git error "unable to get local issuer certificate" with "User Trust" certificate
I do host a gitea server and access git via https. The certificate is not self-signed, but from a proper CA, User Trust ( https://www.tbs-certificates.co.uk/FAQ/en/racine-USERTrustRSACertificationAuthority.html ). I'm using the latest git client for Windows (2.38.1, 64-bit).
When I do a git pull, the error "unable to get local issuer certificate" is shown.
I do understand that git by default uses OpenSSL and the certificate list in the file ca-bundle.trust for validating certificates.
The strange thing is that git actually contains the root certificate, but it's not exactly the same. The certificate which is part of the ca-bundle.trust file has some additional content (marked in green).
When I compare the properties of the two certificates, I don't see any difference, but I assume this is the reason why git rejects the certificate.
Certificates, in case someone wants to have a look at them:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN TRUSTED CERTIFICATE-----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-----END TRUSTED CERTIFICATE-----
As mentioned in a comment by user "qwerty 1999", the command git config --global http.sslbackend schannel can be used to force git to use the Windows certificate store, which solves my problem since the "User Trust" root certificate is part of the certificate store by default. I still don't understand why git doesn't use the root certificate provided by "User Trust CA". This would avoid having to apply this workaround.
I opened these certs with git's built-in openssl (enter this in the git command line):
openssl x509 -inform pem -noout -text -in '1.cer' > first_cert.txt
openssl x509 -inform pem -noout -text -in '2.cer' > second_cert.txt
Then I compared those outputs and got this (screenshot: compared files). So basically, those are use cases.
What about making it work? I think here is the answer, which looks similar to your problem. If it isn't working, try this (in short, it says that you should add your certs at the end of ca-bundle.cert).
"I'd like to understand why the ca-bundle.cert doesn't contain the same root certificate as provided by the actual CA"
Because your server could not use the original certificate to sign a key without first adding a Trust use extension.
As documented in x509:
A trusted certificate is an ordinary certificate which has several additional pieces of information attached to it such as the permitted and prohibited uses of the certificate and an "alias".
(That is the extra bit you see in your certificate.)
Normally when a certificate is being verified at least one certificate must be "trusted".
By default a trusted certificate must be stored locally and must be a root CA: any certificate chain ending in this CA is then usable for any purpose.
Trust settings currently are only used with a root CA.
They allow a finer control over the purposes the root CA can be used for.
For example a CA may be trusted for SSL client but not SSL server use.
Using git config --global http."https://your.domain.com/".sslCAInfo <your_certificate>.pem is the right way to instruct Git to use that trusted certificate.
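The following is an added example, not code from the question or from either answer. It makes the two points above concrete: the "additional content" in the ca-bundle.trust copy of the USERTrust root is OpenSSL's X509_CERT_AUX structure (trust list, reject list, alias, key id), DER-encoded and appended directly after the certificate's own bytes, which is what `-----BEGIN TRUSTED CERTIFICATE-----` wraps. The script parses that trailer with the standard library only, strips it to recover the plain certificate, and compares two PEM blocks by certificate bytes so that the comparison the first answer did by hand with `openssl x509 -text` can be done exactly. The sample input is constructed: a bare DER SEQUENCE stands in for a real root certificate (the splitter only needs its outer length), and the trailer is a genuine X509_CERT_AUX encoding built by the same script; the name "Example Root CA" and the chosen purposes are assumptions. For a real check, paste the TRUSTED CERTIFICATE block from ca-bundle.trust and the CA's published root into `same_certificate`.

```python
# Added example, not code from the question or its answers. Standard library only.
# A TRUSTED CERTIFICATE is <certificate DER> || <X509_CERT_AUX DER>, where X509_CERT_AUX is
#   SEQUENCE { trust SEQUENCE OF OID (0x30), reject [0] IMPLICIT SEQUENCE OF OID (0xA0),
#              alias UTF8String (0x0C), keyid OCTET STRING (0x04), other [1] (0xA1) }, all OPTIONAL
import base64
import hashlib
import re

# Extended-key-usage OIDs that OpenSSL prints under "Trusted Uses" / "Rejected Uses".
PURPOSE_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning", "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping", "2.5.29.37.0": "anyExtendedKeyUsage",
}

def _read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _iter_tlvs(buf):
    """Yield (tag, value) for each element of a concatenated DER sequence body."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value

def _tlv(tag, value):
    """Encode one short-form DER element (only used to build the constructed sample)."""
    assert len(value) < 0x80, "sample data never needs long-form lengths"
    return bytes([tag, len(value)]) + value

def _decode_oid(value):
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                                 # base-128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _purposes(seq):
    """Purpose names for a SEQUENCE OF OID body (dotted OID when not in the table)."""
    return [PURPOSE_NAMES.get(o, o) for o in (_decode_oid(v) for _, v in _iter_tlvs(seq))]

def _pem(der, label):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def split_pem(pem):
    """(certificate DER, trailing aux DER) for a CERTIFICATE or TRUSTED CERTIFICATE block."""
    m = re.search(r"-----BEGIN (?:TRUSTED )?CERTIFICATE-----(.*?)-----END", pem, re.S)
    der = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
    _, _, cert_end = _read_tlv(der)                     # certificate = first outer SEQUENCE
    return der[:cert_end], der[cert_end:]

def decode_aux(aux):
    """Decode the X509_CERT_AUX trailer; a plain certificate (empty trailer) yields no uses."""
    info = {"trust": [], "reject": [], "alias": None, "keyid": None}
    if not aux:
        return info
    handlers = {0x30: ("trust", _purposes), 0xA0: ("reject", _purposes),
                0x0C: ("alias", bytes.decode), 0x04: ("keyid", bytes.hex)}
    for tag, v in _iter_tlvs(_read_tlv(aux)[1]):     # [1] tag is ignored (e.g. 0xA1 "other")
        if tag in handlers:
            key, fn = handlers[tag]
            info[key] = fn(v)
    return info

def to_plain_pem(pem):
    """Drop the trailer: what remains is the root exactly as the CA publishes it."""
    return _pem(split_pem(pem)[0], "CERTIFICATE")

def same_certificate(pem_a, pem_b):
    """Compare certificate bytes only, so a trusted and a plain copy of one root match."""
    fp = lambda p: hashlib.sha256(split_pem(p)[0]).hexdigest()
    return fp(pem_a) == fp(pem_b)

# Constructed sample: a bare DER SEQUENCE stands in for a real X.509 root (the splitter
# only needs its outer length); the trailer is a genuine X509_CERT_AUX encoding.
FAKE_CERT_DER = _tlv(0x30, _tlv(0x02, b"\x01"))
_AUX = _tlv(0x30, _tlv(0x30, _encode_oid("1.3.6.1.5.5.7.3.1") + _encode_oid("1.3.6.1.5.5.7.3.2"))
            + _tlv(0xA0, _encode_oid("1.3.6.1.5.5.7.3.3")) + _tlv(0x0C, b"Example Root CA"))
SAMPLE_TRUSTED_PEM = _pem(FAKE_CERT_DER + _AUX, "TRUSTED CERTIFICATE")
```

On the real bundle, `decode_aux` on the USERTrust entry tells you which purposes the bundle trusts it for; if the trust list lacks serverAuth (or serverAuth is in the reject list), that, rather than the certificate itself, is why a chain ending in it fails for HTTPS. The same check can be done with the OpenSSL CLI: `openssl x509 -in trusted.pem -noout -fingerprint -sha256` prints the fingerprint of the certificate part only, so it matches the CA's published root byte for byte when the trailer is the only difference, and `openssl x509 -in root.pem -addtrust serverAuth -trustout` is the command that produces a TRUSTED CERTIFICATE block from a plain one.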