16

I installed my own git server on a distant machine with SSL.

When I use this command:

env GIT_SSL_NO_VERIFY=true git clone https://xxx.xxx.xxx.xxx/git/project.git

All is fine, and with env GIT_SSL_NO_VERIFY=true all git commands work fine.

But I need to pull and push with the NetBeans IDE, and with the NetBeans IDE I cannot add this:

env GIT_SSL_NO_VERIFY=true

So NetBeans says:

Cannot connect to the remote repository at https://xxx.xxx.xxx.xxx/git/project.git

What do I need to do?

3 Answers

33

You could do this (from the git-config manual page):

git config --global http.sslVerify false

But what's the point of having it on an https server if the certificate won't properly validate?

10
  • I tried this, but NetBeans is always the same: it can't pull or fetch repos
    – RaKoDev
    Commented Sep 23, 2012 at 10:19
  • 1
    One good reason for using this option is to use it as a workaround, while the server admin fixes the server certificate :D
    – Matthias B
    Commented Dec 19, 2012 at 11:28
  • 1
    Or, for smaller devs who run simple server setups behind a VPN, a signed cert is overkill.
    Commented Mar 26, 2013 at 19:41
  • @Chase, why wouldn't you just use HTTP then? Security by obscurity because you don't want casual observers to know the URLs of your repositories? (If they knew nobody was checking the certificate, they could just launch a MitM attack to find out that info.)
    – mpontillo
    Commented Mar 26, 2013 at 19:55
  • 1
    @user1261959 buzzwords aside (pfsense and squid really aren't relevant here), it really depends on your threat model. But anyone with access to your network and the skills and motivation could intercept or change the traffic between your git server and whoever is pulling/pushing from it in this way. Think about it; they could send traffic to their own server and deliver a certificate signed by whoever they want, and the client would trust it! Then they could talk to the real server themselves on your behalf, and you might not even detect the intrusion.
    – mpontillo
    Commented Dec 23, 2015 at 6:31
7

If the https server uses a self-signed certificate, save it to your local machine's hard disk (in .crt format), and add this to .git/config for the relevant working copy

[http]
        sslCAInfo=/path/to/your-server-certificate.crt

That will make it always expect that certificate when connecting to the https server in question, and not otherwise.

7
  • Yeah, I like this solution better since it doesn't subvert the entire purpose of https. The whole concept of GIT_SSL_NO_VERIFY just seems wrong. You might as well just put your source code on a plain http:// server if you aren't going to validate the certificate.
    – mpontillo
    Commented Sep 22, 2012 at 8:34
  • I generated my certificate on the server like this: openssl req $@ -new -x509 -days 1460 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.key. I copied and pasted /etc/apache2/ssl/apache.pem into this file: /home/www/mycert.crt. In my local repo I tried to add this: [http] sslCAInfo=/home/www/mycert.crt. But with NetBeans I can't pull or fetch repos :(
    – RaKoDev
    Commented Sep 23, 2012 at 10:17
  • I don't know for sure that this is your problem, but, PEM and CRT are different formats, and I think Git insists on CRT. You can convert it like so: openssl x509 -in /etc/apache2/ssl/apache.pem -inform PEM -out /home/www/mycert.crt -outform DER. (Do that instead of copying the file over.) Then test it by doing git fetch from the command line in the repo that you want to use Netbeans with. If that works and netbeans still doesn't, I am out of ideas.
    – zwol
    Commented Sep 23, 2012 at 13:26
  • If I set http.sslVerify false, then will the connection be secure? And is it a good path to use? In between we are using a pfSense firewall
    Commented Dec 22, 2015 at 12:44
  • @user1261959 No and no. Do not do that.
    – zwol
    Commented Dec 22, 2015 at 13:17
0

Agreed with other posters that GIT_SSL_NO_VERIFY or other means of preventing certificate verification is not the right solution. The best solution only takes a few seconds to implement, and is found in this answer: https://stackoverflow.com/a/8467406/994153 It involves downloading the certificate .pem file and setting the Git configuration variable http.sslCAinfo to point to the file.

2
  • If I set http.sslVerify false, then will the connection be secure? And is it a good path to use? In between we are using a pfSense firewall
    Commented Dec 22, 2015 at 12:46
  • If you set sslVerify to false, then the connection is insecure, losing all guarantee of confidentiality and integrity.
    Commented Dec 22, 2015 at 19:42
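
The per-repository certificate pin recommended in the second and third answers, as an added shell example that is not part of the original thread: one function reports whether Git would skip certificate verification, the other sets http.sslCAInfo only after the file parses as PEM, the encoding Git's HTTPS backend expects for that setting. The function names are hypothetical, and only the generic http.sslVerify key is inspected.

```shell
# Added example; function names are hypothetical, not Git or NetBeans commands.

# Succeeds (exit 0) if Git would skip TLS certificate checks for repo $1.
tls_verify_disabled() {
    repo=$1
    # Git tests only whether the variable exists: even "false" disables checks.
    if [ -n "${GIT_SSL_NO_VERIFY+set}" ]; then
        return 0
    fi
    # Effective value across system, global and repo config (last one wins).
    # Assumption: URL-scoped http.<url>.sslVerify keys are not inspected here.
    v=$(git -C "$repo" config --bool --get http.sslVerify 2>/dev/null) || return 1
    [ "$v" = "false" ]
}

# Trust certificate file $2 for repo $1 only, and drop a repo-local
# http.sslVerify override that would make the pin meaningless.
pin_server_cert() {
    repo=$1
    cert=$2
    # openssl reads PEM by default, so a DER file or a broken paste fails here.
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null) || {
        echo "rejecting $cert: not a PEM-encoded X.509 certificate" >&2
        return 1
    }
    # Compare this with the fingerprint computed on the server itself.
    echo "pinning $fp" >&2
    abs=$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")
    git -C "$repo" config http.sslCAInfo "$abs" || return 1
    git -C "$repo" config --unset-all http.sslVerify 2>/dev/null || true
}
```

A global or system-level http.sslVerify=false is left in place by pin_server_cert, so tls_verify_disabled still reports it after pinning.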
