Git自签名证书配置
TL;DR
Never disable all SSL verification!
It creates a bad security culture. Don't be that person.
The config keys you need are the http.* keys used in the config below:
http.sslVerify, http.sslCAPath and http.sslCAInfo are for configuring the host certificates you trust.
http.sslCert and http.sslCertPasswordProtected are for configuring your own certificate to respond to SSL challenges.
Apply the above settings selectively to specific hosts.
Global .gitconfig
Self-signed certificate authority
For myself and my colleagues, this is how we managed to get self-signed certificates to work without disabling sslVerify. Edit your .gitconfig using git config --global -e and add the following:
# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[credential "https://your.domain.com"]
username = user.name
# Uncomment the credential helper that applies to your platform
# Windows
# helper = manager
# OSX
# helper = osxkeychain
# Linux (in-memory credential helper)
# helper = cache
# Linux (permanent storage credential helper)
# https://askubuntu.com/a/776335/491772
# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[http "https://your.domain.com"]
##################################
# Self Signed Server Certificate #
##################################
# MUST be PEM format
# Some situations require both the CAPath AND CAInfo
sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
sslCAPath = /path/to/selfCA/
sslVerify = true
###########################################
# Private Key and Certificate information #
###########################################
# Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE,
# not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
sslCert = /path/to/privatekey/myprivatecert.pem
# Even if your PEM file is password protected, set this to false.
# Setting this to true always asks for a password even if you don't have one.
# When you do have a password, even with this set to false it will prompt anyhow.
sslCertPasswordProtected = 0
Specifying config when git clone-ing
If you need to apply this per repository, the documentation tells you to just run git config --local in your repository directory. Well, that is not much use when you haven't cloned the repo locally yet, is it?
You can do the global -> local hokey-pokey by setting the global config as above and then copying those settings into the local repository config after cloning...
Or, what you can do is specify config commands on git clone that are applied to the target repository once it is cloned.
# Declare variables to make clone command less verbose
OUR_CA_PATH=/path/to/selfCA/
OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crt
MY_PEM_FILE=/path/to/privatekey/myprivatecert.pem
SELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"
# With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.
git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/
One-liner
EDIT: see VonC's answer, which points out a warning about absolute and relative paths for this one-liner in specific git versions from 2.14.x / 2.15.
git clone -c http.sslCAPath="/path/to/selfCA" -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" -c http.sslVerify=1 -c http.sslCert="/path/to/privatekey/myprivatecert.pem" -c http.sslCertPasswordProtected=0 https://mygit.server.com/projects/myproject.git myproject/
unable to load client key on CentOS
If you are trying this on CentOS and your .pem file is giving you
unable to load client key: "-8178 (SEC_ERROR_BAD_KEY)"
then you will want this StackOverflow answer about how curl uses NSS instead of OpenSSL.
And you will want to rebuild curl from source:
# Clone over HTTPS so the source you build is fetched over a verified channel
git clone https://github.com/curl/curl.git curl/
cd curl/
# Need these for ./buildconf
sudo yum install autoconf automake libtool m4 nroff perl -y
# Need these for ./configure
sudo yum install openssl-devel openldap-devel libssh2-devel -y
./buildconf
# Build against OpenSSL instead of NSS; --prefix=/usr/ replaces the system curl
./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/
make
# Only the install step into /usr needs root
sudo make install
Because libcurl is still loaded in memory as a shared library, reboot the machine.
Python, pip and conda
Related: How do I add a custom CA root certificate to the CA store used by pip on Windows?
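As an added example (not part of the original answer): the config and the one-liner above both depend on the CA file being PEM and on the client .pem carrying a CERTIFICATE block alongside the PRIVATE KEY block. This bash script checks those preconditions before building the `-c http.*` options for git clone, so a bad file fails loudly instead of tempting you to flip sslVerify off. The directory layout and the PEM bodies are constructed placeholders for the demo, not real keys or certificates.

```bash
#!/usr/bin/env bash
# Added example: validate the PEM files the per-host config points at, then
# build the `-c http.*` options used by the `git clone` one-liner.
# All paths and file contents below are constructed for the demo.
set -u

# pem_has BLOCK FILE -> 0 if FILE contains a "-----BEGIN BLOCK-----" line.
pem_has() {
  grep -q -- "^-----BEGIN $1-----" "$2"
}

# check_self_sign_files CA_FILE CLIENT_PEM
# Returns 0 when both files look usable by Git/libcurl, 1 (with a reason)
# otherwise: the CA file must be PEM, and the client file must carry a
# CERTIFICATE block next to its private key, not just the key.
check_self_sign_files() {
  local ca_file=$1 client_pem=$2
  [ -r "$ca_file" ] || { echo "CA file not readable: $ca_file"; return 1; }
  [ -r "$client_pem" ] || { echo "client PEM not readable: $client_pem"; return 1; }
  pem_has CERTIFICATE "$ca_file" \
    || { echo "CA file is not PEM (no BEGIN CERTIFICATE): $ca_file"; return 1; }
  pem_has CERTIFICATE "$client_pem" \
    || { echo "client PEM lacks a CERTIFICATE block: $client_pem"; return 1; }
  if ! pem_has 'PRIVATE KEY' "$client_pem" && ! pem_has 'RSA PRIVATE KEY' "$client_pem" \
     && ! pem_has 'EC PRIVATE KEY' "$client_pem" && ! pem_has 'ENCRYPTED PRIVATE KEY' "$client_pem"; then
    echo "client PEM lacks a private key block: $client_pem"; return 1
  fi
  return 0
}

# self_sign_opts CA_PATH CA_FILE CLIENT_PEM
# Prints the host-scoped `-c` options; sslVerify stays on (1), always.
self_sign_opts() {
  local ca_path=$1 ca_file=$2 client_pem=$3
  check_self_sign_files "$ca_file" "$client_pem" >&2 || return 1
  printf -- '-c http.sslCAPath=%s -c http.sslCAInfo=%s -c http.sslVerify=1 -c http.sslCert=%s -c http.sslCertPasswordProtected=0\n' \
    "$ca_path" "$ca_file" "$client_pem"
}

# make_demo_files DIR: writes constructed placeholder PEM files into DIR.
# The base64-looking bodies are NOT real certificates or keys.
make_demo_files() {
  local dir=$1
  mkdir -p "$dir/selfCA" "$dir/privatekey"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedPlaceholderCA' \
    '-----END CERTIFICATE-----' > "$dir/selfCA/self-signed-certificate.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedPlaceholderClientCert' \
    '-----END CERTIFICATE-----' '-----BEGIN PRIVATE KEY-----' \
    'MIIEconstructedPlaceholderKey' '-----END PRIVATE KEY-----' \
    > "$dir/privatekey/myprivatecert.pem"
  # The mistake the answer warns about: key only, no CERTIFICATE block.
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEconstructedPlaceholderKey' \
    '-----END PRIVATE KEY-----' > "$dir/privatekey/key-only.pem"
}

# Demo: good files yield a clone command; the key-only PEM is rejected.
demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
if opts=$(self_sign_opts "$demo_dir/selfCA" \
            "$demo_dir/selfCA/self-signed-certificate.crt" \
            "$demo_dir/privatekey/myprivatecert.pem"); then
  echo "git clone $opts https://mygit.server.com/projects/myproject.git myproject/"
fi
if ! self_sign_opts "$demo_dir/selfCA" "$demo_dir/selfCA/self-signed-certificate.crt" \
       "$demo_dir/privatekey/key-only.pem"; then
  echo "rejected key-only PEM, as expected"
fi
rm -rf "$demo_dir"
```

The check is deliberately a format sanity check, not a validation of the certificate chain itself; libcurl does that when sslVerify is on, which is exactly why the option string never emits sslVerify=0.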