Problem

When accessing a Git server (pushing or pulling new commits), we get an error:

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Analysis

Apparently, the certificate of your Git server is not trusted.

This can happen if the Git server uses, for example, a Let’s Encrypt certificate, which gets renewed at least every 3 months.

Solution

There are basically two solutions to this issue: a fast one with a possible security risk, and a second one that requires a bit of effort but is the proper fix.

Solution 1

The first “fast & dirty” solution is simply to disable the SSL certificate check. There are two approaches to achieve this:

First: set the GIT_SSL_NO_VERIFY environment variable by executing the following command:

$ export GIT_SSL_NO_VERIFY=true

You can also set this in your shell startup script (e.g. ~/.bashrc in the case of Bash).

Beware: Setting GIT_SSL_NO_VERIFY=true will apply to all repos you are using.

If you want to turn off SSL checks only for some repos, you can prefix your command with GIT_SSL_NO_VERIFY=true, for example:

$ GIT_SSL_NO_VERIFY=true git remote add

Second: set the http.sslVerify config value of the repo to false, like this:

$ git config http.sslVerify "false"

Warning: By turning SSL checks off you are exposing yourself to a possible security risk. Your connection will still be SSL encrypted, but the server's certificate is no longer checked, so it might be forged.

Solution 2

Add the certificate to the list of trusted certificates. Follow these steps:



1. Retrieve the certificate

$ echo -n | openssl s_client -showcerts -connect YOUR_HOST:443

Replace YOUR_HOST with the hostname or IP of your Git server.

2. Copy the certificate from the output, from the opening marker to the closing marker, including both marker lines:

-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

3. Append the certificate to the file:

/etc/ssl/certs/ca-certificates.crt

The file may be in a different location on your system. Determine the location of the ca-certificates.crt file by running:

$ curl-config --ca

Or, to automate this, create the script shown below. Do not forget to replace YOUR_HOST with the hostname or IP of your Git server in the script.

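#!/bin/sh
# Append every certificate the Git server presents to curl's CA bundle.
hostname=YOUR_HOST
port=443
trust_cert_file_location=$(curl-config --ca)

# Fetch the certificates as the current user; only the append needs root.
openssl s_client -showcerts -connect "${hostname}:${port}" </dev/null 2>/dev/null \
 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
 | sudo tee -a "${trust_cert_file_location}" >/dev/null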

As a prerequisite you might need to install the libcurl4-openssl-dev package, which provides curl-config:

$ sudo apt-get install libcurl4-openssl-dev
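
The steps above trust whatever certificate the network hands back. The following added example (not part of the original post) pins the server's certificate only when its SHA-256 fingerprint matches a value obtained out of band, and limits the trust to one repository through Git's http.sslCAInfo setting instead of editing the system bundle. The function names, the pinned-server.pem file name and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names, file name and sample input are assumptions.
# Usage: openssl s_client -showcerts -connect YOUR_HOST:443 </dev/null | pin_cert FP REPO

# Keep only the first PEM block: the server's own certificate, which
# s_client -showcerts prints before the rest of the chain.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ && !done {p=1}
         p {print}
         p && /-----END CERTIFICATE-----/ {p=0; done=1}'
}

# SHA-256 of the DER bytes in lowercase hex: the value printed by
# `openssl x509 -noout -fingerprint -sha256`, colons removed, lowercased.
cert_sha256() {
    sed '/^-----/d' | base64 -d | sha256sum | cut -d' ' -f1
}

# verified_cert EXPECTED_SHA256 < s_client_output
# Prints the certificate only when its fingerprint matches.
verified_cert() {
    want=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    pem=$(first_cert)
    [ -n "$pem" ] || { echo "no certificate found" >&2; return 1; }
    got=$(printf '%s\n' "$pem" | cert_sha256)
    [ "$got" = "$want" ] || { echo "fingerprint mismatch: $got" >&2; return 1; }
    printf '%s\n' "$pem"
}

# pin_cert EXPECTED_SHA256 REPO_DIR < s_client_output
# Git then trusts only this file for this repository (http.sslCAInfo
# replaces the default bundle); the system CA bundle stays untouched.
pin_cert() {
    repo=$(cd "$2" && pwd) || return 1
    ca_file="$repo/.git/pinned-server.pem"
    verified_cert "$1" > "$ca_file.tmp" || { rm -f "$ca_file.tmp"; return 1; }
    mv "$ca_file.tmp" "$ca_file"
    git -C "$repo" config http.sslCAInfo "$ca_file"
}

# Constructed stand-in for s_client output (filler bytes, not real certs).
sample_output() {
    echo "Certificate chain"
    for name in leaf issuer; do
        echo "-----BEGIN CERTIFICATE-----"
        printf 'constructed %s bytes' "$name" | base64
        echo "-----END CERTIFICATE-----"
    done
}
```
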
