During the development process, you may often encounter some https certificate related errors when using curl to request or git to clone the remote warehouse. We have sorted out some common errors and the summary of solutions to keep them updated. You are also welcome to provide other better solutions in your comments.
Knowledge supplement: what is SSL / TLS?
Transport Layer Security (TLS) and its predecessor, SSL (Secure Sockets Layer), are between the client (Web browser) and the server (Web sever) 🔐 The security standard protocol of encrypted communication aims to provide security and data integrity guarantee for Internet communication. At present, it has become the industrial standard of Internet confidential communication.
SSL latest technology application trend and suppliers( SSL certificate authority )Market distribution, You can click to view.
SSL certificate online check tool: What's My Chain Cert? | SSL Certificate Checker - Diagnostic Tool | DigiCert.com
If you want to build a free SSL certificate for the Server site, you can consider using Let's Encrypt: Let's Encrypt | Certbot
How to locate and analyze error messages
Tips: setting the debug mode helps you track and locate the real cause of specific problems (GIT_CURL_VERBOS is only valid under the http/s Transport Protocol)
# On Linux export GIT_CURL_VERBOSE=1 export GIT_TRACE_PACKET=1 export GIT_TRACE=1 # On Window set GIT_TRACE_PACKET=1 set GIT_TRACE=1 set GIT_CURL_VERBOSE=1 # If python is installed on the current machine, you can quickly check the certificate path to help locate and solve the problem python -c "import ssl; print(ssl.get_default_verify_paths())" # Use openssl to check the certificate status of the site openssl s_client -showcerts -connect
common problem
Problem: SSL certificate problem: unable to get local issuer certificate
reason:
If the self signed certificate cannot be authenticated, client programs such as git or curl cannot trust the server's certificate, and in the Window environment, such problems will occur due to the problem of environment configuration.
Solution:
In case of such problems, the temporary global solution is to disable certificate verification, ⚠️ Be aware that this approach has potential security risks (may trigger man in the middle attacks MitM attacks).
# Global processing measures using git operations # http.sslBackend: Name of the SSL backend to use (e.g. "openssl" or "schannel"). # This option is ignored if cURL lacks support for choosing the SSL backend at runtime. git config --global http.sslBackend schannel # perhaps # http.sslVerify: A boolean to enable/disable verification of the server certificate used by the SSL/TLS connection. # ⚠️ Do NOT do this! git config --global http.sslVerify false # You can also directly set environment variables to run git operations GIT_SSL_NO_VERIFY=true git clone https://username@git.example.com/scm/repository.git # Git Config Option Ref: https://git-scm.com/docs/git-config
If you can get the certificate.pem file from the server, you can try to tell the git program the location of the CA (Certificate Authority) bundle file to solve the problem:
# Convert the file into the X.509 format # openssl-x509, x509 - Certificate display and signing utility # https://www.openssl.org/docs/man1.0.2/man1/x509.html openssl x509 -in certificate.pem -out certificate.crt git config --system http.sslCAInfo /path/certificate.crt # Alternatively, you can modify the configuration item of. gitconfig and reinstall git git config --global -e [http "https://your.domain.com"] # MUST be PEM format # Some situations require both the CAPath AND CAInfo sslCAInfo = /path/to/selfCA/self-signed-certificate.crt sslCAPath = /path/to/selfCA/ sslVerify = true # Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE, # not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it. sslCert = /path/to/privatekey/myprivatecert.pem # Even if your PEM file is password protected, set this to false. # Setting this to true always asks for a password even if you don't have one. # When you do have a password, even with this set to false it will prompt anyhow. sslCertPasswordProtected = 0
Tips: CA bundle is a file containing root certificate and intermediate certificate. It forms a complete certificate chain with the actual certificate file. The bundle file can be obtained in the following ways: cURL: curl.se/docs/caextract.html
How to obtain a self signed certificate is not described here.
Other client programs will encounter similar problems, such as pip / conda / node. You can try to solve them with similar ideas:
# curl code:
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
# python package
pip config set global.cert path/to/ca-bundle.crt
# conda package
conda config --set ssl_verify path/to/ca-bundle.crtIn addition, in some rare cases, this problem will also occur when it is prohibited by firewall or anti-virus. You can try to close these software to verify whether it can be solved.
Related questions: fatal: unable to access‘ https://company.domain/project.git': SSL certificate problem: certificate has expired
If you encounter this problem after September 2021, you may be affected by Let's Encrypt DST Root CA X3 Expiration (September 2021) The following methods can be tried to solve the problem.
- Ubuntu 14.04 LTS (Trusty Tahr) or Ubuntu 16.04.6 LTS (Xenial Xerus) operating environment:
# Edit the file / etc/ca-certificates.conf, find the certificate and comment !mozilla/DST_Root_CA_X3.crt # Or direct command line processing sudo sed -i -e 's/mozilla\/DST_Root_CA_X3\.crt/!mozilla\/DST_Root_CA_X3\.crt/g' /etc/ca-certificates.conf # Run the command after saving the file sudo rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt sudo update-ca-certificates
- Mac OS X 10.13.6 (High Sierra) above, cURL (and thereforegit) rely on / etc/ssl/cert.pem to handle root certificate authentication. You can manually remove DST Root CA X3
- If you use certbot, you also need to upgrade to the latest version. renew the site certificate to remove the potential problems of DST Root CA X3
sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"
In the Window environment, you can try to Upgrade git to the latest version , will solve the problem.
Relevant information
- KSE Manual - User Interface Overview
- Git for Windows: SSL certificate problem: certificate has expired
- DST Root CA X3 Expiration (September 2021) - Let's Encrypt
This article uses "CC by 4.0" License Agreement , you are welcome to reprint, modify or use again, but you need to indicate the source.
Author: Lone God / freedom Engineer
Article backup address (keep updated): whycode.yousails.com/d/1-ssl-certi...