服务器证书验证失败。CAfile:/etc/ssl/certs/ca-certificates.crt文件:无
我可以使用ssh推送克隆项目,但当我使用https克隆项目时,它不起作用 显示给我的错误消息是:服务器证书验证失败。CAfile:/etc/ssl/certs/ca-certificates.crt文件:无,certificate,ssl-certificate,gitlab,Certificate,Ssl Certificate,Gitlab,我可以使用ssh推送克隆项目,但当我使用https克隆项目时,它不起作用 显示给我的错误消息是: server certificate verification failed. CAfile: /etc/ssl/certs/cacertificates.crt CRLfile: none TLDR: hostname=XXX port=443 trust_cert_file_location=`curl-config --ca` sudo bash -c "echo -n | op
server certificate verification failed. CAfile: /etc/ssl/certs/cacertificates.crt CRLfile: none
hostname=XXX
port=443
trust_cert_file_location=`curl-config --ca`
sudo bash -c "echo -n | openssl s_client -showcerts -connect $hostname:$port -servername $hostname \
2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
>> $trust_cert_file_location"
在没有尽职调查的情况下,盲目地将所有(任何)证书添加到您的trustStore不是最好的做法
长答案 基本原因是您的计算机不信任签署Gitlab服务器上使用的证书的证书颁发机构。这并不意味着证书可疑,但它可以是自签名的,也可以是由不在操作系统CA列表中的机构/公司签名的。如果你没有任何理由怀疑这个证书,你要做的就是告诉它信任这个证书 您需要检查用于gitLab服务器的web证书,并将其添加到
/bin/curl ca bundle.crtexport GIT_SSL_NO_VERIFY=1
#or
git config --global http.sslverify false
要获取该证书(您需要将其添加到
curl ca bundle.crtyourserver.comYourHttpsGitlabPort443-servername加上: 要识别
curl ca bundle.crt另外,请参阅我最近的答案“”:您可能必须重新注册所有这些证书:
sudo apt-get install --reinstall ca-certificates
sudo mkdir /usr/local/share/ca-certificates/cacert.org
sudo wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
sudo update-ca-certificates
git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
export GIT_SSL_NO_VERIFY=1
它适用于我,我正在使用Linux系统。此问题的另一个原因可能是您的时钟可能已关闭。证书对时间敏感 要检查当前系统时间,请执行以下操作:
date -R
您可以考虑安装,以自动同步系统时间与可信互联网时间服务器。例如,要在Debian/Ubuntu上安装:
apt-get install ntp
应该告诉你问题出在哪里。在我的例子中,这是因为cURL在针对NSS构建时不支持PEM证书,因为该支持不是NSS()中的主线。也有同样的问题。由自颁发的证书颁发机构引起。 通过将.pem文件添加到/usr/local/share/ca certificates/ 和呼唤
sudo update-ca-certificates
PS:pem文件在文件夹中。/share/ca证书必须有扩展名.crt我刚刚遇到了git存储库的同样问题,它总是适合我。问题是我通过公共WiFi访问它,在第一次连接时重定向到一个专属门户(例如显示广告和同意tos)。我在设置goagent代理时弄乱了CA文件。无法从github提取数据,并收到相同的警告: 服务器证书验证失败。CAfile:/etc/ssl/certs/ca-certificates.crt文件:无 使用Vonc的方法,从github获取证书,并将其放入/etc/ssl/certs/ca-certificates.crt,问题得到解决 echo-n | openssl s|u client-showcerts-connect github.com:443 2>/dev/null | sed-ne'/-BEGIN CERTIFICATE-/,/-END certicate-/p'
我在Raspberry pi 2上安装了Xubuntu,随着时间的推移发现了相同的问题,因为NTP和自动服务器同步已关闭(或未安装)。获得NTP
sudo apt-get install ntp
并将“时间和日期”从“手动”更改为“与Internet服务器保持同步”无需将git ssl验证设置为false。这是由于系统没有所有CA颁发机构证书而导致的。大多数拥有正版SSL证书的人缺少中间证书 只需将中间证书的完整文本(缺少CA和中间证书的整个链)添加到 无需运行
更新ca证书最后:推送成功:一切都是最新的检查您的系统时钟
$date$apt get install ntp最后再次输入clone命令。最后,将http.sslverify添加到.git/config中
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = https://server/user/project.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
[http]
sslVerify = false
或者只需运行此注释即可将服务器证书添加到数据库中:
echo$(echo-n | openssl s|u client-showcerts-connectyourserver.com:yourtpgilabport 2>/dev/null | sed-ne'/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p')>/etc/ssl/certs/ca-certificates.crt
然后再次执行git克隆。如果您在专用网络中使用git服务器,并且使用自签名证书或IP地址上的证书;您也可以简单地使用git全局配置来禁用ssl检查:
git config --global http.sslverify "false"
将证书和捆绑包复制到一个.crt文件中,并确保文件中的证书之间有一个空行
在尝试了互联网上的一切之后,我在GitLab服务器上成功了。我在终端上解决了这个问题(Ubuntu 18.04):
我有两块证书块。我将证书块复制到我的证书文件中,以
/etc/ssl/certs/ca certificates.crtGIT_CURL_VERBOSE=1 git [clone|fetch]…
sudo update-ca-certificates
sudo apt-get install ntp
sudo gedit /etc/ssl/certs/ca-certificates.crt
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = https://server/user/project.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
[http]
sslVerify = false
git config --global http.sslverify "false"
openssl s_client -showcerts -servername www.github.com -connect www.github.com:443
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
mkdir -p /etc/ssl/certs
chmod u+rwx,go+rx /etc/ssl /etc/ssl/certs
mkdir /etc/ssl/certs/java
chmod u+rwx,go+rx /etc/ssl/certs/java
update-ca-certificates
openssl s_client -showcerts -servername git.mycompany.com -connect git.mycompany.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem
cat git-mycompany-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt
stderr fatal: unable to access server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt
-----BEGIN CERTIFICATE-----
blahblha
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blahblha
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blahblha
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blahblha
-----END CERTIFICATE-----
echo -n | openssl s_client -showcerts -servername www.github.com -connect www.github.com:443 2>/dev/null | tac | awk '/-END CERTIFICATE-/{f=1} f;/-BEGIN CERTIFICATE-/{exit}' | tac | openssl x509 -noout -subject -issuer
subject=C = US, O = "DigiCert, Inc.", CN = DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
sudo mv <downloaded.crt.pem> /usr/local/share/ca-certificates/<downloaded.crt>
sudo update-ca-certificates
echo -n | openssl s_client -showcerts -connect yourserver.com:YourHttpsGitlabPort 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> /c/Program\ Files/Git/mingw64/ssl/certs/ca-bundle.trust.crt
$ git config --global http.sslBackend schannel
$ git config --global http.sslverify true