Fixing SSL certificate problems: how to locate them and how to handle the common cases

During development you will often run into HTTPS certificate errors when making requests with curl or cloning a remote repository with git. This article collects the common errors and their fixes and is kept up to date; suggestions for better solutions are welcome in the comments.

Background: what is SSL / TLS?

Transport Layer Security (TLS) and its predecessor SSL (Secure Sockets Layer) are the standard protocols for encrypted communication between a client (a web browser, git, curl) and a server. They provide confidentiality, integrity and, through certificates, authentication of the server. Every error discussed below is a failure of that last step: the client cannot confirm that the certificate it was shown belongs to the host it asked for and was issued by a CA it trusts.

How to locate and analyze error messages

Tips: turning on git's debug output helps you track down the real cause of a problem (GIT_CURL_VERBOSE only has an effect for the http/https transport; it prints nothing for ssh remotes)

# On Linux / macOS
export GIT_CURL_VERBOSE=1
export GIT_TRACE_PACKET=1
export GIT_TRACE=1

# On Windows (cmd.exe)
set GIT_TRACE_PACKET=1
set GIT_TRACE=1
set GIT_CURL_VERBOSE=1

# If Python is installed, print the default CA file and directory of the OpenSSL build
# Python links against (on Linux usually the same system OpenSSL that git and curl use);
# this tells you which bundle is actually being consulted
python -c "import ssl; print(ssl.get_default_verify_paths())"

# Use openssl to inspect the chain the server presents. -servername sends SNI so you get
# the right certificate on shared hosts; </dev/null closes the session after the handshake.
# The "Verify return code" line at the end states the same error git/curl will report.
openssl s_client -showcerts -connect git.example.com:443 -servername git.example.com </dev/null

Common problems

Problem: SSL certificate problem: unable to get local issuer certificate

Reason:

The client (git, curl) could not build a chain from the server's certificate to a root it trusts: the certificate is self-signed, or it was issued by a private or corporate CA whose certificate is not in the client's trust store. On Windows this also happens when Git for Windows verifies against the CA bundle shipped with its own OpenSSL rather than the Windows certificate store into which the CA was imported.

Solution:

The quick global workaround is to disable certificate verification. ⚠️ This removes the protection TLS provides: anyone on the network path can present their own certificate and read or modify your traffic (a man-in-the-middle, MitM, attack), including the credentials git sends. Use it only to confirm the diagnosis, and prefer supplying the CA bundle as described further down.

# Git-wide options
# http.sslBackend: name of the SSL backend to use ("openssl" or "schannel").
# "schannel" makes Git for Windows verify against the Windows certificate store, so a CA
# imported there (e.g. by corporate policy) is trusted without editing any bundle file.
# The option is ignored if cURL lacks support for choosing the SSL backend at runtime.
git config --global http.sslBackend schannel

# or
# http.sslVerify: enable/disable verification of the server certificate used by the SSL/TLS connection.
# ⚠️ Do NOT do this globally: every HTTPS remote becomes open to a man-in-the-middle.
git config --global http.sslVerify false

# The same can be done per command through an environment variable, which at least
# limits the exposure to that single operation
GIT_SSL_NO_VERIFY=true git clone https://username@git.example.com/scm/repository.git

# Git config option reference: https://git-scm.com/docs/git-config

If you can obtain the certificate of the CA that issued the server's certificate (for a self-signed server certificate, that is the server certificate itself), tell git where that CA bundle lives instead of disabling verification:

# Git needs the CA in PEM format. If you were handed a binary DER file, add "-inform DER";
# for a PEM input this command simply re-emits the certificate as PEM.
# openssl-x509, x509 - Certificate display and signing utility
# https://www.openssl.org/docs/man1.0.2/man1/x509.html
openssl x509 -in certificate.pem -out certificate.crt
# --system writes /etc/gitconfig and needs admin rights; use --global for a per-user setting
git config --system http.sslCAInfo /path/certificate.crt

# Alternatively, edit .gitconfig directly (no reinstall of git is needed; the setting takes
# effect on the next command) and scope the CA to the affected host only
git config --global -e

[http "https://your.domain.com"]
  # MUST be PEM format.
  # sslCAInfo names one bundle file; sslCAPath names a directory of CA certificates
  # indexed by subject hash (run "openssl rehash" or "c_rehash" on it).
  # Some setups require both.
  sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
  sslCAPath = /path/to/selfCA/
  sslVerify = true

  # Only needed when the server demands a client certificate (mutual TLS).
  # Must be PEM and contain a BEGIN CERTIFICATE / END CERTIFICATE block,
  # not just BEGIN PRIVATE KEY / END PRIVATE KEY, for Git to recognise it.
  sslCert = /path/to/privatekey/myprivatecert.pem

  # Controls who prompts for the key passphrase: set to true and Git asks for one every
  # time, even when the key is not encrypted; leave it false and OpenSSL prompts on its
  # own, possibly more than once, if the key is encrypted.
  sslCertPasswordProtected = 0

Tips: a CA bundle is a PEM file holding the root certificate and any intermediate certificates; together with the server's own certificate it forms the complete chain. The public bundle that cURL extracts from Mozilla's trust store can be downloaded from curl.se/docs/caextract.html; for a private CA you need the bundle your CA operator publishes.

How to create a self-signed certificate is not described here.

Other client programs hit the same problem (pip, conda, node, PHP's curl extension) and the fix follows the same idea: give the client the CA bundle rather than turning verification off. Node, for example, reads additional CAs from the NODE_EXTRA_CA_CERTS environment variable, and for PHP's curl extension the bundle goes into CURLOPT_CAINFO.

# PHP curl extension: this disables peer verification entirely (same risk as http.sslVerify=false)
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);

# python package manager: trust the given bundle
pip config set global.cert path/to/ca-bundle.crt

# conda package manager: trust the given bundle
conda config --set ssl_verify path/to/ca-bundle.crt

In rarer cases the error is caused by a firewall, anti-virus product or corporate proxy that intercepts TLS and re-signs the server's certificate with its own CA. Temporarily disabling the software confirms the diagnosis; the proper fix is to import that product's CA into the bundle git uses (http.sslCAInfo, or http.sslBackend schannel on Windows so that git consults the Windows certificate store, where such CAs are usually installed).

Related problem: fatal: unable to access 'https://company.domain/project.git': SSL certificate problem: certificate has expired

If this started after 30 September 2021, you are probably affected by the expiry of Let's Encrypt's old cross-signing root, DST Root CA X3. Let's Encrypt chains still include the expired root for the benefit of old Android devices; modern TLS stacks ignore it and build a path to ISRG Root X1 instead, but older ones (notably OpenSSL 1.0.2 and anything linked against it, such as an old git or curl) pick the expired path and fail. The server certificate itself is usually fine, so the fix is on the client: remove DST Root CA X3 from the trust store and make sure ISRG Root X1 is present. The following methods can be tried.

# Debian/Ubuntu: edit /etc/ca-certificates.conf and disable the root by prefixing its line with "!"
!mozilla/DST_Root_CA_X3.crt

# Or do the same from the command line
sudo sed -i -e 's/mozilla\/DST_Root_CA_X3\.crt/!mozilla\/DST_Root_CA_X3\.crt/g' /etc/ca-certificates.conf

# Then rebuild /etc/ssl/certs. update-ca-certificates honours the "!" entry; deleting the
# file under /usr/share/ca-certificates is optional and may be undone by the next
# ca-certificates package upgrade
sudo rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
sudo update-ca-certificates
  • On macOS 10.13.6 (High Sierra) and later, cURL (and therefore git) rely on /etc/ssl/cert.pem for root certificates; you can remove the DST Root CA X3 entry from that file manually.
  • If you run certbot on the server side, upgrade it to the latest version and renew with the ISRG Root X1 chain so that clients no longer receive the expired root:
sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"

On Windows, upgrading Git for Windows to the latest version (which ships a current OpenSSL and CA bundle) usually resolves the problem.
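Before editing ca-certificates.conf it is worth knowing which certificates in a bundle are actually expired or close to it, rather than guessing from the error. The script below is an added example, not part of the original article: it splits a PEM bundle into its individual certificates and reports subject, expiry date and a status for each, using openssl x509 -checkend so that roots about to expire can be caught ahead of the cut-off. The bundle it runs on is constructed for the demo (one long-lived self-signed root and one that expires within a day, standing in for a root such as DST Root CA X3); the names are made up, and the script assumes openssl, awk and sed on PATH.

```shell
#!/bin/sh
# Added example (not from the original article): list expired or soon-to-expire
# certificates in a PEM CA bundle. Assumes openssl, awk and sed on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
BUNDLE="$WORK/bundle.pem"

# Constructed test bundle: a 10-year self-signed root and a 1-day one
# (stand-in for an expired root). Names are made up for the demo.
make_test_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Long-Lived Test Root" \
    -keyout "$WORK/good.key" -out "$WORK/good.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Nearly-Expired Test Root" \
    -keyout "$WORK/old.key" -out "$WORK/old.pem" 2>/dev/null
  cat "$WORK/good.pem" "$WORK/old.pem" > "$BUNDLE"
}

# scan_bundle FILE [SECONDS]
# Prints "subject|notAfter|STATUS" per certificate; STATUS is EXPIRING when the
# certificate expires within SECONDS (0 = already expired right now), else ok.
scan_bundle() {
  bundle="$1"; window="${2:-0}"
  rm -f "$WORK"/cert-*.pem
  # Split the bundle into one file per certificate.
  awk -v dir="$WORK" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
  for c in "$WORK"/cert-*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
    end=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
    if openssl x509 -in "$c" -noout -checkend "$window" >/dev/null; then
      status=ok
    else
      status=EXPIRING
    fi
    printf '%s|%s|%s\n' "$subj" "$end" "$status"
  done
}

# count_expiring FILE [SECONDS]: number of certificates flagged EXPIRING.
count_expiring() {
  scan_bundle "$1" "${2:-0}" | grep -c '|EXPIRING$' || true
}

make_test_bundle
echo "--- expired right now ---"
scan_bundle "$BUNDLE" 0
echo "--- expiring within 48 hours ---"
scan_bundle "$BUNDLE" 172800
```

Run `scan_bundle /etc/ssl/certs/ca-certificates.crt 0` (Debian/Ubuntu) or `scan_bundle /etc/ssl/cert.pem 0` (macOS) to see which entries in the real trust store are already past their notAfter date; any root listed there is a candidate for the "!" treatment in ca-certificates.conf shown above, and a non-zero window lets you plan the removal before the date rather than after clones start failing.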

Relevant information

This article is published under the CC BY 4.0 license; you are welcome to reproduce, modify or reuse it, provided you credit the source.

Author: Lone God / freedom Engineer
Article backup address (keep updated): whycode.yousails.com/d/1-ssl-certi...

Keywords: SSL devtools

Added by calumstevens on Sat, 30 Oct 2021 15:12:42 +0300