[英]Adding self-signed SSL certificate without disabling authority-signed ones
I have a corporate git server working through https using self-signed certificate. 我有一个公司git服务器,使用自签名证书通过https工作。 The local clone contains two remotes — the origin pointing to that server, and another pointing to github. 本地克隆包含两个远程服务器,一个是指向该服务器的远程主机,另一个是指向github的远程主机。 By default pulling from the origin fails: 默认情况下,从原点提取失败:
$ git pull
fatal: unable to access 'https://user@code.example.com/git/fizzbuzz.git/': SSL certificate problem: self signed certificate
The github remote works fine. github远程工作正常。
There are two often-suggested solutions: 通常有两种建议的解决方案:
git config http.sslVerify false
which is a bad idea, and the one suggested at configure Git to accept a particular self-signed server certificate for a particular https remote : 这是个坏主意,建议将Git配置为接受特定https远程服务器的特定自签名服务器证书 :
git config http.sslCAInfo <downloaded certificate>.pem
which fixes pulling from origin, but break the github remote: 修复了从原点拉出的问题,但破坏了github远程:
$ git pull github
fatal: unable to access 'https://github.com/user/fizzbuzz.git/': SSL certificate problem: unable to get local issuer certificate
How to make pulling from the corporate server work without breaking pulling from github? 如何在不中断从github的情况下使从公司服务器中拉取工作?
If you are using Git 1.8.5+ (August 2013), you can specify http directives per URL(!) . 如果您使用的是Git 1.8.5+(2013年8月),则可以为每个URL(!)指定http指令 。
In your case: 在您的情况下:
git config --global http."https://code.example.com/".sslVerify false
#
# or, if not on default 443 port:
#
git config --global http."https://code.example.com:<aPort>/".sslVerify false
That would disable SSL verification only for code.example.com
, not for other URLs. 这将仅对code.example.com
而不对其他URL禁用SSL验证。
Or: 要么:
git config --global http."https://code.example.com/".sslCAInfo <downloaded certificate>.pem
Same idea: sslCAInfo
would point to <downloaded certificate>.pem
only for code.example.com
URLs. 相同的想法: sslCAInfo
仅针对code.example.com
URL指向<downloaded certificate>.pem
。
It is possible to add your certificate in the Git system certificate store, which, with git-for-windows , would be in C:\\path\\to\\PortableGit-2.6.1-64-bit\\usr\\ssl\\certs\\ca-bundle.crt
. 可以在Git系统证书存储中添加证书,使用git-for-windows可以在C:\\path\\to\\PortableGit-2.6.1-64-bit\\usr\\ssl\\certs\\ca-bundle.crt
。
It isn't the best practice, though, unless you have to distribute a Git distro with internal certificates in it. 但是,这不是最佳实践,除非您必须分发包含内部证书的Git发行版。
As of v2.5.0 of Git for Windows (git-for-windows.github.io), the installed certificate file has moved to "C:\\Program Files (x86)\\Git\\mingw32\\ssl\\certs\\ca-bundle.crt". 从Windows的Git v2.5.0(git-for-windows.github.io)开始,已安装的证书文件已移至“ C:\\ Program Files(x86)\\ Git \\ mingw32 \\ ssl \\ certs \\ ca-bundle。 crt”。 You have to add your certs into this file. 您必须将证书添加到此文件中。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.