I have a corporate git server working through https using a self-signed certificate. The local clone contains two remotes — the origin pointing to that server, and another pointing to github. By default pulling from the origin fails:
$ git pull
fatal: unable to access 'https://[email protected]/git/fizzbuzz.git/': SSL certificate problem: self signed certificate
The github remote works fine.
There are two often-suggested solutions:
git config http.sslVerify false
which is a bad idea, and the one suggested at "configure Git to accept a particular self-signed server certificate for a particular https remote":
git config http.sslCAInfo <downloaded certificate>.pem
which fixes pulling from origin, but breaks the github remote:
$ git pull github
fatal: unable to access 'https://github.com/user/fizzbuzz.git/': SSL certificate problem: unable to get local issuer certificate
How can I make pulling from the corporate server work without breaking pulling from github?
Import the self-signed certificate to the client Windows computer. On the Windows computer, start MMC (mmc.exe). Add the Certificates snap-in for the computer account and manage certificates for the local computer. Import the self-signed certificate into Trusted Root Certification Authorities > Certificates.
When using SSL for non-production applications or other experiments, you can use a self-signed SSL certificate. Though the certificate implements full encryption, visitors to your site will see a browser warning indicating that the certificate should not be trusted.
The biggest challenge with self-signed certificates is that security teams often lack visibility over how many they have, where they are installed, who owns them, and how the private key is stored. It's hard enough keeping track of certificates issued by a number of different public and private CAs.
A self-signed certificate is created, signed, and issued by the subject of the certificate (the entity it is issued to), while a CA certificate is created, signed, and issued by a third party called a certificate authority (CA) that is authorized to validate the identity of the applicant.
If you are using Git 1.8.5+ (August 2013), you can specify http directives per URL(!).
In your case:
git config --global http."https://code.example.com/".sslVerify false
#
# or, if not on default 443 port:
# git config --global http."https://code.example.com:<aPort>/".sslVerify false
That would disable SSL verification only for code.example.com, not for other URLs.
Or:
git config --global http."https://code.example.com/".sslCAInfo <downloaded certificate>.pem
Same idea: sslCAInfo would point to <downloaded certificate>.pem only for code.example.com URLs.
It is possible to add your certificate in the Git system certificate store, which, with git-for-windows, would be in C:\path\to\PortableGit-2.6.1-64-bit\usr\ssl\certs\ca-bundle.crt.
It isn't the best practice, though, unless you have to distribute a Git distro with internal certificates in it.
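To confirm that a per-URL entry is scoped the way the answer above describes, `git config --get-urlmatch` reports the value git would apply to a given remote URL. The script below is an added example, not part of the original answer; the certificate path and the function names are placeholders, and it works on a temporary config file rather than your real configuration. It also lists any entry that switches verification off.

```shell
#!/bin/sh
# Added example. code.example.com is the host used in the answer above;
# the .pem path and the function names are placeholders chosen here.
CORP_URL="https://code.example.com/"
CORP_PEM="/etc/ssl/corp/corp-git-ca.pem"

# scope_ca <config-file>: trust the corporate certificate for CORP_URL only.
scope_ca() {
    git config --file "$1" "http.${CORP_URL}.sslCAInfo" "$CORP_PEM"
}

# effective <config-file> <key> <remote-url>: value git applies to that URL,
# or "unset" when no entry matches (git then falls back to its default).
effective() {
    git config --file "$1" --get-urlmatch "$2" "$3" 2>/dev/null || echo unset
}

# verification_disabled <config-file>: keys (global or per-URL) that turn
# certificate verification off, the setting the question calls a bad idea.
verification_disabled() {
    git config --file "$1" --bool --get-regexp '^http\.(.*\.)?sslverify$' \
        2>/dev/null | awk '$NF == "false" { print $1 }'
}

# Demo on a throwaway config file, so no real git configuration is touched.
demo_cfg=$(mktemp)
scope_ca "$demo_cfg"
for url in "${CORP_URL}git/fizzbuzz.git" "https://github.com/user/fizzbuzz.git"; do
    printf '%s\n  sslCAInfo: %s\n  sslVerify: %s\n' "$url" \
        "$(effective "$demo_cfg" http.sslCAInfo "$url")" \
        "$(effective "$demo_cfg" http.sslVerify "$url")"
done
rm -f "$demo_cfg"
```

Pass `~/.gitconfig` or a repository's `.git/config` as the config file to run the same checks against a real setup.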