我可以通过使用ssh的克隆项目推送,但它不工作时,我克隆项目与https。

它显示的错误信息是:

server certificate verification failed. CAfile: /etc/ssl/certs/cacertificates.crt CRLfile: none

当前回答

最后更新:2021年9月30日|参见所有文档

一个平台是否能够验证Let’s Encrypt证书的主要决定因素是该平台是否信任ISRG的“ISRG Root X1”证书。在2021年9月之前,一些平台可以验证我们的证书,即使他们不包括ISRG根X1,因为他们信任IdenTrust的“DST根CA X3”证书。从2021年10月起,只有那些信任ISRG Root X1的平台才会验证Let’s Encrypt证书(Android除外)。

当前系统

如果你的系统是最新的,但由于某种原因自动更新不起作用,应该有足够的:

apt update
apt upgrade
sudo dpkg-reconfigure ca-certificates

在reconfigure阶段,取消选择“DST根CA X3”证书

过时的系统

要解决,在旧的Linux服务器上,如Ubuntu 16或Debian 8 jessie,需要几个步骤:

upgrade openssl to anything >=1.0.2 On Debian jessie enable backports source, add this line to sources.list: deb http://archive.debian.org/debian jessie-backports main contrib non-free and do apt-get install -t jessie-backports openssl ensure security updates for ca-certificates package apt upgrade download latest LetsEncrypt root CA certs: sudo curl -k https://letsencrypt.org/certs/isrgrootx1.pem.txt -o /usr/local/share/ca-certificates/isrgrootx1.crt sudo curl -k https://letsencrypt.org/certs/letsencryptauthorityx1.pem.txt -o /usr/local/share/ca-certificates/letsencryptauthorityx1.crt sudo curl -k https://letsencrypt.org/certs/letsencryptauthorityx2.pem.txt -o /usr/local/share/ca-certificates/letsencryptauthorityx2.crt sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx1.crt sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx2.crt sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx3.crt sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx4.crt sudo dpkg-reconfigure ca-certificates during reconfigure stage, please deselect "DST Root CA X3" certificate

在这些步骤之后,apt update应该适用于基于LetsEncrypt的源代码,wget和curl应该不会抱怨。

特别注意curl -k允许连接“不安全”的SSL服务器,因为LetsEncrypt证书不受信任。

其他回答

在做其他事情之前,检查是否有一个正在运行的代理,比如可以暂时关闭的Zscaler。然后检查你的日期,如上所述。

最后,添加http。Sslverify到你的.git/config。

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = https://server/user/project.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
[http]
        sslVerify = false

我知道这是旧的,但有时错误再次弹出。如果您确信可以信任本地安装,那么只需在变量部分中添加:GIT_SSL_NO_VERIFY: "true"。通过这种方式,您只需禁用证书验证。

此解决方案与本文提出的解决方案类似,但它仅适用于当前git树,而不适用于全局git配置。

我遇到了詹金斯的问题。当我更新证书时,我开始面临这个错误。

stderr fatal: unable to access server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt

所以我已经在下面的文件中添加了我的新证书:

/etc/ssl/certs/ca-certificates.crt

该文件的内容如下所示:

-----BEGIN CERTIFICATE-----
blahblha
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blahblha
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blahblha
-----END CERTIFICATE-----

只要在底部附上你的证书:

-----BEGIN CERTIFICATE-----
blahblha
-----END CERTIFICATE-----

我搞砸了我的CA文件,而我设置goagent代理。不能从github拉数据,并得到相同的警告:

服务器证书验证失败。CAfile: /etc/ssl/certs/ca-certificates。crt CRLfile:无

使用Vonc的方法,从github获取证书,并将其放入/etc/ssl/certs/ca-certificates。Crt,问题解决了。

echo -n | openssl s_client -showcerts -connect github.com:443 2>/dev/null | sed -ne '/- begin CERTIFICATE-/,/- end CERTIFICATE-/p'