How can I make git accept a self signed certificate

Question

Using Git  is there a way to tell it to accept a self signed certificate   I am using an https server to host a git server but for now the certificate is self signed   When I try to create the repo there for the first time   git push origin master -f   I get the error   error  Cannot access URL      https   the server git aspx PocketReferences   return code 22  fatal  git-http-push failed

User · Answer

In the  gitconfig file you can add the below given value to make the self signed cert acceptable  sslCAInfo    home XXXX abc crt

User · Answer

To disable SSL verification for a specific repository If the repository is completely under your control  you can try    git config --global http sslVerify false

User · Answer

You can set GIT SSL NO VERIFY to true   GIT SSL NO VERIFY true git clone https   example com path to git   or alternatively configure Git not to verify the connection on the command line   git -c http sslVerify false clone https   example com path to git   Note that if you don t verify SSL TLS certificates  then you are susceptible to MitM attacks

User · Answer

To permanently accept a specific certificate  Try http sslCAPath or http sslCAInfo  Adam Spiers s answer gives some great examples  This is the most secure solution to the question   To disable TLS SSL verification for a single git command  try passing -c to git with the proper config variable  or use Flow s answer   git -c http sslVerify false clone https   example com path to git   To disable SSL verification for a specific repository  If the repository is completely under your control  you can try   git config --global http sslVerify false     There are quite a few  SSL configuration options in git  From the man page of git config   http sslVerify     Whether to verify the SSL certificate when fetching or pushing over HTTPS      Can be overridden by the GIT SSL NO VERIFY environment variable   http sslCAInfo     File containing the certificates to verify the peer with when fetching or pushing     over HTTPS  Can be overridden by the GIT SSL CAINFO environment variable   http sslCAPath     Path containing files with the CA certificates to verify the peer with when     fetching or pushing over HTTPS      Can be overridden by the GIT SSL CAPATH environment variable    A few other useful SSL configuration options   http sslCert     File containing the SSL certificate when fetching or pushing over HTTPS      Can be overridden by the GIT SSL CERT environment variable   http sslKey     File containing the SSL private key when fetching or pushing over HTTPS      Can be overridden by the GIT SSL KEY environment variable   http sslCertPasswordProtected     Enable git s password prompt for the SSL certificate  Otherwise OpenSSL will     prompt the user  possibly many times  if the certificate or private key is encrypted      Can be overridden by the GIT SSL CERT PASSWORD PROTECTED environment variable

User · Answer

Check your antivirus and firewall settings   From one day to the other  git did not work anymore  With what is described above  I found that Kaspersky puts a self-signed Anti-virus personal root certificate in the middle  I did not manage to let Git accept that certificate following the instructions above  I gave up on that  What works for me is to disable the feature to Scan encrypted connections    Open Kaspersky Settings   Additional   Network   Do not scan encrypted connections   After this  git works again with sslVerify enabled   Note  This is still not satisfying for me  because I would like to have that feature of my Anti-Virus active  In the advanced settings  Kaspersky shows a list of websites that will not work with that feature  Github is not listed as one of them  I will check it at the Kaspersky forum  There seem to be some topics  e g   https   forum kaspersky com index php  topic 395220-kis-interfering-with-git  amp tab comments comment-2801211

