How can I make git accept a self-signed certificate?


Git Self-Signed Certificate Configuration

tl;dr

NEVER disable all SSL verification!

This creates a bad security culture. Don't be that person.

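The config keys you are after are:

http.sslverify - always true. See the note above.

These configure the host certificates you trust:

http.sslCAPath
http.sslCAInfo

These configure your own certificate for responding to SSL challenges:

http.sslCert
http.sslCertPasswordProtected

To apply the settings above selectively to specific hosts:

http.<url>.*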
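To check that a workstation or CI runner has not quietly broken the rule above, the following shell function (an added example, not part of the original answer) scans `git config --list` output for any entry that turns sslVerify off, globally or for a single host, and also flags the GIT_SSL_NO_VERIFY environment variable. The function name audit_sslverify, the sample lines and the host legacy.example are made up for illustration.

```shell
#!/bin/sh
# Added example: flag disabled TLS verification in `git config --list` output.
# Reads "key=value" lines on stdin and prints one finding per offending entry.
# Returns 0 when nothing disables verification, 1 otherwise.
# Assumption: the URL subsection contains no "=" character.
audit_sslverify() {
    findings=0
    while IFS= read -r line; do
        key=${line%%=*}
        case "$line" in
            *=*) value=${line#*=} ;;
            *)   value=true ;;   # a key listed without "=" is boolean true
        esac
        # git lowercases section and variable names; the URL subsection keeps its case
        case "$key" in
            http.sslverify)   scope="all hosts" ;;
            http.*.sslverify) scope=${key#http.}; scope="host ${scope%.sslverify}" ;;
            *) continue ;;
        esac
        # git treats false/no/off/0 and the empty string as boolean false
        case "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" in
            false|no|off|0|"")
                printf 'sslVerify disabled for %s\n' "$scope"
                findings=1 ;;
        esac
    done
    # git disables verification whenever this variable exists, whatever its value
    if [ -n "${GIT_SSL_NO_VERIFY+set}" ]; then
        printf 'GIT_SSL_NO_VERIFY is set in the environment\n'
        findings=1
    fi
    return "$findings"
}

# Constructed sample of `git config --list` output (not from a real machine).
SAMPLE='http.sslverify=false
http.https://your.domain.com.sslcainfo=/path/to/selfCA/self-signed-certificate.crt
http.https://your.domain.com.sslverify=true
http.https://legacy.example.sslverify=0'

printf '%s\n' "$SAMPLE" | audit_sslverify || true
```

On a real machine, run it as `git config --list | audit_sslverify`. It reports every entry that disables verification, not only the value that finally takes effect.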

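Global .gitconfig for self-signed certificate authorities

For my own and my colleagues' sake, here is how we got self-signed certificates to work without disabling sslVerify. Edit your .gitconfig using git config --global -e and add the following: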

    # Specify the scheme and host as a 'context' that only these settings apply
    # Must use Git v1.8.5+ for these contexts to work
    [credential "https://your.domain.com"]
      username = user.name

      # Uncomment the credential helper that applies to your platform
      # Windows
      # helper = manager

      # OSX
      # helper = osxkeychain

      # Linux (in-memory credential helper)
      # helper = cache

      # Linux (permanent storage credential helper)
      # https://askubuntu.com/a/776335/491772

    # Specify the scheme and host as a 'context' that only these settings apply
    # Must use Git v1.8.5+ for these contexts to work
    [http "https://your.domain.com"]
      ##################################
      # Self Signed Server Certificate #
      ##################################

      # MUST be PEM format
      # Some situations require both the CAPath AND CAInfo
      sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
      sslCAPath = /path/to/selfCA/
      sslVerify = true

      ###########################################
      # Private Key and Certificate information #
      ###########################################

      # Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE,
      # not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
      sslCert = /path/to/privatekey/myprivatecert.pem

      # Even if your PEM file is password protected, set this to false.
      # Setting this to true always asks for a password even if you don't have one.
      # When you do have a password, even with this set to false it will prompt anyhow.
      sslCertPasswordProtected = 0

References:

Git Credentials
Git Credential Store
Using Gnome Keyring as credential store
Git Config http.<url>.* Supported from Git v1.8.5

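Specify config when git clone-ing

If you need to apply this on a per-repository basis, the documentation tells you to just run git config --local in your repository directory. Well, that's not useful when you haven't cloned the repo locally yet, is it?

You can do the global -> local shuffle by setting your global config as above and then copying those settings into the local repository config once it has been cloned.

Or you can specify config commands at git clone time, which get applied to the target repository once it is cloned.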

    # Declare variables to make clone command less verbose
    OUR_CA_PATH=/path/to/selfCA/
    OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crt
    MY_PEM_FILE=/path/to/privatekey/myprivatecert.pem
    SELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"

    # With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.
    git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/

One liner

EDIT: See VonC's answer, which points out a caveat about absolute and relative paths that applies to the one liner below for specific git versions from 2.14.x/2.15.

    git clone -c http.sslCAPath="/path/to/selfCA" -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" -c http.sslVerify=1 -c http.sslCert="/path/to/privatekey/myprivatecert.pem" -c http.sslCertPasswordProtected=0 https://mygit.server.com/projects/myproject.git myproject/

CentOS unable to load client key

If you are trying this on CentOS and your .pem file is giving you

unable to load client key: "-8178 (SEC_ERROR_BAD_KEY)"

then you will want to know how curl uses NSS instead of OpenSSL.

You will then want to rebuild curl from source:

    # Fetch the source over HTTPS, since it is built and installed as root below
    git clone https://github.com/curl/curl.git curl/
    cd curl/

    # Need these for ./buildconf
    yum install autoconf automake libtool m4 nroff perl -y
    # Need these for ./configure
    yum install openssl-devel openldap-devel libssh2-devel -y

    ./buildconf
    su # Switch to super user to install into /usr/bin/curl
    ./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/
    make
    make install

Restart your computer, since libcurl is still in memory as a shared library.

Python, pip and conda

Related: How to add a custom CA Root certificate to the CA Store used by pip in Windows?


