From: Josef Wolf <jw@raven.inka.de>
To: git@vger.kernel.org
Subject: Howto setup-git-server-over-http.txt with SSL and basic authentication?
Date: Fri, 17 Oct 2008 18:06:04 +0200
Message-ID: <20081017160603.GD9707@raven.wolf.lan>

Hello folks,

I am new to git and I am trying to set up a git repository as described in
http://www.kernel.org/pub/software/scm/git/docs/howto/setup-git-server-over-http.txt
but with SSL and basic authentication.

This is what I have done:

1. Create bare git repository on the server:

     root: mkdir -p /data/git/test
     root: ( cd /data/git/test ; git --bare init )
     root: chown -R wwwrun:www /data/git

2. Add a new DAV location to the (existing and already working) apache
   config, pointing to the newly created git repository. I list only
   the relevant parts here:

     LoadModule dav_svn_module /usr/lib/apache2/mod_dav_svn.so
     LoadModule dav_fs_module  /usr/lib/apache2/mod_dav_fs.so

     DAVLockDB "/data/dav/lock/DAV.lock"

     Alias /git/test /data/git/test
     <Location /git/test>
       DAV on
       Order Allow,Deny
       Allow from all
       AllowOverride None
       AuthName "test"
       AuthType Basic
       AuthUserFile /m/b/httpd/passwd
       AuthGroupFile /m/b/httpd/group
       Require group test test-ro
       SSLRequireSSL
       <LimitExcept GET PROPFIND OPTIONS REPORT>
         Require group test
       </LimitExcept>
     </Location>

3. Now it's time to test DAV access, so I go to the client:

     konqueror webdavs://repo.host.org/git/test

   After asking for credentials, Konqueror shows me content, and I can
   read/copy/delete files to/from the DAV directory. So the server
   seems to work fine.

   Now I go test curl:

     $ curl --cacert /etc/cacerts/myca.pem \
            https://user@repo.host.org/git/test/HEAD

   fails with "authentication required", but

     $ curl --cacert /etc/cacerts/myca.pem --user user \
            https://user@repo.host.org/git/test/HEAD

   works fine. So I put this information into ~/.curlrc:

     $ cat ~/.curlrc
     --cacert /etc/cacerts/myca.pem
     --user user
     $ curl https://repo.host.org/git/test/HEAD
     Enter host password for user 'user':
     ref: refs/heads/master
     $

   This looks good now.

4. OK, now I go to the next step on the client:

     $ git-config remote.upload.url https://repo.host.org/git/test/
     error: could not lock config file .git/config
     $

   Hmm, maybe I should have an empty repos here? So:

     $ git init
     Initialized empty Git repository in /tmp/test/.git/
     $ git-config remote.upload.url https://repo.host.org/git/test/
     $ git push upload master
     error: Cannot access URL https://repo.host.org/git/test/, return code 60
     error: failed to push some refs to 'https://repo.host.org/git/test/'

   OK, from the above-mentioned howto, this looks like cacert is missing.
   Looks like (unlike the howto states) ~/.curlrc is ignored by git.
   So I go searching for appropriate configuration options in git:

     $ git-config http.sslCAPath /etc/cacerts

   doesn't help (why?), but

     $ git-config http.sslCAInfo /etc/cacerts/myca.pem
     $ git push upload master
     error: Cannot access URL https://repo.host.org/git/test/, return code 22
     error: failed to push some refs to 'https://repo.host.org/git/test/'

   Finally, that's a new error code. This is probably because the server
   requires authentication. But I can't find any hints how to specify
   credentials in git-config or git-push.

So now come my questions:

0. The howto says curl is used for transport. Why is my ~/.curlrc ignored?
1. Since .curlrc is ignored: How do I specify credentials for git?
2. Why doesn't sslCAPath work?
3. Is there a way to override credentials and sslCAPath on a per-remote
   basis (as can be done with http.proxy, for example)?

Any hints?