I connect to it using git, git complains about the
> cert, but it's platform dependent, and it doesn't seem to make any sense...
> Does git have its own set of SSL trusted root CA's compiled in at build time
> or something? It seems weird that it's apparently not using the trusted
> root CA's from the OS...
Nope. Git uses the system's libcurl, which is probably using the
system's libssl or libgnutls, which is using the system's
certificates.
* RE: git and SSL certificates
From: Edward Ned Harvey @ 2012-02-24 20:01 UTC (permalink / raw)
To: 'Shawn Pearce'; +Cc: git
> From: Shawn Pearce [mailto:spearce@spearce.org]
> Sent: Friday, February 24, 2012 2:27 PM
>
> Nope. Git uses the system's libcurl, which is probably using the
> system's libssl or libgnutls, which is using the system's
> certificates.
Thanks, this gives me more fuel to go on, because now I know I can reproduce
the problem using any other tool I want - curl for example. Where I'm able
to specify -v for verbose, and get its cert search path.
It's still really bizarre, because the Startcom root CA is indeed present in
the search path, and it is indeed the same root CA that was used to sign my
server cert. So now I'll go ask startcom what they think about it...
If anyone is interested, please say so, and I'll report back here.
Otherwise, I'll probably just let the thread die.
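The thread ends without a diagnosis, but the symptom Ned describes (the
Startcom root is present in the CAfile, yet libcurl/OpenSSL rejects the
chain while browsers accept it) can be reproduced offline with the same
verification libssl performs. The script below is an added example, not
code from this thread or from git; it builds a throwaway root CA,
intermediate CA and server certificate in a temp directory (the names
"Example Root CA", "Example Intermediate CA" and the host name server.com
are constructed for the demo) and then verifies the leaf against the root
alone, and against the root plus the intermediate. Having the root in the
CA bundle is not enough if the server does not send the intermediate that
actually signed its certificate; browsers often paper over that with a
cached or fetched intermediate, OpenSSL does not. Whether that was the
cause in Ned's case is not established by the thread; it is one explanation
consistent with what he reports.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the chain verification
# that libcurl/OpenSSL does, using a throwaway PKI built in a temp dir.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension snippets: the intermediate must be a CA, the leaf must not.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:server.com
EOF

# 1. Self-signed root: this is the only thing the client trusts, the
#    equivalent of the Startcom root sitting in ca-certificates.crt.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
  -extfile ca.ext -out root.crt 2>/dev/null

# 2. Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile ca.ext -out int.crt 2>/dev/null

# 3. Server (leaf) certificate signed by the intermediate, not the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=server.com" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 365 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# check_chain MODE: verify leaf.crt with root.crt as the only trust anchor.
#   root_only         -> client has the root in its CAfile and nothing else
#   with_intermediate -> the intermediate is also available, as it would be
#                        if the server sent it during the TLS handshake
# Prints OK or FAIL and always returns 0, so it is safe under set -e.
check_chain() {
  case "$1" in
    root_only)         extra="" ;;
    with_intermediate) extra="-untrusted int.crt" ;;
    *) echo "usage: check_chain root_only|with_intermediate" >&2; return 2 ;;
  esac
  # $extra is intentionally unquoted: it is either empty or two words.
  if openssl verify -CAfile root.crt $extra leaf.crt >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

echo "root only:         $(check_chain root_only)"
echo "with intermediate: $(check_chain with_intermediate)"
```

The first check fails with "unable to get local issuer certificate" even
though the root is trusted, because nothing links the leaf to it; the second
succeeds once the intermediate is supplied. Against a real server the
equivalent checks are `openssl s_client -connect server.com:443 -showcerts`,
which prints every certificate the server actually sends, and running git
with `GIT_CURL_VERBOSE=1` to see libcurl's own handshake and CAfile
diagnostics. If the bundle itself is the problem, `git config http.sslCAInfo
/path/to/ca.pem` points git at a specific CA file without disabling
verification the way GIT_SSL_NO_VERIFY does.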