我的回答可能晚了，但对我有用。它可能会帮助某些人。

我尝试了上面提到的步骤，但没有解决问题。

试试这个git配置——global http。sslVerify假

I'm not a huge fan of the [EDIT: original versions of the] existing answers, because disabling security checks should be a last resort, not the first solution offered. Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent git operations at least makes life a lot harder for attacks which only occur after you have downloaded the certificate. In other words, if the certificate you downloaded is genuine, then you're good from that point onwards. In contrast, if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point.

举一个具体的例子:著名的repo.or.cz存储库提供了一个自签名证书。我可以下载这个文件，把它放在/etc/ssl/certs这样的地方，然后做:

# Initial clone
GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
    git clone https://repo.or.cz/org-mode.git

# Ensure all future interactions with origin remote also work
cd org-mode
git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem

注意，在这里使用本地git配置(即不使用——global)意味着这个自签名证书只对这个特定的存储库受信任，这很好。它也比使用GIT_SSL_CAPATH更好，因为它消除了git通过不同的证书颁发机构进行验证的风险，这种风险可能会受到损害。

我经常遇到这个问题，所以写了一个脚本从服务器下载自签名证书并将其安装到~/。然后更新git-config以指向这些证书。它存储在全局配置中，因此每个远程只需要运行一次。

https://github.com/iwonbigbro/tools/blob/master/bin/git-remote-install-cert.sh

Git自签名证书配置

博士tl;

永远不要禁用所有SSL验证! 这造成了一种糟糕的安全文化。不要成为那样的人。

您需要的配置键是:

http。sslverify -始终为真。见上注。

这些用于配置您信任的主机证书

http.sslCAPath http.sslCAInfo

它们用于配置您的证书以响应SSL挑战。

http.sslCert http.sslCertPasswordProtected

选择性地将上述设置应用于特定主机。

http。< url >。*

自签名证书颁发机构的全局.gitconfig

为了我自己和我的同事，本文介绍了如何在不禁用sslVerify的情况下使自签名证书工作。编辑你的.gitconfig，使用gitconfig——global -e添加以下内容:

# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[credential "https://your.domain.com"]
  username = user.name

  # Uncomment the credential helper that applies to your platform
  # Windows
  # helper = manager

  # OSX
  # helper = osxkeychain

  # Linux (in-memory credential helper)
  # helper = cache

  # Linux (permanent storage credential helper)
  # https://askubuntu.com/a/776335/491772

# Specify the scheme and host as a 'context' that only these settings apply 
# Must use Git v1.8.5+ for these contexts to work
[http "https://your.domain.com"]
  ##################################
  # Self Signed Server Certificate #
  ##################################

  # MUST be PEM format
  # Some situations require both the CAPath AND CAInfo 
  sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
  sslCAPath = /path/to/selfCA/
  sslVerify = true

  ###########################################
  # Private Key and Certificate information #
  ###########################################

  # Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE, 
  # not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
  sslCert = /path/to/privatekey/myprivatecert.pem

  # Even if your PEM file is password protected, set this to false.
  # Setting this to true always asks for a password even if you don't have one.
  # When you do have a password, even with this set to false it will prompt anyhow. 
  sslCertPasswordProtected = 0

引用:

Git凭证 Git凭据存储 使用Gnome Keyring作为凭证存储 Git配置http.<url>。* Git v1.8.5支持

在克隆git时指定配置

如果你需要在每次回购的基础上应用它，文档告诉你只需要在你的回购目录中运行git config——local。当你还没有在本地克隆回购时，这是没有用的，不是吗?

你可以做全局->本地hokey-pokey通过设置你的全局配置，然后复制这些设置到你的本地回购配置一旦克隆…

或者，你可以在git克隆时指定配置命令，这些命令在目标repo克隆后应用到目标repo。

# Declare variables to make clone command less verbose     
OUR_CA_PATH=/path/to/selfCA/
OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crt
MY_PEM_FILE=/path/to/privatekey/myprivatecert.pem
SELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"

# With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.
git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/

一个衬套

编辑:请参阅VonC的回答，其中指出了关于从2.14.x/2.15到这一行的特定git版本的绝对路径和相对路径的警告

git clone -c http.sslCAPath="/path/to/selfCA" -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" -c http.sslVerify=1 -c http.sslCert="/path/to/privatekey/myprivatecert.pem" -c http.sslCertPasswordProtected=0 https://mygit.server.com/projects/myproject.git myproject/

CentOS无法加载客户端密钥

如果你在CentOS上尝试这个，你的。pem文件会给你

unable to load client key: "-8178 (SEC_ERROR_BAD_KEY)"

然后你会想要这个StackOverflow关于curl如何使用NSS而不是Open SSL的答案。

你会想要从source重建curl:

git clone http://github.com/curl/curl.git curl/
cd curl/
# Need these for ./buildconf
yum install autoconf automake libtool m4 nroff perl -y
#Need these for ./configure
yum install openssl-devel openldap-devel libssh2-devel -y

./buildconf
su # Switch to super user to install into /usr/bin/curl
./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/
make
make install

重新启动计算机，因为libcurl仍然作为共享库存在于内存中

Python, pip和conda

相关:如何将自定义CA根证书添加到Windows中pip使用的CA存储?

我用的是windows电脑，这篇文章对我很有帮助。基本上我打开了ca-bundle。CRT在记事本和添加链证书在它(所有)。这个问题通常发生在公司网络中，我们在系统和git回购之间有中间人。我们需要导出证书链中除了base 64格式的leaf cert之外的所有证书，并将它们全部添加到ca-bundle中。然后为修改后的CRT文件配置git。

您可以像这样添加自签名证书，然后再按…

git config --global http.sslCAInfo "C:\Program Files\Git\usr\ssl\cert.pem"