[certificate] server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I can push when I clone the project using ssh, but it doesn't work when I clone the project with https.

The error message that shows me is:

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none


The answer is


I just encountered the very same problem with a git repository which always works for me. The problem was that I accessed it through public WiFi access, which redirects to a captive portal upon the first connection (for example to show ads and agree with tos).


Another cause of this problem might be that your clock might be off. Certificates are time sensitive.

To check the current system time:

date -R

You might consider installing NTP to automatically sync the system time with trusted internet timeservers from the global NTP pool. For example, to install on Debian/Ubuntu:

apt-get install ntp

I messed up my CA files while I set up the goagent proxy. I can't pull data from github, and get the same warning:

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I used VonC's method, got the certificate from github, and put it into /etc/ssl/certs/ca-certificates.crt; problem solved.

echo -n | openssl s_client -showcerts -connect github.com:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'


Note: This has major security implications.

Open your terminal and run following command:

export GIT_SSL_NO_VERIFY=1

It works for me and I am using Linux system.


I installed Xubuntu on a Raspberry Pi 2 and found the same issue with time, as NTP and Automatic Server sync was off (or not installed). Get NTP

sudo apt-get install ntp

and change the "Time and Date" from "Manual" to "Keep synchronized with Internet Servers"


Had same problem. Caused by self issued certificate authority. Solved it by adding .pem file to /usr/local/share/ca-certificates/ and calling

sudo update-ca-certificates

PS: pem file in folder ./share/ca-certificates MUST have extension .crt


There is no need to set git ssl verification to false. It is caused when the system does not have all the CA authority certificates. Mostly, people who have a genuine SSL certificate are missing the intermediate certificate.

Just adding the complete text of intermediate certificate (whole chain of missing CA and intermediate certificate) to

sudo gedit /etc/ssl/certs/ca-certificates.crt 

works without running the update-ca-certificates.

Same goes for manually generated certificates, just add the CA certificate text.

At the end : Push successful: Everything is up-to-date


Check your system clock,

$ date

If it's not correct the certificate check will fail. To correct the system clock,

$ apt-get install ntp

The clock should synchronise itself.

Finally enter the clone command again.


TLDR:

hostname=XXX
port=443
trust_cert_file_location=`curl-config --ca`

sudo bash -c "echo -n | openssl s_client -showcerts -connect $hostname:$port -servername $hostname \
    2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'  \
    >> $trust_cert_file_location"

Long answer

The basic reason is that your computer doesn't trust the certificate authority that signed the certificate used on the Gitlab server. This doesn't mean the certificate is suspicious, but it could be self-signed or signed by an institution/company that isn't in the list of your OS's list of CAs. What you have to do to circumvent the problem on your computer is telling it to trust that certificate - if you don't have any reason to be suspicious about it.

You need to check the web certificate used for your GitLab server, and add it to your <git_installation_folder>/bin/curl-ca-bundle.crt.

To check if at least the clone works without checking said certificate, you can set:

export GIT_SSL_NO_VERIFY=1
#or
git config --global http.sslverify false

But that would be for testing only, as illustrated in "SSL works with browser, wget, and curl, but fails with git", or in this blog post.

Check your GitLab settings, as in issue 4272.


To get that certificate (that you would need to add to your curl-ca-bundle.crt file), type:

echo -n | openssl s_client -showcerts -connect yourserver.com:YourHttpsGitlabPort \
  2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

(with 'yourserver.com' being your GitLab server name, and YourHttpsGitlabPort is the https port, usually 443)

To check the CA (Certificate Authority issuer), type:

echo -n | openssl s_client -showcerts -connect yourserver.com:YourHttpsGitlabPort \
  2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  | openssl x509 -noout -text | grep "CA Issuers" | head -1

Note: Valeriy Katkov suggests in the comments adding the -servername option to the openssl command; otherwise the command doesn't show the certificate for www.github.com in Valeriy's case.

openssl s_client -showcerts -servername www.github.com -connect www.github.com:443

Findekano adds in the comments:

to identify the location of curl-ca-bundle.crt, you could use the command

curl-config --ca

Also, see my more recent answer "github: server certificate verification failed": you might have to reinstall those certificates:

sudo apt-get install --reinstall ca-certificates
sudo mkdir /usr/local/share/ca-certificates/cacert.org
sudo wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
sudo update-ca-certificates
git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt

Have the certificate and bundle copied in one .crt file and make sure that there is a blank line between the certificates in the file.

This worked for me on a GitLab server after trying everything on the Internet.


What worked for me when trying to git clone inside of a Dockerfile was to fetch the SSL certificate and add it to the local certificate list:

openssl s_client -showcerts -servername git.mycompany.com -connect git.mycompany.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'  > git-mycompany-com.pem

cat git-mycompany-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt

Credits: https://fabianlee.org/2019/01/28/git-client-error-server-certificate-verification-failed/


The first thing you should check for is the file permission of /etc/ssl and /etc/ssl/certs.

I made the mistake of dropping file permissions (or blowing away the SSL rm -rf /etc/ssl/* directories) when using ssl-cert group name/ID while working on my Certificate Authority Management Tool.

It was then that I noticed the exact same error message for wget and curl CLI browser tools:

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Once I brought the /etc/ssl and /etc/ssl/certs directories' file permissions up to o+rx-w, those CLI browser tools started to breathe a bit easier:

mkdir -p /etc/ssl/certs
chmod u+rwx,go+rx /etc/ssl /etc/ssl/certs

I also had to recreate Java subdirectory and reconstruct the Trusted CA certificate directories:

mkdir /etc/ssl/certs/java
chmod u+rwx,go+rx /etc/ssl/certs/java
update-ca-certificates

and the coast was clear.


What I did to solve this problem in the terminal (Ubuntu 18.04):

openssl s_client -showcerts -servername www.github.com -connect www.github.com:443

I got two certificate chunks, and I copied them into my certificate file, /etc/ssl/certs/ca-certificates.crt.


Eventually, add the http.sslverify to your .git/config.

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = https://server/user/project.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
[http]
    sslVerify = false

I faced the problem with my Jenkins. When I renewed the certificate, I started facing this error.

stderr fatal: unable to access server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt

So I have added my new certificate in the following file:

/etc/ssl/certs/ca-certificates.crt

The content of that file looks like this:

-----BEGIN CERTIFICATE-----
blahblha
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blahblha
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blahblha
-----END CERTIFICATE-----

Just append your certificate in the bottom:

-----BEGIN CERTIFICATE-----
blahblha
-----END CERTIFICATE-----

GIT_CURL_VERBOSE=1 git [clone|fetch]…

should tell you where the problem is. In my case it was due to cURL not supporting PEM certificates when built against NSS, due to that support not being mainline in NSS (#726116 #804215 #402712 and more).


If you are using a git server inside a private network and are using a self-signed certificate or a certificate over an IP address, you may also simply use the git global config to disable the ssl checks:

git config --global http.sslverify "false"

Or simply run this command to add the server certificate to your database:

# Append the PEM output directly so its line breaks are preserved
echo -n | openssl s_client -showcerts -connect yourserver.com:YourHttpsGitlabPort 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> /etc/ssl/certs/ca-certificates.crt

Then do git clone again.
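
Several answers above append whatever certificate the server presents to the system bundle, which trusts it for every TLS client on the machine without checking what was fetched. As an added example (not code from any of the answers), the script below checks a fetched PEM file against a fingerprint obtained out-of-band and against the local clock, then prints a git config command that trusts it for that one host only. The names vet_cert, cert_fingerprint, make_sample_cert and git.example.test are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: vet a fetched certificate before trusting it, then scope the
# trust to one Git host instead of the system-wide CA bundle.

# Print the SHA-256 fingerprint of the FIRST certificate in a PEM file
# (the leaf, when the file came from s_client -showcerts), as upper-case hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# vet_cert HOST PEM EXPECTED_SHA256
# Succeeds only if PEM parses, is not expired according to the local clock,
# and matches the fingerprint obtained out-of-band (e.g. from the server admin).
# On success, prints the git command that trusts PEM for HOST only.
vet_cert() {
    local host="$1" pem="$2" expected actual
    expected=$(printf '%s' "$3" | tr -d ':' | tr 'a-f' 'A-F')
    actual=$(cert_fingerprint "$pem")
    if [ -z "$actual" ]; then
        echo "error: $pem is not a readable PEM certificate" >&2; return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "error: certificate expired (or the system clock is wrong)" >&2; return 3
    fi
    if [ "$actual" != "$expected" ]; then
        echo "error: fingerprint mismatch, got $actual" >&2; return 4
    fi
    printf 'git config --global http.https://%s/.sslCAInfo %s\n' "$host" "$pem"
}

# Constructed sample input: a throwaway self-signed certificate so the example
# runs offline. In practice the PEM comes from the openssl s_client commands.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

demo() {
    local dir; dir=$(mktemp -d)
    make_sample_cert git.example.test "$dir/git.pem" || return 1
    # Matching fingerprint: prints the host-scoped git config command.
    vet_cert git.example.test "$dir/git.pem" "$(cert_fingerprint "$dir/git.pem")"
    # Wrong fingerprint (e.g. a captive portal's certificate): rejected.
    vet_cert git.example.test "$dir/git.pem" "00:11:22" || echo "rejected (rc=$?)"
    rm -rf "$dir"
}
demo || echo "demo needs the openssl command-line tool" >&2
```

For a server whose certificate is issued by a private CA, pass the CA certificate and its fingerprint instead of the leaf.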

