Problem

When accessing a Git server (pushing or pulling new commits), we get an error:

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Analysis

Apparently, the certificate of your Git server is not trusted.

This usually happens if the Git server is using a self-signed SSL certificate, a Let’s Encrypt certificate (which has to be renewed at least every 3 months) or simply because the certificate has expired.

BEWARE: This error might also mean that the Git server’s certificate is forged!

Solution

There are basically 3 solutions to this issue:

  1. Turning off the SSL cert check – fast with a possible security risk
  2. Appending a certificate to the system-wide trusted ones – requires a bit of effort but is the more proper approach
  3. Adding the certificate to the ~/.gitconfig

Solution 1

The first “fast & dirty” solution is simply to disable the SSL certificate check. There are two approaches to achieve this:

First: By setting the GIT_SSL_NO_VERIFY environment variable by executing the following command:

$ export GIT_SSL_NO_VERIFY=true

You can also set this in your shell startup script (e.g. ~/.bashrc in case of Bash).

Setting GIT_SSL_NO_VERIFY=true will apply to all repos you are using.

If you want to turn off SSL checks only for some repos you can prefix your command with GIT_SSL_NO_VERIFY=true, for example:

$ GIT_SSL_NO_VERIFY=true git remote add

Second: By setting the http.sslVerify config value of the repo to false, like this:

git config http.sslVerify "false"

This will disable the SSL certificate check for a specific repo only.

WARNING: Please note that by turning SSL checks off you are exposing yourself to a possible security risk. While your connection will be SSL encrypted, the SSL certificate might be forged.

You can also disable SSL checking for all repos:

git config --global http.sslVerify "false"

There is a -c switch which allows a specific configuration parameter to be passed to git when cloning a repo:

git -c http.sslVerify=false clone https://example.com/path/to/git

If one wants to disable SSL checks for one specific Git server hosting several repositories, one can run:

git config --global --bool --add http.https://example.com.sslverify false

This should add the setting to the user’s configuration.

Solution 2

Add the certificate to the list of trusted certificates. Follow these steps:



1. Retrieve the certificate

$ echo -n | openssl s_client -showcerts -connect YOUR_HOST:443

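Replace YOUR_HOST with the hostname or IP of your Git server. Since the certificate is fetched over the same connection that failed verification, compare its fingerprint with one obtained from the server's administrator before trusting it.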

2. Copy the certificate between and including the following enclosing tags:

-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

3. Append the certificate to the file:

/etc/ssl/certs/ca-certificates.crt

This file can have other locations too. Determine the location of the ca-certificates.crt file by running:

$ curl-config --ca

Or, to automate this, create the script shown below. Do not forget to replace YOUR_HOST with the hostname or IP of your Git server in the script.

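#!/bin/sh
# Fetch the certificate(s) presented by the Git server and append them
# to the CA bundle reported by curl-config.
hostname=YOUR_HOST
port=443
trust_cert_file_location=$(curl-config --ca)

# sudo runs the whole pipeline, including the >> redirect, as root
sudo bash -c "echo -n | openssl s_client -showcerts -connect ${hostname}:${port} \
 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
 >> ${trust_cert_file_location}"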

As a prerequisite you might need to install the libcurl4-openssl-dev package:

$ sudo apt-get install libcurl4-openssl-dev

Solution 3

One can add a certificate to trusted ones by adding the following into ~/.gitconfig:

[http]
sslCAInfo=/path/to/your/certificate/file.pem

where file.pem must contain a certificate either retrieved as described in Solution 2 or a self-signed one.

Or one can disable certificate verification by adding to ~/.gitconfig:

[http]
sslVerify = false

Of course ~ represents the user’s home directory.

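Lastly one can disable SSL cert checks for a specific server only. In the example below the bare sslVerify line (a key with no value is read as true) keeps verification on for all other servers: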

[http]
sslVerify

[http "https://example.com"]
sslVerify = false
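
The settings from Solution 1 and Solution 3 stay in effect until someone removes them, so it is worth checking which of them are still active. The script below is an added example, not part of the original post: it lists every entry that disables certificate verification, reading lines in the format printed by git config --list --show-origin. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Git settings that leave TLS certificate verification off.
# Real use:  git config --list --show-origin | find_ssl_verify_off

# Read lines shaped like `git config --list --show-origin` output
# (origin, TAB, key=value) and print "origin<TAB>scope" for each
# http.sslVerify or http.<url>.sslVerify entry whose value is false.
find_ssl_verify_off() {
    awk -F '\t' '
    {
        origin = (NF > 1) ? $1 : "-"
        entry = $NF
        eq = index(entry, "=")
        if (eq == 0) next                 # bare key (no "=") means true
        key = substr(entry, 1, eq - 1)
        val = tolower(substr(entry, eq + 1))
        if (tolower(key) !~ /^http\.(.*\.)?sslverify$/) next
        # Git reads false, no, off, 0 and the empty string as false
        if (val == "false" || val == "no" || val == "off" || val == "0" || val == "") {
            scope = "all hosts"
            # strip the leading "http." and trailing ".sslverify" to get the URL
            if (length(key) > 15) scope = substr(key, 6, length(key) - 15)
            print origin "\t" scope
        }
    }'
}

# Git disables verification whenever GIT_SSL_NO_VERIFY is set, whatever its
# value, so GIT_SSL_NO_VERIFY=false still turns the check off.
env_disables_verify() {
    [ "${GIT_SSL_NO_VERIFY+set}" = "set" ]
}

# Constructed sample input (not taken from a real machine).
sample_config() {
    printf 'file:/home/dev/.gitconfig\thttp.sslverify\n'
    printf 'file:/home/dev/.gitconfig\thttp.https://example.com.sslverify=false\n'
    printf 'file:.git/config\thttp.sslverify=False\n'
    printf 'file:.git/config\thttp.sslcainfo=/path/to/your/certificate/file.pem\n'
    printf 'command line:\thttp.sslverify=0\n'
}

sample_config | find_ssl_verify_off
if env_disables_verify; then echo "GIT_SSL_NO_VERIFY is set"; fi
```

The output lists each false entry, not the effective value: a later entry in a more specific file can still override an earlier one.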

 
