
How can I make git accept a self-signed certificate?

itbloger 2020. 10. 3. 10:04



Is there a way to tell Git to accept a self-signed certificate?

I am hosting a git server over https, but for now the certificate is self-signed.

When I try to create the repository for the first time:

git push origin master -f

I get the error:

error: Cannot access URL     
https://the server/git.aspx/PocketReferences/, return code 22

fatal: git-http-push failed

To accept a specific certificate permanently

Try http.sslCAPath or http.sslCAInfo. Adam Spiers's answer gives some good examples. This is the most secure solution to the question.

To disable TLS/SSL verification for a single git command

Try passing -c to git with the proper config variable, or use Flow's answer:

git -c http.sslVerify=false clone https://example.com/path/to/git

To disable SSL verification for a specific repository

If the repository is completely under your control, you can try:

git config http.sslVerify false

Disabling TLS(/SSL) certificate verification globally is an incredibly insecure practice. Don't do it. Do not run the above command with the --global modifier.


git has a few SSL configuration options. From the man page of git config:

http.sslVerify
    Whether to verify the SSL certificate when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_NO_VERIFY environment variable.

http.sslCAInfo
    File containing the certificates to verify the peer with when fetching or pushing
    over HTTPS. Can be overridden by the GIT_SSL_CAINFO environment variable.

http.sslCAPath
    Path containing files with the CA certificates to verify the peer with when
    fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_CAPATH environment variable.

A few other useful SSL configuration options:

http.sslCert
    File containing the SSL certificate when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_CERT environment variable.

http.sslKey
    File containing the SSL private key when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_KEY environment variable.

http.sslCertPasswordProtected
    Enable git's password prompt for the SSL certificate. Otherwise OpenSSL will
    prompt the user, possibly many times, if the certificate or private key is encrypted.
    Can be overridden by the GIT_SSL_CERT_PASSWORD_PROTECTED environment variable.

You can set GIT_SSL_NO_VERIFY to true:

GIT_SSL_NO_VERIFY=true git clone https://example.com/path/to/git

Alternatively, configure Git not to verify the connection on the command line:

git -c http.sslVerify=false clone https://example.com/path/to/git

Not verifying SSL/TLS certificates makes you vulnerable to MitM attacks.


I don't like the existing answers [EDIT: the original versions], because disabling security checks should be a last resort, not the first solution offered. Even though self-signed certificates cannot be trusted on first receipt without some additional method of verification, using the certificate for subsequent git operations at least makes life a lot harder for attacks that only occur after you have downloaded the certificate. In other words, if the certificate you downloaded is genuine, then you're good from that point on. In contrast, if you simply disable verification, then you are wide open to any kind of man-in-the-middle attack at any point.

To give a concrete example: the famous repo.or.cz repository provides a self-signed certificate. I can download that file, put it somewhere like /etc/ssl/certs, and then do:

# Initial clone
GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
    git clone https://repo.or.cz/org-mode.git

# Ensure all future interactions with origin remote also work
cd org-mode
git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem

Using local git config here (i.e. without --global) means that this self-signed certificate is only trusted for this particular repository, which is nice. It is also nicer than using GIT_SSL_CAPATH, since it eliminates the risk of git doing the verification via a different certificate authority that could potentially be compromised.


Git self-signed certificate config

tl;dr

Do NOT disable ALL SSL verification!

This creates a bad security culture. Don't be that person.

The configuration keys behind this are:

  • http.sslverify - always true. See the note above.

  • http.sslCAPath / http.sslCAInfo - these are for configuring trusted host certificates.

  • http.sslCert / http.sslKey / http.sslCertPasswordProtected - these are for configuring certificates to respond to SSL challenges.

  • Selectively apply the above settings to specific hosts.

Global .gitconfig for self-signed certificate authorities

Here is how my colleagues and I got self-signed certificates working without disabling sslVerify. Edit your .gitconfig with git config --global -e and add these:

# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[credential "https://your.domain.com"]
  username = user.name

  # Uncomment the credential helper that applies to your platform
  # Windows
  # helper = manager

  # OSX
  # helper = osxkeychain

  # Linux (in-memory credential helper)
  # helper = cache

  # Linux (permanent storage credential helper)
  # https://askubuntu.com/a/776335/491772

# Specify the scheme and host as a 'context' that only these settings apply 
# Must use Git v1.8.5+ for these contexts to work
[http "https://your.domain.com"]
  ##################################
  # Self Signed Server Certificate #
  ##################################

  # MUST be PEM format
  # Some situations require both the CAPath AND CAInfo 
  sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
  sslCAPath = /path/to/selfCA/
  sslVerify = true

  ###########################################
  # Private Key and Certificate information #
  ###########################################

  # Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE, 
  # not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
  sslCert = /path/to/privatekey/myprivatecert.pem

  # Even if your PEM file is password protected, set this to false.
  # Setting this to true always asks for a password even if you don't have one.
  # When you do have a password, even with this set to false it will prompt anyhow. 
  sslCertPasswordProtected = 0

References:

Specifying config when git clone-ing

If you need to apply this on a per-repo basis, the documentation tells you to just run git config --local in the repo directory. That is not useful when you have not cloned the repo locally yet.

You can do the global -> local hokey-pokey by setting your global config as above and then copy those settings to your local repo config once it clones...

OR what you can do is specify config commands at git clone that get applied to the target repo once it is cloned.

# Declare variables to make clone command less verbose     
OUR_CA_PATH=/path/to/selfCA/
OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crt
MY_PEM_FILE=/path/to/privatekey/myprivatecert.pem
SELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"

# With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.
git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/

One Liner

EDIT: See VonC's answer that points out a caveat about absolute and relative paths for specific git versions from 2.14.x/2.15 to this one liner

git clone -c http.sslCAPath="/path/to/selfCA" -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" -c http.sslVerify=1 -c http.sslCert="/path/to/privatekey/myprivatecert.pem" -c http.sslCertPasswordProtected=0 https://mygit.server.com/projects/myproject.git myproject/

CentOS unable to load client key

If you are trying this on CentOS and your .pem file is giving you

unable to load client key: "-8178 (SEC_ERROR_BAD_KEY)"

Then you will want this StackOverflow answer about how curl uses NSS instead of Open SSL.

And you'll likely want to rebuild curl from source:

git clone http://github.com/curl/curl.git curl/
cd curl/
# Need these for ./buildconf
yum install autoconf automake libtool m4 nroff perl -y
#Need these for ./configure
yum install openssl-devel openldap-devel libssh2-devel -y

./buildconf
su # Switch to super user to install into /usr/bin/curl
./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/
make
make install

restart computer since libcurl is still in memory as a shared library

Python, pip and conda

Related: How to add a custom CA Root certificate to the CA Store used by pip in Windows?


I keep coming across this problem, so have written a script to download the self signed certificate from the server and install it to ~/.gitcerts, then update git-config to point to these certificates. It is stored in global config, so you only need to run it once per remote.

https://github.com/iwonbigbro/tools/blob/master/bin/git-remote-install-cert.sh
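The pattern that Adam Spiers's answer, the [http "https://your.domain.com"] section in Josh Peak's answer and the script linked above all rely on is the same: keep sslVerify on everywhere and hand git a CA file for one host only. What the answers gloss over is the "additional method of verification" on first receipt. The following added example (not code from any of the answers or from the linked script) does that step explicitly: it refuses to pin a certificate whose SHA-256 fingerprint does not match a value you obtained out of band, and writes only a URL-scoped section so other hosts keep the normal trust store. It assumes openssl and git (1.8.5 or later for URL-scoped http.* keys) are installed; the host git.example.test and the CA it generates are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not code from any of the answers above). Pins a server's
# self-signed CA for ONE host, after checking its SHA-256 fingerprint against a
# value obtained out of band (from the server admin, a wiki page, a phone call).
# Assumes openssl and git (>= 1.8.5 for URL-scoped http.* keys) are installed.
set -u

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# pin_cert_for_host <gitconfig file> <https://host> <ca.pem> <expected fingerprint>
# Refuses to pin if the file on disk is not the certificate you were told to
# expect, then writes a URL-scoped section equivalent to
#     [http "https://host"]
#         sslCAInfo = /path/ca.pem
#         sslVerify = true
# so verification stays on everywhere and only this host uses the pinned CA.
pin_cert_for_host() {
    cfg=$1; url=$2; cert=$3; expected=$4
    actual=$(cert_fingerprint "$cert") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing to pin $cert: fingerprint $actual does not match $expected" >&2
        return 1
    fi
    git config -f "$cfg" "http.$url.sslCAInfo" "$cert" &&
        git config -f "$cfg" "http.$url.sslVerify" true
}

# What git will actually use for a given remote URL (best URL-section match).
effective_cainfo() {
    git config -f "$1" --get-urlmatch http.sslCAInfo "$2"
}

# --- constructed demo: a throwaway self-signed CA stands in for the real one ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CA_PEM="$WORK/selfCA.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=git.example.test" \
    -keyout "$WORK/selfCA.key" -out "$CA_PEM" 2>/dev/null
CFG="$WORK/gitconfig"            # stands in for ~/.gitconfig or .git/config
# In real life this value comes from the server admin, NOT from the download.
GOOD_FP=$(cert_fingerprint "$CA_PEM")

pin_cert_for_host "$CFG" https://git.example.test "$CA_PEM" "$GOOD_FP"
echo "git.example.test -> $(effective_cainfo "$CFG" https://git.example.test/org/repo.git)"
# Other hosts keep the system trust store: no URL-scoped value matches them.
effective_cainfo "$CFG" https://github.com/org/repo.git || echo "github.com -> default CA bundle"
# A mismatching fingerprint (e.g. a MitM proxy's CA) is rejected; nothing is written.
pin_cert_for_host "$CFG" https://evil.example.test "$CA_PEM" "00:11:22:33" || echo "rejected"
```

Point the script at ~/.gitconfig instead of a temp file and the result is the same as Josh Peak's hand-written [http "https://your.domain.com"] block; use a repository's .git/config to get Adam Spiers's per-repository scope. Either way sslVerify is never set to false.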


This answer is excerpted from this article authored by Michael Kauffman.

Use Git for Windows with a corporate SSL certificate

Issue:

If you have a corporate SSL certificate and want to clone your repo from the console or VSCode you get the following error:

fatal: unable to access ‘https://myserver/tfs/DefaultCollection/_git/Proj/’: SSL certificate problem: unable to get local issuer certificate

Solution:

  1. Export the root self-signed Certificate to a file. You can do this from within your browser.

  2. Locate the “ca-bundle.crt” file in your git folder (current version C:\Program Files\Git\usr\ssl\certs, but it has changed in the past). Copy the file to your user profile. Open it with a text editor like VSCode and add the content of your exported certificate to the end of the file.

Now we have to configure git to use the new file:

git config --global http.sslCAInfo C:/Users/<yourname>/ca-bundle.crt

This will add the following entry to your .gitconfig file in the root of your user profile.

[http]
    sslCAInfo = C:/Users/<yourname>/ca-bundle.crt


Using 64bit version of Git on Windows, just add the self signed CA certificate into these files :

  • C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt
  • C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.trust.crt

If it is just a server self signed certificate add it into

  • C:\Program Files\Git\mingw64\ssl\cert.pem

Check your antivirus and firewall settings.

From one day to the next, git did not work anymore. With what is described above, I found that Kaspersky puts a self-signed Anti-virus personal root certificate in the middle. I did not manage to let Git accept that certificate following the instructions above. I gave up on that. What works for me is to disable the feature to Scan encrypted connections.

  1. Open Kaspersky
  2. Settings > Additional > Network > Do not scan encrypted connections

After this, git works again with sslVerify enabled.

Note. This is still not satisfying for me, because I would like to have that feature of my Anti-Virus active. In the advanced settings, Kaspersky shows a list of websites that will not work with that feature. Github is not listed as one of them. I will check it at the Kaspersky forum. There seem to be some topics, e.g. https://forum.kaspersky.com/index.php?/topic/395220-kis-interfering-with-git/&tab=comments#comment-2801211


Be careful when you are using one liner using sslKey or sslCert, as in Josh Peak's answer:

git clone -c http.sslCAPath="/path/to/selfCA" \
  -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" \
  -c http.sslVerify=1 \
  -c http.sslCert="/path/to/privatekey/myprivatecert.pem" \
  -c http.sslCertPasswordProtected=0 \
https://mygit.server.com/projects/myproject.git myproject

Only Git 2.14.x/2.15 (Q3 2015) would be able to interpret a path like ~username/mykey correctly (while it still can interpret an absolute path like /path/to/privatekey).

See commit 8d15496 (20 Jul 2017) by Junio C Hamano (gitster).
Helped-by: Charles Bailey (hashpling).
(Merged by Junio C Hamano -- gitster -- in commit 17b1e1d, 11 Aug 2017)

http.c: http.sslcert and http.sslkey are both pathnames

Back when the modern http_options() codepath was created to parse various http.* options at 29508e1 ("Isolate shared HTTP request functionality", 2005-11-18, Git 0.99.9k), and then later was corrected for interaction between the multiple configuration files in 7059cd9 ("http_init(): Fix config file parsing", 2009-03-09, Git 1.6.3-rc0), we parsed configuration variables like http.sslkey, http.sslcert as plain vanilla strings, because git_config_pathname() that understands "~[username]/" prefix did not exist.

Later, we converted some of them (namely, http.sslCAPath and http.sslCAInfo) to use the function, and added variables like http.cookieFile and http.pinnedpubkey to use the function from the beginning. Because of that, these variables all understand "~[username]/" prefix.

Make the remaining two variables, http.sslcert and http.sslkey, also aware of the convention, as they are both clearly pathnames to files.


I do it like this:

git init
git config --global http.sslVerify false
git clone https://myurl/myrepo.git

In the .gitconfig file you can add the value given below to make the self-signed cert acceptable:

sslCAInfo = /home/XXXX/abc.crt


My answer may be late but it worked for me. It may help somebody.

I tried above mentioned steps and that didn't solved the issue.

try this: git config --global http.sslVerify false


On Windows this worked for me:

Add the content of your self signed certificate to the end of the ca-bundle file. Including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines

The location of the ca-bundle file is usually C:\Program Files\Git\mingw64\ssl\certs

Afterwards, add the path of the ca-bundle file to the global git config. The following command does the trick: git config --global http.sslCAInfo "C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt"

Remark: The Path depends on your local path of the ca-bundle file!


I use a windows machine and this article helped me. Basically I opened ca-bundle.crt in notepad and added chain certificates in it (all of them). This issue usually happens for company networks where we have middle men sitting between system and git repo. We need to export all of the certs in cert chain except leaf cert in base 64 format and add all of them to ca-bundle.crt and then configure git for this modified crt file.
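The Windows answers above (Michael Kauffman's excerpt, the mingw64 ca-bundle.crt paths, and the chain-minus-leaf procedure just described) all edit a bundle by hand in Notepad, which makes it easy to paste the leaf by mistake, paste the same CA twice, or break the PEM framing. The following added example (not code from any of the answers) does the same job from Git Bash or any POSIX shell: it copies the shipped bundle to a user-owned file, appends every certificate of a chain except the leaf, skips certificates that are already present, and then runs the check you want before pointing git at the file, namely that the server's leaf actually validates against the new bundle. It assumes openssl is installed; the "shipped" bundle, the corporate root, the proxy CA and the leaf for git.corp.example are all generated inline as constructed stand-ins.

```shell
#!/bin/sh
# Added example (not code from the answers above). Builds a user-owned copy of
# Git's ca-bundle.crt that also trusts the CA chain a corporate proxy or server
# presents, minus the leaf, and checks the result before git is pointed at it.
# Assumes openssl is installed; every certificate here is a constructed stand-in.
set -u

# SHA-256 fingerprint of one PEM certificate, e.g. "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Split a PEM file into $2/cert.1, $2/cert.2, ... and print how many it held.
# cert.1 is the first certificate, i.e. the leaf when the input is the chain
# as `openssl s_client -showcerts` prints it. Text outside BEGIN/END is skipped.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Does bundle $1 already contain a certificate with fingerprint $2?
bundle_has_fingerprint() {
    bd=$(mktemp -d); bn=$(split_pem "$1" "$bd"); found=1; bi=1
    while [ "$bi" -le "$bn" ]; do
        [ "$(cert_fingerprint "$bd/cert.$bi")" = "$2" ] && found=0
        bi=$((bi + 1))
    done
    rm -rf "$bd"; return $found
}

# append_chain_to_bundle <shipped ca-bundle.crt> <your copy> <chain.pem>
# Copies the shipped bundle once, then appends each non-leaf certificate of the
# chain that is not already present. Safe to re-run; never touches the original.
append_chain_to_bundle() {
    src=$1; dst=$2; chain=$3
    [ -f "$dst" ] || cp "$src" "$dst"
    d=$(mktemp -d); n=$(split_pem "$chain" "$d"); i=2   # i=2: the leaf never goes in a trust store
    while [ "$i" -le "$n" ]; do
        fp=$(cert_fingerprint "$d/cert.$i")
        if ! bundle_has_fingerprint "$dst" "$fp"; then
            { printf '\n# %s\n' "$(openssl x509 -in "$d/cert.$i" -noout -subject)"
              cat "$d/cert.$i"; } >> "$dst"
        fi
        i=$((i + 1))
    done
    rm -rf "$d"
}

count_certs() { tmpd=$(mktemp -d); split_pem "$1" "$tmpd"; rm -rf "$tmpd"; }
# The check to run before `git config --global http.sslCAInfo <bundle>`:
# does the server's leaf validate against the new bundle?
leaf_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# --- constructed demo data ----------------------------------------------------
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"
csr() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null; }
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
# stand-in for the shipped ca-bundle.crt: one unrelated public root
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Unrelated-Root \
    -keyout unrelated.key -out ca-bundle.crt 2>/dev/null
# the corporate chain as an intercepting proxy presents it: leaf, issuing CA, root
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Corp-Root \
    -keyout root.key -out root.pem 2>/dev/null
csr Corp-Proxy-CA int
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int.pem 2>/dev/null
csr git.corp.example leaf
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -out leaf.pem 2>/dev/null
cat leaf.pem int.pem root.pem > chain.pem

append_chain_to_bundle ca-bundle.crt my-ca-bundle.crt chain.pem
append_chain_to_bundle ca-bundle.crt my-ca-bundle.crt chain.pem   # idempotent
echo "certs in my-ca-bundle.crt: $(count_certs my-ca-bundle.crt)"   # unrelated root + Corp-Root + Corp-Proxy-CA
leaf_verifies my-ca-bundle.crt leaf.pem && echo "leaf verifies; now run:"
echo "  git config --global http.sslCAInfo $PWD/my-ca-bundle.crt"
```

On a real machine the chain file comes from `openssl s_client -showcerts -connect myserver:443 </dev/null`, or from the certificates exported in the browser as the answers describe, and the shipped bundle is the ca-bundle.crt under the Git installation. Working on a copy in the user profile, as Kauffman's excerpt suggests, also means a Git for Windows upgrade cannot silently overwrite the additions.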

Source: https://stackoverflow.com/questions/11621768/how-can-i-make-git-accept-a-self-signed-certificate
