sto*_*tic 23 apache git ssl redmine
我有一个网站,我用来托管redmine和几个git存储库
这适用于http,但我不能用https克隆,即
git clone http://mysite.com/git/test.git
工作正常,但是
git clone https://mysite.com/git/test.git
失败
奇怪的是,https似乎适用于我测试的其他所有内容.如果我打开
https://mysite.com/git/test.git
在浏览器中(在chrome和firefox中测试),我没有错误或警告.我还可以
curl https://mysite.com/git/test.git
wget https://mysite.com/git/test.git
两者都没有投诉或警告.
这是git的详细输出:
$ GIT_CURL_VERBOSE=1 git clone https://user@mysite.com/test/test.git
Cloning into test...
Password:
* Couldn't find host mysite.com in the .netrc file; using defaults
* About to connect() to mysite.com port 443 (#0)
* Trying 127.0.0.1... * Connected to mysite.com (127.0.0.1) port 443 (#0)
* found 157 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection #0
* Couldn't find host mysite.com in the .netrc file; using defaults
* About to connect() to mysite.com port 443 (#0)
* Trying 127.0.0.1... * Connected to mysite.com (127.0.0.1) port 443 (#0)
* found 157 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection #0
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://user\
@mysite.com/test/test.git/info/refs
fatal: HTTP request failed
以下是curl的详细输出,个人信息已更改:
* About to connect() to mysite.com port 443 (#0)
* Trying 127.0.0.1... connected
* Connected to mysite.com (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: C=US; <... cut my certs info ...>
* start date: 2011-10-18 00:00:00 GMT
* expire date: 2013-10-17 23:59:59 GMT
* subjectAltName: mysite.com matched
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO High-Assurance Secure Server CA
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: mysite.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 18 Oct 2011 21:39:54 GMT
< Server: Apache/2.2.14 (Ubuntu)
< Last-Modified: Fri, 14 Oct 2011 03:20:01 GMT
< ETag: "8209c-87-4af39bb89ccac"
< Accept-Ranges: bytes
< Content-Length: 135
< Vary: Accept-Encoding
< Content-Type: text/html
< X-Pad: avoid browser bug
<
<p>Welcome to the mysite.com<p/>
* Connection #0 to host mysite.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
我能看到的唯一区别是,当curl使用整个目录时,git似乎使用了显式CA文件?我是ssl的新手(至少在管理员方面),所以我不确定这意味着什么,或者我如何配置git以与curl相同的方式工作.
我在Ubuntu 10.04上使用git 1.7.5.4和apache 2.2.14.我尝试从3个不同的Linux主机(包括服务器本身的另一个帐户)进行克隆,但没有任何效果.
我还使用openssl工具在服务器上验证我的证书:
$openssl verify -purpose sslserver -CAfile chain.crt signed.pem
signed.pem: OK
这可能与错误https://bugs.maemo.org/show_bug.cgi?id=4953有关,但它似乎有所不同,因为我没有在任何其他程序中收到任何警告或错误.
值得一提的是,我使用gitolite和redmine_git_hosting使用智能http通过https进行身份验证.我不认为这有任何问题,因为即使我只是在/ var/www中使用其他工作的裸仓库并直接访问它,问题仍然存在.此外,git over ssh(有和没有gitolite)工作.
如果您知道可能出现的问题,或者您想了解更多信息,请与我们联系.我真的更喜欢让ssl正常工作,而不是强迫所有人在git中禁用证书检查,尽管这是当前的解决方法.
感谢您阅读这篇长篇文章!
sto*_*tic 17
事实证明这是一个gnuTLS问题.gnuTLS是对订单敏感的,而openssl则不是.我在我的中间证书文件中重新订购了证书,问题就消失了
Pet*_*ark 11
XCondE的答案将解决这个问题,但关闭安全警告总是一个坏主意.如果您在ubuntu框上运行,则问题可能是您的Web服务器的CA证书不在/etc/ssl/certs/ca-certificates.crt文件中.我遇到了一个托管在Web服务器上的git服务器,其中包含由www.incommon.org签名的SSL证书.
您可以将中间证书添加到ca-certificates文件中,如下所示:
wget http://cert.incommon.org/InCommonServerCA.crt
openssl x509 -inform DER -in InCommonServerCA.crt -out incommon.pem
cat /etc/ssl/certs/ca-certificates.crt incommon.pem > ca-certs2.crt
sudo cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak
sudo cp ca-certs2.crt /etc/ssl/certs/ca-certificates.crt
关于幕后发生的事情有一个很好的讨论:http: //curl.haxx.se/docs/sslcerts.html
| 归档时间: |
|
| 查看次数: |
28856 次 |
| 最近记录: |