使用Git,是否有一种方法告诉它接受自签名证书?
我使用https服务器托管git服务器,但目前证书是自签名的。
当我第一次尝试在那里创建回购时:
git push origin master -f
我得到了错误:
error: Cannot access URL
https://the server/git.aspx/PocketReferences/, return code 22
fatal: git-http-push failed
当前回答
I'm not a huge fan of the [EDIT: original versions of the] existing answers, because disabling security checks should be a last resort, not the first solution offered. Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent git operations at least makes life a lot harder for attacks which only occur after you have downloaded the certificate. In other words, if the certificate you downloaded is genuine, then you're good from that point onwards. In contrast, if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point.
举一个具体的例子:著名的repo.or.cz存储库提供了一个自签名证书。我可以下载这个文件,把它放在/etc/ssl/certs这样的地方,然后做:
# Initial clone
GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
git clone https://repo.or.cz/org-mode.git
# Ensure all future interactions with origin remote also work
cd org-mode
git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem
注意,在这里使用本地git配置(即不使用——global)意味着这个自签名证书只对这个特定的存储库受信任,这很好。它也比使用GIT_SSL_CAPATH更好,因为它消除了git通过不同的证书颁发机构进行验证的风险,这种风险可能会受到损害。
其他回答
我经常遇到这个问题,所以写了一个脚本从服务器下载自签名证书并将其安装到~/。然后更新git-config以指向这些证书。它存储在全局配置中,因此每个远程只需要运行一次。
https://github.com/iwonbigbro/tools/blob/master/bin/git-remote-install-cert.sh
在.gitconfig文件中,您可以添加以下给定值,以使自签名证书可接受
sslCAInfo = /home/XXXX/abc.crt
I'm not a huge fan of the [EDIT: original versions of the] existing answers, because disabling security checks should be a last resort, not the first solution offered. Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent git operations at least makes life a lot harder for attacks which only occur after you have downloaded the certificate. In other words, if the certificate you downloaded is genuine, then you're good from that point onwards. In contrast, if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point.
举一个具体的例子:著名的repo.or.cz存储库提供了一个自签名证书。我可以下载这个文件,把它放在/etc/ssl/certs这样的地方,然后做:
# Initial clone
GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
git clone https://repo.or.cz/org-mode.git
# Ensure all future interactions with origin remote also work
cd org-mode
git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem
注意,在这里使用本地git配置(即不使用——global)意味着这个自签名证书只对这个特定的存储库受信任,这很好。它也比使用GIT_SSL_CAPATH更好,因为它消除了git通过不同的证书颁发机构进行验证的风险,这种风险可能会受到损害。
在Windows上使用64位版本的Git,只需将自签名CA证书添加到这些文件中:
C:\Program Files\Git\mingw64\ssl\certs\ ca-bundle.crt C:\Program Files\Git\mingw64\ssl\certs\ ca-bundle.trust.crt
如果它只是一个服务器自签名证书,请将其添加到
C:\Program Files\Git\mingw64\ssl\cert.pem
它为我工作,只需运行以下命令
git config --global http.sslVerify false
它将打开一个git凭据窗口,提供您的凭据。第一次只有它问
