This article is translated from: How can I make git accept a self signed certificate?

Using Git, is there a way to tell it to accept a self signed certificate?

I am using an https server to host a git server but for now the certificate is self signed.

When I try to create the repo there for the first time:

git push origin master -f

I get the error:

error: Cannot access URL https://the server/git.aspx/PocketReferences/, return code 22
fatal: git-http-push failed

#1

Reference: https://stackoom.com/question/mlLs/如何使git接受自签名证书


#2

To permanently accept a specific certificate

Try http.sslCAPath or http.sslCAInfo. Adam Spiers's answer gives some great examples. This is the most secure solution to the question.

To disable TLS/SSL verification for a single git command

try passing -c to git with the proper config variable, or use Flow's answer:

git -c http.sslVerify=false clone https://example.com/path/to/git

To disable SSL verification for a specific repository

If the repository is completely under your control, you can try:

git config http.sslVerify false

Disabling TLS(/SSL) certificate verification globally is a terribly insecure practice. Don't do it. Do not issue the above command with a --global modifier.


There are quite a few SSL configuration options in git. From the man page of git config:

http.sslVerify
    Whether to verify the SSL certificate when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_NO_VERIFY environment variable.

http.sslCAInfo
    File containing the certificates to verify the peer with when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_CAINFO environment variable.

http.sslCAPath
    Path containing files with the CA certificates to verify the peer with when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_CAPATH environment variable.

A few other useful SSL configuration options:

http.sslCert
    File containing the SSL certificate when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_CERT environment variable.

http.sslKey
    File containing the SSL private key when fetching or pushing over HTTPS. Can be overridden by the GIT_SSL_KEY environment variable.

http.sslCertPasswordProtected
    Enable git's password prompt for the SSL certificate. Otherwise OpenSSL will prompt the user, possibly many times, if the certificate or private key is encrypted. Can be overridden by the GIT_SSL_CERT_PASSWORD_PROTECTED environment variable.

#3

You can set GIT_SSL_NO_VERIFY to true:

GIT_SSL_NO_VERIFY=true git clone https://example.com/path/to/git

or alternatively configure Git not to verify the connection on the command line:

git -c http.sslVerify=false clone https://example.com/path/to/git

Note that if you don't verify SSL/TLS certificates, then you are susceptible to MitM attacks.


#4

I'm not a huge fan of the [EDIT: original versions of the] existing answers, because disabling security checks should be a last resort, not the first solution offered. Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent git operations at least makes life a lot harder for attacks which only occur after you have downloaded the certificate. In other words, if the certificate you downloaded is genuine, then you're good from that point onwards. In contrast, if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point.

To give a specific example: the famous repo.or.cz repository provides a self-signed certificate. I can download that file, place it somewhere like /etc/ssl/certs, and then do:

# Initial clone
GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
    git clone https://repo.or.cz/org-mode.git

# Ensure all future interactions with origin remote also work
cd org-mode
git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem

Note that using local git config here (ie without --global) means that this self-signed certificate is only trusted for this particular repository, which is nice. It's also nicer than using GIT_SSL_CAPATH since it eliminates the risk of git doing the verification via a different Certificate Authority which could potentially be compromised.


#5

I keep coming across this problem, so have written a script to download the self signed certificate from the server and install it to ~/.gitcerts, then update git-config to point to these certificates. It is stored in global config, so you only need to run it once per remote.

https://github.com/iwonbigbro/tools/blob/master/bin/git-remote-install-cert.sh


#6

Git Self-Signed Certificate Configuration

tl;dr

NEVER disable all SSL verification!

This creates a bad security culture. Don't be that person.

The config keys you are after are:

  • http.sslverify - Always true. See above note.

These are for configuring host certificates you trust

  • http.sslCAPath
  • http.sslCAInfo

These are for configuring YOUR certificate to respond to SSL challenges.

  • http.sslCert
  • http.sslCertPasswordProtected

Selectively apply the above settings to specific hosts.

  • http.<url>.*

Global .gitconfig for Self-Signed Certificate Authorities

For my own and my colleagues' sake here is how we managed to get self signed certificates to work without disabling sslVerify. Edit your .gitconfig using git config --global -e and add these:

# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[credential "https://your.domain.com"]
    username = user.name
    # Uncomment the credential helper that applies to your platform
    # Windows
    # helper = manager
    # OSX
    # helper = osxkeychain
    # Linux (in-memory credential helper)
    # helper = cache
    # Linux (permanent storage credential helper)
    # https://askubuntu.com/a/776335/491772

# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[http "https://your.domain.com"]
    ##################################
    # Self Signed Server Certificate #
    ##################################
    # MUST be PEM format
    # Some situations require both the CAPath AND CAInfo
    sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
    sslCAPath = /path/to/selfCA/
    sslVerify = true

    ###########################################
    # Private Key and Certificate information #
    ###########################################
    # Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE,
    # not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
    sslCert = /path/to/privatekey/myprivatecert.pem
    # Even if your PEM file is password protected, set this to false.
    # Setting this to true always asks for a password even if you don't have one.
    # When you do have a password, even with this set to false it will prompt anyhow.
    sslCertPasswordProtected = 0

References:

  • Git Credentials
  • Git Credential Store
  • Using Gnome Keyring as credential store
  • Git Config http.<url>.* Supported from Git v1.8.5

Specify config when git clone-ing

If you need to apply it on a per repo basis, the documentation tells you to just run git config --local in your repo directory. Well that's not useful when you haven't got the repo cloned locally yet now is it?

You can do the global -> local hokey-pokey by setting your global config as above and then copy those settings to your local repo config once it clones...

OR what you can do is specify config commands at git clone that get applied to the target repo once it is cloned.

# Declare variables to make clone command less verbose
OUR_CA_PATH=/path/to/selfCA/
OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crt
MY_PEM_FILE=/path/to/privatekey/myprivatecert.pem
SELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"

# With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.
git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/

One Liner

EDIT: See VonC's answer that points out a caveat about absolute and relative paths for specific git versions from 2.14.x/2.15 to this one liner

git clone -c http.sslCAPath="/path/to/selfCA" -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" -c http.sslVerify=1 -c http.sslCert="/path/to/privatekey/myprivatecert.pem" -c http.sslCertPasswordProtected=0 https://mygit.server.com/projects/myproject.git myproject/

CentOS unable to load client key

If you are trying this on CentOS and your .pem file is giving you

unable to load client key: "-8178 (SEC_ERROR_BAD_KEY)"

Then you will want this StackOverflow answer about how curl uses NSS instead of OpenSSL.

And you'll likely want to rebuild curl from source:

git clone http://github.com/curl/curl.git curl/
cd curl/
# Need these for ./buildconf
yum install autoconf automake libtool m4 nroff perl -y
#Need these for ./configure
yum install openssl-devel openldap-devel libssh2-devel -y
./buildconf
su # Switch to super user to install into /usr/bin/curl
./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/
make
make install

Restart the computer since libcurl is still in memory as a shared library.

Python, pip and conda

Related: How to add a custom CA Root certificate to the CA Store used by pip in Windows?
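The answers above agree on the safe pattern: keep http.sslVerify on, pin the server's self-signed certificate with http.sslCAInfo, and scope it to one host with http.<url>.* (answers #4 and #6), rather than trusting whatever the server presents on first contact (the script in answer #5 does the download and install, but nothing checks that the certificate it fetched is genuine). The following script is an added example and is not the script from answer #5 nor anything shipped with git: it fetches the leaf certificate, refuses to install it unless its SHA-256 fingerprint matches one obtained out of band (for instance from the server administrator), stores it under ~/.gitcerts as in answer #5, and writes only the host-scoped keys. It assumes POSIX sh with openssl and git on PATH; the GIT_CERT_DIR override and the git-pin-cert name are hypothetical.

```shell
#!/bin/sh
# git-pin-cert: added example. Pins a self-signed server certificate for ONE
# https host without touching the global http.sslVerify setting.
# Assumes: POSIX sh, openssl and git on PATH, and an expected SHA-256
# fingerprint obtained out of band, so first contact is verified, not trusted.
set -eu

# Where pinned certificates live (~/.gitcerts, as in answer #5).
# GIT_CERT_DIR is a hypothetical override used only by this script.
CERT_DIR="${GIT_CERT_DIR:-${HOME:-.}/.gitcerts}"

# host_from_url URL -> host[:port]; refuses anything that is not https://
host_from_url() {
    url=$1
    rest=${url#https://}
    [ "$rest" != "$url" ] || return 1   # scheme was not https
    rest=${rest%%/*}                    # drop the path
    rest=${rest##*@}                    # drop user:pass@ if present
    [ -n "$rest" ] || return 1
    printf '%s\n' "$rest"
}

# normalize_fp FP -> uppercase hex without colons or spaces, so the value
# pasted from an e-mail compares equal to what openssl prints
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF'
}

# pem_fingerprint FILE -> SHA-256 fingerprint of the certificate in FILE
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# fetch_leaf_cert HOST[:PORT] OUT -> saves the certificate the server presents.
# Nothing about it is trusted yet; pin_cert decides that.
fetch_leaf_cert() {
    hp=$1
    case $hp in *:*) ;; *) hp="$hp:443" ;; esac
    openssl s_client -connect "$hp" -servername "${hp%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$2"
}

# pin_cert URL EXPECTED_SHA256_FP: fetch, compare, and only on a match write
# http.<url>.sslCAInfo scoped to that host (answer #6's http.<url>.* contexts).
# A self-signed certificate is its own issuer, so the leaf itself is the CA file.
pin_cert() {
    url=$1; expected=$2
    host=$(host_from_url "$url") || { echo "refusing non-https URL: $url" >&2; return 1; }
    mkdir -p "$CERT_DIR" && chmod 700 "$CERT_DIR"
    pem="$CERT_DIR/$(printf '%s' "$host" | tr ':' '_').pem"
    fetch_leaf_cert "$host" "$pem"
    actual=$(pem_fingerprint "$pem")
    if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$expected")" ]; then
        rm -f "$pem"                    # never leave an unverified cert behind
        echo "fingerprint mismatch for $host: got $actual" >&2
        return 1
    fi
    # Scoped keys: every other host is still checked against the system CA store.
    git config --global "http.https://$host.sslCAInfo" "$pem"
    git config --global "http.https://$host.sslVerify" true
    echo "pinned $host -> $pem"
}

# Usage: git-pin-cert.sh https://git.example.com/repo.git AB:CD:...:EF
case $# in
    0) ;;                               # no arguments: only define the functions
    2) pin_cert "$1" "$2" ;;
    *) echo "usage: $0 <https-url> <expected-sha256-fingerprint>" >&2; exit 2 ;;
esac
```

Run it once per host; subsequent clones from that host need no -c flags, and a certificate rotation shows up as a verification failure rather than a silent change of trust, which is exactly the property that disabling http.sslVerify throws away.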
