- 1如何在jsp登录页面添加图片验证码(利用action)_jsp网站 图片码
- 2Skywalking使用篇(二):告警配置_skywalking告警配置
- 312篇顶会论文,深度学习时间序列预测经典方案汇总
- 4英文论文(sci)解读复现【NO.15】学习聚合多尺度背景的实例分割在遥感图像_空间上下文金字塔scp
- 5springboot+mybatis整合,实现增删改查_springboot整合mybatis实现增删改查
- 6Bearpi开发板之HarmonyOS任务管理_鸿蒙线程的等待事件标志时
- 7Android知识体系总结之Android部分之Android系统版本特性篇_android4.4 android9.0特性对比分析
- 82021GPLT天梯赛 L1L2题解_gplt题解
- 9二叉树及其应用_任务描述 本关任务:给出一棵二叉树的括号表示法,本题要求实现3个函数,根据给出的
- 10GPT4.0:探索下一代自然语言处理技术_gpt4.0 csdn
如何使git接受自签名证书?_the certificate is self-signed
赞
踩
本文翻译自:How can I make git accept a self signed certificate?
Using Git, is there a way to tell it to accept a self signed certificate? 使用Git,有没有办法告诉它接受自签名证书?
I am using an https server to host a git server but for now the certificate is self signed. 我正在使用https服务器托管git服务器,但目前证书是自签名的。
When I try to create the repo there for the first time: 当我第一次尝试在此处创建存储库时:
git push origin master -f
I get the error: 我收到错误:
- error: Cannot access URL
- https://the server/git.aspx/PocketReferences/, return code 22
-
- fatal: git-http-push failed
#1楼
参考:https://stackoom.com/question/mlLs/如何使git接受自签名证书
#2楼
To permanently accept a specific certificate 永久接受特定证书
Try http.sslCAPath or http.sslCAInfo . 尝试使用http.sslCAPath或http.sslCAInfo 。 Adam Spiers's answer gives some great examples. 亚当·斯皮尔斯(Adam Spiers)的答案提供了一些很好的例子。 This is the most secure solution to the question. 这是最安全的解决方案。
To disable TLS/SSL verification for a single git command 为单个git命令禁用TLS / SSL验证
try passing -c to git with the proper config variable, or use Flow's answer : 尝试使用适当的config变量将-c传递给git ,或使用Flow的答案 :
git -c http.sslVerify=false clone https://example.com/path/to/git
To disable SSL verification for a specific repository 禁用特定存储库的SSL验证
If the repository is completely under your control, you can try: 如果存储库完全在您的控制之下,则可以尝试:
git config http.sslVerify false
Disabling TLS(/SSL) certificate verification globally is a terribly insecure practice. 全局禁用TLS(/ SSL)证书验证是一种非常不安全的做法。 Don't do it. 不要这样 Do not issue the above command with a --global modifier. 不要在上面的命令中使用--global修饰符。
There are quite a few SSL configuration options in git . git有很多SSL配置选项。 From the man page of git config : 在git config的手册页中:
- http.sslVerify
- Whether to verify the SSL certificate when fetching or pushing over HTTPS.
- Can be overridden by the GIT_SSL_NO_VERIFY environment variable.
-
- http.sslCAInfo
- File containing the certificates to verify the peer with when fetching or pushing
- over HTTPS. Can be overridden by the GIT_SSL_CAINFO environment variable.
-
- http.sslCAPath
- Path containing files with the CA certificates to verify the peer with when
- fetching or pushing over HTTPS.
- Can be overridden by the GIT_SSL_CAPATH environment variable.
A few other useful SSL configuration options: 其他一些有用的SSL配置选项:
- http.sslCert
- File containing the SSL certificate when fetching or pushing over HTTPS.
- Can be overridden by the GIT_SSL_CERT environment variable.
-
- http.sslKey
- File containing the SSL private key when fetching or pushing over HTTPS.
- Can be overridden by the GIT_SSL_KEY environment variable.
-
- http.sslCertPasswordProtected
- Enable git's password prompt for the SSL certificate. Otherwise OpenSSL will
- prompt the user, possibly many times, if the certificate or private key is encrypted.
- Can be overridden by the GIT_SSL_CERT_PASSWORD_PROTECTED environment variable.
