带有自签名证书，https的egit

Question

I would like to use a git repo that is accessigble through https, Https server has self signed certificate. I always get an error while trying to clone the repo with eclipse+egit:

https://host/path : cannot open git-upload-pack sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Is it possible to bypass this problem? I used export GIT_SSL_NO_VERIFY=1 command to skip ssl verification with the console client. This trick doesn't work with eclipse.

Thanks,

Hubi

Answer 1

You can also just set eGit to ignore server verification. In Eclipse go to Window -> Preferences.

From there go to Team -> Git -> Configuration

Click "New Entry"

Key: http.sslVerify Value: false

Click "OK"

Click "OK"

For a more detailed approach to this check out my blog post here: http://www.pur-logic.com/2012/04/21/egit-self-signed-certificate/

Answer 2

您必须将该证书导入密钥库（JDK目录中的默认密钥库cacerts或使用参数-Djavax.net.ssl.trustStore指定一个证书）。

Answer 3

The FAQ of CAcert provides the commandline for keytool:

keytool -keystore $/PATH/TO/CACERTS/KEYSTORE -storepass changeit -import -trustcacerts -v -alias cacertclass1 -file root.crt

• Possibly, you have to omit -trustcacerts to import a normal certificate.
• -alias might also be unnecessary

Answer 4

I had some trouble with this too, but with a different story. The hostname for the Git repo didn't match the cert's hostname. Solution was to change the cert to match the hostname.

Answer 5

We should use http.sslCAInfo option for this use-case.
However, eclipse JGit development status for this option has been stuck for a very long time.

FYI

• Re: http.sslcainfo config option
• Change 3199 - Needs Code-Review
• Change 3200 - Needs Code-Review