How can I make git accept a self signed certificate?
To permanently accept a specific certificate
Try http.sslCAPath or http.sslCAInfo. Adam Spiers's answer gives some great examples. This is the most secure solution to the question.
To disable TLS/SSL verification for a single git command
try passing -c to git with the proper config variable, or use Flow's answer:
git -c http.sslVerify=false clone https://example.com/path/to/git
To disable SSL verification for all repositories
It is possible to globally deactivate ssl verification. It is highly recommended to NOT do this but it is mentioned for completeness:
git config --global http.sslVerify false # Do NOT do this!
There are quite a few SSL configuration options in git. From the man page of git config:
http.sslVerify
Whether to verify the SSL certificate when fetching or pushing over HTTPS.
Can be overridden by the GIT_SSL_NO_VERIFY environment variable.
http.sslCAInfo
File containing the certificates to verify the peer with when fetching or pushing
over HTTPS. Can be overridden by the GIT_SSL_CAINFO environment variable.
http.sslCAPath
Path containing files with the CA certificates to verify the peer with when
fetching or pushing over HTTPS.
Can be overridden by the GIT_SSL_CAPATH environment variable.
A few other useful SSL configuration options:
http.sslCert
File containing the SSL certificate when fetching or pushing over HTTPS.
Can be overridden by the GIT_SSL_CERT environment variable.
http.sslKey
File containing the SSL private key when fetching or pushing over HTTPS.
Can be overridden by the GIT_SSL_KEY environment variable.
http.sslCertPasswordProtected
Enable git's password prompt for the SSL certificate. Otherwise OpenSSL will
prompt the user, possibly many times, if the certificate or private key is encrypted.
Can be overridden by the GIT_SSL_CERT_PASSWORD_PROTECTED environment variable.
I'm not a huge fan of the [EDIT: original versions of the] existing answers, because disabling security checks should be a last resort, not the first solution offered. Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent git operations at least makes life a lot harder for attacks which only occur after you have downloaded the certificate. In other words, if the certificate you downloaded is genuine, then you're good from that point onwards. In contrast, if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point.
To give a specific example: the famous repo.or.cz repository provides a self-signed certificate. I can download that file, place it somewhere like /etc/ssl/certs, and then do:
# Initial clone
GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
git clone https://repo.or.cz/org-mode.git
# Ensure all future interactions with origin remote also work
cd org-mode
git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem
Note that using local git config here (i.e. without --global) means that this self-signed certificate is only trusted for this particular repository, which is nice. It's also nicer than using GIT_SSL_CAPATH since it eliminates the risk of git doing the verification via a different Certificate Authority which could potentially be compromised.
Git Self-Signed Certificate Configuration
tl;dr
NEVER disable all SSL verification!
This creates a bad security culture. Don't be that person.
The config keys you are after are:
http.sslverify- Always true. See above note.
These are for configuring host certificates you trust
http.sslCAPathhttp.sslCAInfo
These are for configuring YOUR certificate to respond to SSL challenges.
http.sslCerthttp.sslCertPasswordProtected
Selectively apply the above settings to specific hosts.
http.<url>.*
Global .gitconfig for Self-Signed Certificate Authorities
For my own and my colleagues' sake here is how we managed to get self signed certificates to work without disabling sslVerify. Edit your .gitconfig to using git config --global -e add these:
# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[credential "https://your.domain.com"]
username = user.name
# Uncomment the credential helper that applies to your platform
# Windows
# helper = manager
# OSX
# helper = osxkeychain
# Linux (in-memory credential helper)
# helper = cache
# Linux (permanent storage credential helper)
# https://askubuntu.com/a/776335/491772
# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[http "https://your.domain.com"]
##################################
# Self Signed Server Certificate #
##################################
# MUST be PEM format
# Some situations require both the CAPath AND CAInfo
sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
sslCAPath = /path/to/selfCA/
sslVerify = true
###########################################
# Private Key and Certificate information #
###########################################
# Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE,
# not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
sslCert = /path/to/privatekey/myprivatecert.pem
# Even if your PEM file is password protected, set this to false.
# Setting this to true always asks for a password even if you don't have one.
# When you do have a password, even with this set to false it will prompt anyhow.
sslCertPasswordProtected = 0
References:
- Git Credentials
- Git Credential Store
- Using Gnome Keyring as credential store
- Git Config http.<url>.* Supported from Git v1.8.5
Specify config when git clone-ing
If you need to apply it on a per repo basis, the documentation tells you to just run git config --local in your repo directory. Well that's not useful when you haven't got the repo cloned locally yet now is it?
You can do the global -> local hokey-pokey by setting your global config as above and then copy those settings to your local repo config once it clones...
OR what you can do is specify config commands at git clone that get applied to the target repo once it is cloned.
# Declare variables to make clone command less verbose
OUR_CA_PATH=/path/to/selfCA/
OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crt
MY_PEM_FILE=/path/to/privatekey/myprivatecert.pem
SELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"
# With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.
git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/
One Liner
EDIT: See VonC's answer that points out a caveat about absolute and relative paths for specific git versions from 2.14.x/2.15 to this one liner
git clone -c http.sslCAPath="/path/to/selfCA" -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" -c http.sslVerify=1 -c http.sslCert="/path/to/privatekey/myprivatecert.pem" -c http.sslCertPasswordProtected=0 https://mygit.server.com/projects/myproject.git myproject/
CentOS unable to load client key
If you are trying this on CentOS and your .pem file is giving you
unable to load client key: "-8178 (SEC_ERROR_BAD_KEY)"
Then you will want this StackOverflow answer about how curl uses NSS instead of Open SSL.
And you'll like want to rebuild curl from source:
git clone http://github.com/curl/curl.git curl/
cd curl/
# Need these for ./buildconf
yum install autoconf automake libtool m4 nroff perl -y
#Need these for ./configure
yum install openssl-devel openldap-devel libssh2-devel -y
./buildconf
su # Switch to super user to install into /usr/bin/curl
./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/
make
make install
restart computer since libcurl is still in memory as a shared library
Python, pip and conda
Related: How to add a custom CA Root certificate to the CA Store used by pip in Windows?
You can set GIT_SSL_NO_VERIFY to true:
GIT_SSL_NO_VERIFY=true git clone https://example.com/path/to/git
or alternatively configure Git not to verify the connection on the command line:
git -c http.sslVerify=false clone https://example.com/path/to/git
Note that if you don't verify SSL/TLS certificates, then you are susceptible to MitM attacks.