#3楼
You can set GIT_SSL_NO_VERIFY to true : 您可以将GIT_SSL_NO_VERIFY设置为true :
GIT_SSL_NO_VERIFY=true git clone https://example.com/path/to/git
or alternatively configure Git not to verify the connection on the command line: 或另选配置Git不在命令行上验证连接:
git -c http.sslVerify=false clone https://example.com/path/to/git
Note that if you don't verify SSL/TLS certificates, then you are susceptible to MitM attacks . 请注意,如果您不验证SSL / TLS证书,则容易受到MitM攻击 。
#4楼
I'm not a huge fan of the [EDIT: original versions of the] existing answers, because disabling security checks should be a last resort, not the first solution offered. 我不是现有答案的[编辑:原始版本]的忠实拥护者,因为禁用安全检查应该是不得已的方法,而不是第一个提供的解决方案。 Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent git operations at least makes life a lot harder for attacks which only occur after you have downloaded the certificate. 即使没有某些其他验证方法也无法信任首次签收的自签名证书,但将证书用于后续git操作至少会大大降低仅在下载证书后才发生的攻击的难度。 In other words, if the certificate you downloaded is genuine, then you're good from that point onwards. 换句话说,如果您下载的证书是真实的,那么从那时起您就可以了。 In contrast, if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point . 相反,如果你简单地禁用验证,那么你敞开,以在任何时候任何中间人攻击的。
To give a specific example: the famous repo.or.cz repository provides a self-signed certificate . 举一个具体的例子:著名的repo.or.cz存储库提供了一个自签名证书 。 I can download that file, place it somewhere like /etc/ssl/certs , and then do: 我可以下载该文件,将其放在/etc/ssl/certs ,然后执行以下操作:
- # Initial clone
- GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
- git clone https://repo.or.cz/org-mode.git
-
- # Ensure all future interactions with origin remote also work
- cd org-mode
- git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem
Note that using local git config here (ie without --global ) means that this self-signed certificate is only trusted for this particular repository, which is nice. 请注意,在此处使用本地git config (即不使用--global )意味着仅该特定存储库信任此自签名证书,这很好。 It's also nicer than using GIT_SSL_CAPATH since it eliminates the risk of git doing the verification via a different Certificate Authority which could potentially be compromised. 它比使用GIT_SSL_CAPATH更好,因为它消除了git通过不同的证书颁发机构进行验证的风险,这可能会受到威胁。
#5楼
I keep coming across this problem, so have written a script to download the self signed certificate from the server and install it to ~/.gitcerts, then update git-config to point to these certificates. 我一直遇到这个问题,因此编写了一个脚本来从服务器下载自签名证书并将其安装到〜/ .gitcerts,然后更新git-config指向这些证书。 It is stored in global config, so you only need to run it once per remote. 它存储在全局配置中,因此每个远程只需要运行一次。
https://github.com/iwonbigbro/tools/blob/master/bin/git-remote-install-cert.sh https://github.com/iwonbigbro/tools/blob/master/bin/git-remote-install-cert.sh
#6楼
Git Self-Signed Certificate Configuration Git自签名证书配置
tl;dr tl; dr
NEVER disable all SSL verification! 切勿禁用所有SSL验证!
This creates a bad security culture. 这造成了不良的安全文化。 Don't be that person. 不要做那个人。
The config keys you are after are: 您需要的配置键是:
-
http.sslverify- Always true.http.sslverify始终为true。 See above note. 请参阅上面的注释。
These are for configuring host certificates you trust 这些用于配置您信任的主机证书
These are for configuring YOUR certificate to respond to SSL challenges. 这些用于配置您的证书以响应SSL挑战。
Selectively apply the above settings to specific hosts. 有选择地将上述设置应用于特定主机。
Global .gitconfig for Self-Signed Certificate Authorities 自签名证书颁发机构的全局.gitconfig
For my own and my colleagues' sake here is how we managed to get self signed certificates to work without disabling sslVerify . 就我自己和我的同事而言,这就是我们如何在不禁用sslVerify情况下使自签名证书起作用的sslVerify 。 Edit your .gitconfig to using git config --global -e add these: 编辑您的.gitconfig以使用git config --global -e添加以下内容:
- # Specify the scheme and host as a 'context' that only these settings apply
- # Must use Git v1.8.5+ for these contexts to work
- [credential "https://your.domain.com"]
- username = user.name
-
- # Uncomment the credential helper that applies to your platform
- # Windows
- # helper = manager
-
- # OSX
- # helper = osxkeychain
-
- # Linux (in-memory credential helper)
- # helper = cache
-
- # Linux (permanent storage credential helper)
- # https://askubuntu.com/a/776335/491772
-
- # Specify the scheme and host as a 'context' that only these settings apply
- # Must use Git v1.8.5+ for these contexts to work
- [http "https://your.domain.com"]
- ##################################
- # Self Signed Server Certificate #
- ##################################
-
- # MUST be PEM format
- # Some situations require both the CAPath AND CAInfo
- sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
- sslCAPath = /path/to/selfCA/
- sslVerify = true
-
- ###########################################
- # Private Key and Certificate information #
- ###########################################
-
- # Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE,
- # not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
- sslCert = /path/to/privatekey/myprivatecert.pem
-
- # Even if your PEM file is password protected, set this to false.
