Problem
When accessing a Git server (pushing or pulling new commits), we get an error:
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Analysis
Apparently, the certificate presented by your Git server is not trusted: it does not chain to a CA in the bundle named in the error (/etc/ssl/certs/ca-certificates.crt).
This can happen if the Git server uses, for example, a Let's Encrypt certificate, which is renewed at least every 3 months.
Solution
There are basically two solutions to this issue: a fast one that carries a security risk, and a second one that requires a bit of effort but is the proper fix.
Solution 1
The first "quick and dirty" solution is simply to disable the SSL certificate check. There are two ways to achieve this:
First: set the GIT_SSL_NO_VERIFY environment variable by executing the following command:
$ export GIT_SSL_NO_VERIFY=true
You can also set this in your shell startup script (e.g. ~/.bashrc in the case of Bash).
Beware: setting GIT_SSL_NO_VERIFY=true in your environment applies to every repository you use.
If you want to turn off SSL checks only for some commands, prefix the command with GIT_SSL_NO_VERIFY=true, for example:
$ GIT_SSL_NO_VERIFY=true git remote add
Second: set the http.sslVerify config value of the repository to false, like this:
$ git config http.sslVerify "false"
Warning: by turning SSL checks off you are exposing yourself to a real security risk. Your connection will still be SSL encrypted, but Git no longer checks who it is talking to, so anyone able to intercept the connection can present a forged certificate and read or alter what you push and pull.
Solution 2
Add the server's certificate to the list of trusted certificates. Follow these steps:
1. Retrieve the certificate
$ echo -n | openssl s_client -showcerts -connect YOUR_HOST:443
Replace YOUR_HOST with the hostname or IP of your Git server.
2. Copy the certificate, including the enclosing lines:
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
3. Append the certificate to the file:
/etc/ssl/certs/ca-certificates.crt
This file can live in other locations too. Determine the location of the CA bundle that curl (and therefore Git) uses by running:
$ curl-config --ca
Or, to automate this, use the script shown below. Do not forget to replace YOUR_HOST with the hostname or IP of your Git server in the script.
#!/bin/sh
hostname=YOUR_HOST   # replace with the hostname or IP of your Git server
port=443
# Ask curl where its CA bundle lives (needs curl-config, see below).
trust_cert_file_location=$(curl-config --ca)
# Fetch the server's certificate chain and append every PEM block to the bundle.
# Note: on Debian/Ubuntu this bundle is regenerated by update-ca-certificates,
# so the appended entry can be lost the next time that runs.
sudo bash -c "echo -n | openssl s_client -showcerts -connect ${hostname}:${port} \
  2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  >> '${trust_cert_file_location}'"
As a prerequisite, you might need to install the libcurl4-openssl-dev package (it provides curl-config):
$ sudo apt-get install libcurl4-openssl-dev
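A variant of the script above, added here as an example and not part of the original post: a Let's Encrypt leaf certificate is reissued roughly every 90 days, so trusting the leaf means repeating the step after every renewal, whereas the issuing CA certificates in the chain change far less often. This script keeps only the issuer certificates from the s_client output and writes them to a separate file that you can hand to Git for one remote via the http.<url>.sslCAInfo setting instead of editing the system bundle; git.example.com and the sample s_client output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: keep only the issuer
# certificates (chain depth 1 and up) from `openssl s_client -showcerts`
# output, so that a short-lived leaf certificate (Let's Encrypt renews
# about every 90 days) is not what lands in your trust store.

# Reads s_client output on stdin and prints the PEM blocks of depth >= 1.
# s_client labels each chain entry " N s:<subject>" just before its PEM.
issuer_certs() {
  awk '
    /^ *[0-9]+ s:/        { depth = $1 + 0 }
    /-BEGIN CERTIFICATE-/ { in_cert = 1 }
    in_cert && depth >= 1 { print }
    /-END CERTIFICATE-/   { in_cert = 0 }
  '
}

# Number of certificates in a PEM file, to sanity-check the result.
count_certs() {
  grep -c -- '-BEGIN CERTIFICATE-' "$1"
}

# Constructed sample imitating s_client -showcerts output; the bodies are
# placeholders, not real certificates, and git.example.com is made up.
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = git.example.com
   i:C = US, O = Example CA, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate
   i:C = US, O = Example CA, CN = Example Root
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = git.example.com'

ca_file="${TMPDIR:-/tmp}/git.example.com-issuers.pem"
printf '%s\n' "$SAMPLE" | issuer_certs > "$ca_file"
# Against a live server, replace the sample with:
#   echo -n | openssl s_client -showcerts -connect YOUR_HOST:443 2>/dev/null
# and then trust the file for that remote only (not system-wide):
#   git config --global http."https://git.example.com/".sslCAInfo "$ca_file"
echo "$(count_certs "$ca_file") issuer certificate(s) written to $ca_file"
```

Check the written file with openssl x509 -noout -subject before trusting it, so you know which CA you are adding.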
Resources
- server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile:
- Git remote and GIT_SSL_NO_VERIFY