User · Answer

Git Self-Signed Certificate Configuration  tl dr     NEVER disable all SSL verification       This creates a bad security culture  Don t be that person    The config keys you are after are    http sslverify - Always true  See above note    These are for configuring host certificates you trust   http sslCAPath  http sslCAInfo    These are for configuring YOUR certificate to respond to SSL challenges    http sslCert http sslCertPasswordProtected   Selectively apply the above settings to specific hosts    http  lt url gt      Global  gitconfig for Self-Signed Certificate Authorities  For my own and my colleagues  sake here is how we managed to get self signed certificates to work without disabling sslVerify  Edit your  gitconfig to using git config --global -e add these      Specify the scheme and host as a  context  that only these settings apply   Must use Git v1 8 5  for these contexts to work  credential  https   your domain com     username   user name      Uncomment the credential helper that applies to your platform     Windows     helper   manager      OSX     helper   osxkeychain      Linux  in-memory credential helper      helper   cache      Linux  permanent storage credential helper      https   askubuntu com a 776335 491772    Specify the scheme and host as a  context  that only these settings apply    Must use Git v1 8 5  for these contexts to work  http  https   your domain com                                            Self Signed Server Certificate                                             MUST be PEM format     Some situations require both the CAPath AND CAInfo    sslCAInfo    path to selfCA self-signed-certificate crt   sslCAPath    path to selfCA    sslVerify   true                                                    Private Key and Certificate information                                                      Must be PEM format and include BEGIN CERTIFICATE   END CERTIFICATE       not just the BEGIN PRIVATE KEY   END PRIVATE KEY for Git to recognise it    sslCert    path to privatekey myprivatecert pem      Even if your PEM file is password protected  set this to false      Setting this to true always asks for a password even if you don t have one      When you do have a password  even with this set to false it will prompt anyhow     sslCertPasswordProtected   0   References    Git Credentials Git Credential Store Using Gnome Keyring as credential store Git Config http  lt url gt    Supported from Git v1 8 5   Specify config when git clone-ing  If you need to apply it on a per repo basis  the documentation tells you to just run git config --local in your repo directory  Well that s not useful when you haven t got the repo cloned locally yet now is it   You can do the global - gt  local hokey-pokey by setting your global config as above and then copy those settings to your local repo config once it clones      OR what you can do is specify config commands at git clone that get applied to the target repo once it is cloned     Declare variables to make clone command less verbose      OUR CA PATH  path to selfCA  OUR CA FILE  OUR CA PATH self-signed-certificate crt MY PEM FILE  path to privatekey myprivatecert pem SELF SIGN CONFIG  -c http sslCAPath  OUR CA PATH -c http sslCAInfo  OUR CA FILE -c http sslVerify 1 -c http sslCert  MY PEM FILE -c http sslCertPasswordProtected 0     With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos  git clone  SELF SIGN CONFIG https   mygit server com projects myproject git myproject    One Liner  EDIT  See VonC s answer that points out a caveat about absolute and relative paths for specific git versions from 2 14 x 2 15 to this one liner  git clone -c http sslCAPath   path to selfCA  -c http sslCAInfo   path to selfCA self-signed-certificate crt  -c http sslVerify 1 -c http sslCert   path to privatekey myprivatecert pem  -c http sslCertPasswordProtected 0 https   mygit server com projects myproject git myproject    CentOS unable to load client key  If you are trying this on CentOS and your  pem file is giving you   unable to load client key   -8178  SEC ERROR BAD KEY     Then you will want this StackOverflow answer about how curl uses NSS instead of Open SSL   And you ll like want to rebuild curl from source   git clone http   github com curl curl git curl  cd curl    Need these for   buildconf yum install autoconf automake libtool m4 nroff perl -y  Need these for   configure yum install openssl-devel openldap-devel libssh2-devel -y    buildconf su   Switch to super user to install into  usr bin curl   configure --with-openssl --with-ldap --with-libssh2 --prefix  usr  make make install   restart computer since libcurl is still in memory as a shared library  Python  pip and conda  Related  How to add a custom CA Root certificate to the CA Store used by pip in Windows

User · Answer

On Windows this worked for me    Add the content of your self signed certificate to the end of the ca-bundle file  Including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines  The location of the ca-bundle file is usually C  Program Files Git mingw64 ssl certs  Afterwards  add the path of the ca-bundle file to the global git config  The following command does the trick  git config --global http sslCAInfo  C  Program Files Git mingw64 ssl certs ca-bundle crt   Remark  The Path depends on your local path of the ca-bundle file

User · Answer

I keep coming across this problem  so have written a script to download the self signed certificate from the server and install it to    gitcerts  then update git-config to point to these certificates   It is stored in global config  so you only need to run it once per remote   https   github com iwonbigbro tools blob master bin git-remote-install-cert sh

User · Answer

I m not a huge fan of the  EDIT  original versions of the  existing answers  because disabling security checks should be a last resort  not the first solution offered   Even though you cannot trust self-signed certificates on first receipt without some additional method of verification  using the certificate for subsequent git operations at least makes life a lot harder for attacks which only occur after you have downloaded the certificate   In other words  if the certificate you downloaded is genuine  then you re good from that point onwards   In contrast  if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point   To give a specific example  the famous repo or cz repository provides a self-signed certificate   I can download that file  place it somewhere like  etc ssl certs  and then do     Initial clone GIT SSL CAINFO  etc ssl certs rorcz root cert pem       git clone https   repo or cz org-mode git    Ensure all future interactions with origin remote also work cd org-mode git config http sslCAInfo  etc ssl certs rorcz root cert pem   Note that using local git config here  i e  without --global  means that this self-signed certificate is only trusted for this particular repository  which is nice   It s also nicer than using GIT SSL CAPATH since it eliminates the risk of git doing the verification via a different Certificate Authority which could potentially be compromised