- # Setting this to true always asks for a password even if you don't have one.
- # When you do have a password, even with this set to false it will prompt anyhow.
- sslCertPasswordProtected = 0
References: 参考文献:
- Git Credentials Git凭证
- Git Credential Store Git凭证存储
- Using Gnome Keyring as credential store 使用Gnome密钥环作为凭据存储
- Git Config http.<url>.* Supported from Git v1.8.5 Git Config http。<URL>。*受Git v1.8.5支持
Specify config when git clone -ing git clone -ing时指定配置
If you need to apply it on a per repo basis, the documentation tells you to just run git config --local in your repo directory. 如果您需要在每个回购基础上应用它,文档会告诉您只需在回购目录中运行git config --local 。 Well that's not useful when you haven't got the repo cloned locally yet now is it? 那么,当您还没有在本地克隆存储库时,这没有用吗?
You can do the global -> local hokey-pokey by setting your global config as above and then copy those settings to your local repo config once it clones... 您可以通过如上所述设置全局配置来执行global- global -> local hokey-pokey,然后在克隆后将这些设置复制到本地repo配置中。
OR what you can do is specify config commands at git clone that get applied to the target repo once it is cloned. 或者,您可以做的是在git clone中指定配置命令,该命令将在git clone到目标存储库后应用。
- # Declare variables to make clone command less verbose
- OUR_CA_PATH=/path/to/selfCA/
- OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crt
- MY_PEM_FILE=/path/to/privatekey/myprivatecert.pem
- SELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"
-
- # With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.
- git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/
One Liner 一线
EDIT: See VonC 's answer that points out a caveat about absolute and relative paths for specific git versions from 2.14.x/2.15 to this one liner 编辑:请参阅VonC的答案 ,该警告指出了有关从2.14.x / 2.15到此衬垫的特定git版本的绝对和相对路径的警告
git clone -c http.sslCAPath="/path/to/selfCA" -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" -c http.sslVerify=1 -c http.sslCert="/path/to/privatekey/myprivatecert.pem" -c http.sslCertPasswordProtected=0 https://mygit.server.com/projects/myproject.git myproject/
CentOS unable to load client key CentOS unable to load client key
If you are trying this on CentOS and your .pem file is giving you 如果您在CentOS上尝试此操作,并且.pem文件给您
unable to load client key: "-8178 (SEC_ERROR_BAD_KEY)"
Then you will want this StackOverflow answer about how curl uses NSS instead of Open SSL. 然后,您将需要此StackOverflow答案 ,以了解curl如何使用NSS而不是Open SSL。
And you'll like want to rebuild curl from source : 而且您想要从源代码重建curl :
- git clone http://github.com/curl/curl.git curl/
- cd curl/
- # Need these for ./buildconf
- yum install autoconf automake libtool m4 nroff perl -y
- #Need these for ./configure
- yum install openssl-devel openldap-devel libssh2-devel -y
-
- ./buildconf
- su # Switch to super user to install into /usr/bin/curl
- ./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/
- make
- make install
restart computer since libcurl is still in memory as a shared library 重新启动计算机,因为libcurl仍作为共享库在内存中
Python, pip and conda Python,pip和conda
Related : How to add a custom CA Root certificate to the CA Store used by pip in Windows? 相关 : 如何将自定义CA Root证书添加到Windows中pip使用的CA Store?
