Git clone from gitlab fails on linux, while working in Windows git bash

I'm new to Linux, just installed Lubuntu and faced the problem - when I'm trying to clone my remote work repo from my company's git:

$ sudo git clone https://path/to/repo.git

I keep on receiving error:

Cloning into 'repo'...
fatal: unable to access 'https://path/to/repo.git/': server certificate verification failed. CAfile: none CRLfile: none

I know it's mentioning certificates, but I do not have any. And before, I worked on Windows and was able to simply git clone this repo without any certs.

This error means that the git client cannot verify the integrity of the certificate chain or root. The proper way to resolve this issue is to make sure the certificate from the remote repository is valid, and then added to the client system.

Update list of public CA

The first thing I would recommend is to simply update the list of root CA known to the system as shown below.

# update CA certificates
sudo apt-get install apt-transport-https ca-certificates -y
sudo update-ca-certificates

This may help if you are dealing with a system that has not been updated for a long time, but of course won't resolve an issue with private certs.

Fetch certificates, direct connection

The error from the git client will be resolved if you add the certs from the remote git server to the list of locally checked certificates. This can be done by using openssl to pull the certificates from the remote host:

openssl s_client -showcerts -servername git.mycompany.com -connect git.mycompany.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'  > git-mycompany-com.pem

This will fetch the certificate used by “https://git.mycompany.com”, and copy the contents into a local file named “git-mycompany-com.pem”.

Fetch certificates, web proxy

If this host only has access to the git server via a web proxy like Squid, openssl will only be able to leverage a squid proxy if you are using a version of OpenSSL 1.1.0 and higher. But if you are using an older version of OpenSSL, then you will need to work around this limitation by using something like socat to bind locally to port 4443, and proxy the traffic through squid and to the final destination.

# install socat
sudo apt-get install socat -y

# listen locally on 4443, send traffic through squid "squidhost"
socat TCP4-LISTEN:4443,reuseaddr,fork PROXY:squidhost:git.mycompany.com:443,proxyport=3128

Then in another console, tell OpenSSL to pull the certificate from the localhost at port 4443.

openssl s_client -showcerts -servername git.mycompany.com -connect 127.0.0.1:4443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem

Add certificate to local certificate list

Whether by proxy or direct connection, you now have a list of the remote certificates in a file named “git-mycompany-com.pem”. This file will contain the certificate, its intermediate chain, and root CA certificate. The next step is to have this considered by the git client when connecting to the git server. This can be done by either adding the certificates to the file mentioned in the original error, in which case the change is made globally for all users OR it can be added to this single user's git configuration.

** Adding globally **

cat git-mycompany-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt

** Adding for single user **

git config --global http."https://git.mycompany.com/".sslCAInfo ~/git-mycompany-com.pem

Which silently adds the following lines to ~/.gitconfig

[http "https://git.mycompany.com/"]
        sslCAInfo = /home/user/git-mycompany-com.pem

Avoid workarounds

Avoid workarounds that skip SSL certification validation. Only use them to quickly test that certificates are the root issue, then use the sections above to resolve the issue.

git config --global http.sslverify false

export GIT_SSL_NO_VERIFY=true
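
The file produced by the `openssl s_client -showcerts` commands in the answer above holds whatever the remote end presented, so it is worth reviewing each certificate in it before any of them is trusted. The script below is an added example, not part of the original answer; the function names `split_pem`, `describe_cert` and `review_bundle` are hypothetical, and it assumes `openssl` and `awk` are installed.

```shell
#!/usr/bin/env bash
# Added example: review a PEM bundle captured with `openssl s_client -showcerts`
# before adding any of it to a trust store. Function names are hypothetical.

# Split a multi-certificate PEM file into cert-1.pem, cert-2.pem, ... inside
# directory $2, dropping any non-certificate lines. Prints the number written.
split_pem() {
    local bundle="$1" outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Print subject, issuer, expiry and SHA-256 fingerprint of one certificate,
# and flag it when subject and issuer match (self-signed, i.e. a root).
describe_cert() {
    local cert="$1" subject issuer
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    echo "subject: $subject"
    echo "issuer:  $issuer"
    openssl x509 -in "$cert" -noout -enddate -fingerprint -sha256
    if [ "$subject" = "$issuer" ]; then
        echo "role:    self-signed root; confirm this fingerprint with the CA owner"
    fi
}

# Describe every certificate in the bundle, in the order they appear in the file.
review_bundle() {
    local bundle="$1" workdir count i=1
    workdir=$(mktemp -d)
    count=$(split_pem "$bundle" "$workdir")
    echo "$count certificate(s) in $bundle"
    while [ "$i" -le "$count" ]; do
        echo "--- certificate $i"
        describe_cert "$workdir/cert-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$workdir"
}

# Usage: ./review-bundle.sh git-mycompany-com.pem
if [ "$#" -ge 1 ] && [ -f "$1" ]; then review_bundle "$1"; fi
```

Compare the printed SHA-256 fingerprint of the root with one obtained from whoever operates the company CA before pointing `sslCAInfo` or the system store at it.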

I know there is an answer already. Just for those who use a private network, like Zscaler or so, this error can occur if your rootcert needs to be updated. Here is a solution on how this update can be achieved if using WSL on a Windows machine:

#!/usr/bin/bash

# I exported the Zscaler certificate out of Microsoft Cert Manager.  It was located under 'Trusted Root Certification > Certificates' as zscaler_cert.cer.
# Though the extension is '.cer' it really is a DER formatted file.
# I then copied that file into Ubuntu running in WSL.

# Convert DER encoded file to CRT.
openssl x509 -inform DER -in zscaler_cert.cer -out zscaler_cert.crt

# Move the CRT file to /usr/local/share/ca-certificates
sudo mv zscaler_cert.crt /usr/local/share/ca-certificates

# Inform Ubuntu of new cert.
sudo update-ca-certificates 
