Adding self-signed SSL certificate without disabling authority-signed ones

37
votes

I have a corporate git server working through https using self-signed certificate. The local clone contains two remotes — the origin pointing to that server, and another pointing to github. By default pulling from the origin fails:

$ git pull
fatal: unable to access 'https://[email protected]/git/fizzbuzz.git/': SSL certificate problem: self signed certificate

The github remote works fine.

There are two often-suggested solutions:

git config http.sslVerify false

which is a bad idea, and the one suggested at configure Git to accept a particular self-signed server certificate for a particular https remote:

git config http.sslCAInfo <downloaded certificate>.pem

which fixes pulling from origin, but break the github remote:

$ git pull github
fatal: unable to access 'https://github.com/user/fizzbuzz.git/': SSL certificate problem: unable to get local issuer certificate

How to make pulling from the corporate server work without breaking pulling from github?

2
gitsslgithub

2 Answers

69
votes

If you are using Git 1.8.5+ (August 2013), you can specify http directives per URL(!).

In your case:

git config --global http."https://code.example.com/".sslVerify false
#
# or, if not on default 443 port:
#
git config --global http."https://code.example.com:<aPort>/".sslVerify false

That would disable SSL verification only for code.example.com, not for other URLs.

Or:

git config --global http."https://code.example.com/".sslCAInfo <downloaded certificate>.pem

Same idea: sslCAInfo would point to <downloaded certificate>.pem only for code.example.com URLs.

It is possible to add your certificate in the Git system certificate store, which, with git-for-windows, would be in C:\path\to\PortableGit-2.6.1-64-bit\usr\ssl\certs\ca-bundle.crt.
It isn't the best practice, though, unless you have to distribute a Git distro with internal certificates in it.

4
votes

As of v2.5.0 of Git for Windows, the installed certificate file has moved to C:\Program Files (x86)\Git\mingw32\ssl\certs\ca-bundle.crt. You have to add your certs into this file.