Problem
When accessing a Git server (pushing or pulling new commits), we get an error:
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Analysis
Apparently, the certificate of your Git server is not trusted.
This usually happens if the Git server is using a self-signed SSL certificate, a Let’s Encrypt certificate (which gets renewed at least every 3 months), or simply because the certificate has expired.
BEWARE: This error might also mean that the Git server’s certificate is forged!
Solution
There are basically 3 solutions to this issue:
- Turning off the SSL cert check – fast with a possible security risk
- Appending a certificate to the system wide trusted ones – requires a bit of effort but more proper
- Adding the certificate to the ~/.gitconfig
Solution 1
The first “fast & dirty” solution is simply to disable the SSL certificate check. There are two approaches to achieve this:
First: By setting the GIT_SSL_NO_VERIFY environment variable by executing the following command:
$ export GIT_SSL_NO_VERIFY=true
You can also set this in your shell startup script (e.g. ~/.bashrc in the case of Bash).
Setting GIT_SSL_NO_VERIFY=true will apply to all repos you are using.
If you want to turn off SSL checks only for some repos you can prefix your command with GIT_SSL_NO_VERIFY=true, for example:
$ GIT_SSL_NO_VERIFY=true git remote add
Second: By setting the http.sslVerify config value of the repo to false, like this:
git config http.sslVerify "false"
This will disable SSL certificate check for a specific repo only.
WARNING: By turning SSL checks off you are exposing yourself to a security risk. Your connection will still be SSL encrypted, but Git no longer checks who it is talking to, so a forged SSL certificate will be accepted without any error.
You can also disable SSL checking for all repos:
git config --global http.sslVerify "false"
There is also a -c switch, which passes a specific configuration parameter to git for a single command, for example when cloning a repo:
git -c http.sslVerify=false clone https://example.com/path/to/git
If one wants to disable SSL checks for one specific Git server hosting several repositories, one can run:
git config --global --bool --add http.https://example.com.sslverify false
With --global, this adds the setting to the user’s configuration (~/.gitconfig), so it applies to every repository hosted on that server.
Solution 2
Add the certificate to the list of trusted certificates. Follow these steps:
1. Retrieve the certificate
$ echo -n | openssl s_client -showcerts -connect YOUR_HOST:443
Replace YOUR_HOST with the hostname or IP of your Git server.
2. Copy the certificate from the output, between and including the following enclosing markers:
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
3. Append the certificate to the file:
/etc/ssl/certs/ca-certificates.crt
This file can have other locations too. Determine the location of the ca-certificates.crt file by running:
$ curl-config --ca
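Or, to automate this, create the script shown below. Do not forget to replace YOUR_HOST with the hostname or IP of your Git server in the script.
#!/bin/sh
# Fetch the certificate(s) presented by the Git server and append them
# to the CA bundle used by curl (and therefore by Git).
hostname=YOUR_HOST
port=443
trust_cert_file_location=$(curl-config --ca)
# s_client reads stdin, so feed it /dev/null to make it exit after the handshake.
openssl s_client -showcerts -connect "${hostname}:${port}" </dev/null 2>/dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  | sudo tee -a "${trust_cert_file_location}" >/dev/null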
As a prerequisite you might need to install the libcurl4-openssl-dev package:
$ sudo apt-get install libcurl4-openssl-dev
Solution 3
One can add a certificate to the trusted ones by adding the following to ~/.gitconfig:
[http]
sslCAInfo=/path/to/your/certificate/file.pem
where file.pem must contain a certificate either retrieved as described in Solution 2 or a self-signed one.
Or one can disable certificate verification by adding the following to ~/.gitconfig:
[http]
sslVerify = false
Of course ~ represents the user’s home directory.
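Lastly, one can disable SSL cert checks for a specific server only. A bare sslVerify without a value means true, so verification stays on for every other server: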
[http]
sslVerify
[http "https://example.com"]
sslVerify = false
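Solutions 2 and 3 trust whatever certificate the server presents at the moment it is fetched, which is the situation the BEWARE note in the Analysis warns about. The script below is an added example, not part of the original article: it trusts the certificate only after its SHA-256 fingerprint matches a value obtained from the server administrator over a separate channel, and it scopes the trust to one server through http.<url>.sslCAInfo. The function names and the ~/.git-certs directory are hypothetical, and a self-signed server certificate is assumed.

```shell
#!/bin/sh
# Added example. Function names and ~/.git-certs are hypothetical.

# Normalise a fingerprint: drop colons and spaces, upper-case the hex digits.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'; }

# SHA-256 fingerprint of the first certificate in PEM file $1 (empty on error).
cert_fingerprint() {
    norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)"
}

# Certificates presented by host $1 (port $2, default 443), PEM blocks only.
fetch_chain() {
    openssl s_client -showcerts -servername "$1" -connect "$1:${2:-443}" \
        </dev/null 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# trust_if_match PEM_FILE EXPECTED_FP DEST
# Copy PEM_FILE to DEST only if its fingerprint equals EXPECTED_FP.
# Returns 0 on match, 1 on mismatch, 2 if PEM_FILE holds no readable certificate.
trust_if_match() {
    actual=$(cert_fingerprint "$1")
    [ -n "$actual" ] || { echo "no certificate in $1" >&2; return 2; }
    if [ "$actual" != "$(norm_fp "$2")" ]; then
        echo "fingerprint mismatch, not trusting: $actual" >&2
        return 1
    fi
    cp "$1" "$3"
}

# Usage: sh pin_git_cert.sh HOST EXPECTED_SHA256_FINGERPRINT
if [ "$#" -eq 2 ]; then
    dest="$HOME/.git-certs/$1.pem"
    mkdir -p "$HOME/.git-certs"
    tmp=$(mktemp)
    fetch_chain "$1" > "$tmp"
    if trust_if_match "$tmp" "$2" "$dest"; then
        # Scope the extra trust to this one server instead of the system bundle.
        git config --global "http.https://$1/.sslCAInfo" "$dest"
    fi
    rm -f "$tmp"
fi
```

The expected fingerprint can be produced on the server itself by running openssl x509 -noout -fingerprint -sha256 on its certificate file.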