User · Answer

My answer may be late but it worked for me  It may help somebody   I tried above mentioned steps and that didn t solved the issue   try thisgit config --global http sslVerify false

User · Answer

Be careful when you are using one liner using sslKey or sslCert  as in Josh Peak s answer   git clone -c http sslCAPath   path to selfCA      -c http sslCAInfo   path to selfCA self-signed-certificate crt      -c http sslVerify 1     -c http sslCert   path to privatekey myprivatecert pem      -c http sslCertPasswordProtected 0   https   mygit server com projects myproject git myproject   Only Git 2 14 x 2 15  Q3 2015  would be able to interpret a path like  username mykey correctly  while it still can interpret an absolute path like  path to privatekey    See commit 8d15496  20 Jul 2017  by Junio C Hamano  gitster   Helped-by  Charles Bailey  hashpling    Merged by Junio C Hamano -- gitster -- in commit 17b1e1d  11 Aug 2017        http c  http sslcert and http sslkey are both pathnames      Back when the modern http options   codepath was created to parse   various http   options at 29508e1   Isolate shared HTTP request   functionality   2005-11-18  Git 0 99 9k   and then later was corrected for   interation between the multiple configuration files in 7059cd9     http init    Fix config file parsing   2009-03-09  Git 1 6 3-rc0   we parsed   configuration variables like http sslkey  http sslcert as plain   vanilla strings  because git config pathname   that understands      username    prefix did not exist         Later  we converted some of them  namely  http sslCAPath and http sslCAInfo  to use the function  and added variables like http cookeyFile http pinnedpubkey to use the function from the beginning   Because of that  these variables all understand    username    prefix       Make the remaining two variables  http sslcert and http sslkey  also   aware of the convention  as they are both clearly pathnames to   files

User · Answer

It works for me just run following command git config --global http sslVerify false  it will open a git credentials window give your credentials   for first time only it ask

User · Answer

I do it like this   git init git config --global http sslVerify false git clone https   myurl myrepo git

User · Answer

Using 64bit version of Git on Windows  just add the self signed CA certificate into these files     C  Program Files Git mingw64 ssl certs ca-bundle crt  C  Program Files Git mingw64 ssl certs ca-bundle trust crt   If it is just a server self signed certificate add it into   C  Program Files Git mingw64 ssl cert pem

User · Answer

It   s not a good practice to set http sslVerify false   Instead we can use SSL certificate   So  build agent will use https with SSL certificate and PAT for authentication          Copy the content of cer file including    begin   and    end--   git bash on build agent     git config    global http sslcainfo    C  Program Files Git mingw64 ssl certs ca-bundle crt    Go to this file and append the  cer content   Thus  build agent can access the SSL certificate

User · Answer

This answer is excerpted from this article authored by Michael Kauffman   Use Git for Windows with a corporate SSL certificate  Issue    If you have a corporate SSL certificate and want to clone your repo from the console or VSCode you get the following error   fatal  unable to access    https   myserver tfs DefaultCollection  git Proj      SSL certificate problem  unable to get local issuer certificate  Solution    Export the root self-signed Certificate to a file  You can do this from within your browser  Locate the    ca-bundle crt    file in your git folder  current version C  Program Files Git usr ssl certs but is has changed in the past   Copy the file to your user profile  Open it with a text editor like VSCode and add the content of your exported certificate to the end of the file    Now we have to configure git to use the new file   git config --global http sslCAInfo C  Users  lt yourname gt  ca-bundle crt  This will add the following entry to your  gitconfig file in the root of your user profile    http      sslCAInfo   C  Users  lt yourname gt  ca-bundle crt

User · Answer

I use a windows machine and this article helped me  Basically I opened ca-bundle crt in notepad and added chain certificates in it  all of them   This issue usually happens for company networks where we have middle men sitting between system and git repo  We need to export all of the certs in cert chain except leaf cert in base 64 format and add all of them to ca-bundle crt and then configure git for this modified crt file

[git] How can I make git accept a self signed certificate?

Examples related to git

Examples related to version-control

Examples related to https

Examples related to self-signed