configure Git to accept a particular self-signed server certificate for a particular https remote

Question

The sysadmin for a project I m on has decided that SSH is  too much trouble   instead  he has set up Git to be accessible via an https    URL  and username password authentication   The server for this URL presents a self-signed certificate  so he advised everyone to turn off certificate validation  This does not strike me as a good setup  security-wise   Is it possible to tell Git that for remote X  or better  any remote in any repository that happens to begin with https    SERVERNAME   it is to accept a particular certificate  and only that certificate   Basically reduplicate SSH s server-key behavior

User · Answer

On windows in a corporate environment where certificates are distributed from a single source  I found this answer solved the issue  https   stackoverflow com a 48212753 761755

User · Answer

Briefly    Get the self signed certificate Put it into some  e g    git-certs cert pem  file Set git to trust this certificate using http sslCAInfo parameter   In more details   Get self signed certificate of remote server  Assuming  the server URL is repos sample com and you want to access it over port 443   There are multiple options  how to get it   Get certificate using openssl    openssl s client -connect repos sample com 443   Catch the output into a file cert pem and delete all but part between  and including  -BEGIN CERTIFICATE- and -END CERTIFICATE-  Content of resulting file   git-certs cert pem may look like this   -----BEGIN CERTIFICATE----- MIIDnzCCAocCBE xnXAwDQYJKoZIhvcNAQEFBQAwgZMxCzAJBgNVBAYTAkRFMRUw EwYDVQQIEwxMb3dlciBTYXhvbnkxEjAQBgNVBAcTCVdvbGZzYnVyZzEYMBYGA1UE ChMPU2FhUy1TZWN1cmUuY29tMRowGAYDVQQDFBEqLnNhYXMtc2VjdXJlLmNvbTEj MCEGCSqGSIb3DQEJARYUaW5mb0BzYWFzLXNlY3VyZS5jb20wHhcNMTIwNzAyMTMw OTA0WhcNMTMwNzAyMTMwOTA0WjCBkzELMAkGA1UEBhMCREUxFTATBgNVBAgTDExv d2VyIFNheG9ueTESMBAGA1UEBxMJV29sZnNidXJnMRgwFgYDVQQKEw9TYWFTLVNl Y3VyZS5jb20xGjAYBgNVBAMUESouc2Fhcy1zZWN1cmUuY29tMSMwIQYJKoZIhvcN AQkBFhRpbmZvQHNhYXMtc2VjdXJlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBAMUZ472W3EVFYGSHTgFV0LR2YVE1U  sZimhCKGFBhH3ZfGwqtu7 mzOhlCQef9nqGxgH U5DG43B6MxDzhoP7R8e1GLbNH3xVqMHqEdcek8jtiJvfj2a pRSkFTCVJ9i0GYFOQfQYV6RJ4vAunQioiw07OmsxL6C5l3K r qJTlStpPK5dv4z Sy jmAcQMaIcWv8wgBAxdzo8UVwIL63gLlBz7WfSB2Ti5XBbse 83wyNa5bPJPf1 U 7uLSofz dehHtgtKfHD8XpPoQBt0Y9ExbLN1ysdR9XfsNfBI5K6Uokq tVDxNi SHM4 7uKNo 4b7OP24hvCeXW8oRyRzpyDxMCAwEAATANBgkqhkiG9w0BAQUFAAOC AQEAp7S E1ZGCey5Oyn3qwP4q geQqOhRtaPqdH6ABnqUYHcGYB77GcStQxnqnOZ MJwIaIZqlz 59taB6U2lG30u3cZ1FITuz fWXdfELKPWPjDoHkwumkz3zcCVrrtI ktRzk7AeazHcLEwkUjB5Rm75N9 dOo6Ay89JCcPKb tNqOszY10y6U3kX3uiSzrJ ejSq tRyvMFT1FlJ8tKoZBWbkThevMhx7jk5qsoCpLPmPoYCEoLEtpMYiQnDZgUc TNoL1GjoDrjgmSen4QN5QZEGTOe dsv1sGxWC Tv VwUl2GqVtKPZdKtGFqI8TLn  27 jIdVQIKvHok2P u9tvTUQA   -----END CERTIFICATE-----   Get certificate using your web browser  I use Redmine with Git repositories and I access the same URL for web UI and for git command line access  This way  I had to add exception for that domain into my web browser   Using Firefox  I went to Options - gt  Advanced - gt  Certificates - gt  View Certificates - gt  Servers  found there the selfsigned host  selected it and using Export button I got exactly the same file  as created using openssl   Note  I was a bit surprised  there is no name of the authority visibly mentioned  This is fine   Having the trusted certificate in dedicated file  Previous steps shall result in having the certificate in some file  It does not matter  what file it is as long as it is visible to your git when accessing that domain  I used   git-certs cert pem  Note  If you need more trusted selfsigned certificates  put them into the same file   -----BEGIN CERTIFICATE----- MIIDnzCCAocCBE xnXAwDQYJKoZIhvcNAQEFBQAwgZMxCzAJBgNVBAYTAkRFMRUw              27 jIdVQIKvHok2P u9tvTUQA   -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- AnOtHeRtRuStEdCeRtIfIcAtEgOeShErExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw              27 jIdVQIKvHok2P u9tvTUQA   -----END CERTIFICATE-----   This shall work  but I tested it only with single certificate    Configure git to trust this certificate    git config --global http sslCAInfo  home javl git-certs cert pem   You may also try to do that system wide  using --system instead of --global   And test it  You shall now be able communicating with your server without resorting to     git config --global http sslVerify false  NO NEED TO USE THIS   If you already set your git to ignorance of ssl certificates  unset it     git config --global --unset http sslVerify   and you may also check  that you did it all correctly  without spelling errors     git config --global --list   what should list all variables  you have set globally   I mispelled http to htt

User · Answer

OSX User adjustments   Following the steps of the Accepted answer worked for me with a small addition when configuring on OSX   I put the cert pem file in a directory under my OSX logged in user and thus caused me to adjust the location for the trusted certificate   Configure git to trust this certificate     git config --global http sslCAInfo  HOME git-certs cert pem

[git] configure Git to accept a particular self-signed server certificate for a particular https remote

The answer is

Examples related to git

Examples related to ssl-certificate

Tags