pgerken

How to embed self signed certs and how to avoid not verifying https URLs with git

Working with self-signed certificates can be hard. Here is how you can avoid forgoing certificate validation in git when a server uses a self-signed certificate.

One of our clients has high demands on the protection of its data and code.

They run their own, self-hosted git server, and it is only accessible via https.

The original suggestion to make it work was to deactivate SSL certificate validation on our computers. Luckily, git allows for a simpler solution, even though it's not straightforward to get there.

First, you need the certificate (public key) of the certification authority that signed the SSL key the server uses. A self-signed certificate is its own certification authority. The proper way would be to ask the client to provide the certificate via a secure channel. The improper way is to just download the certificate from the server. Improper, because how do you know it is the right certificate? It is still better than not doing certificate validation at all.

Getting the certificate the insecure way

You can ask a webserver to return its certificate and CA certificates with openssl:

openssl s_client -showcerts -connect yourserver:443 </dev/null

This returns a lot of data, and you don't want all of it: only the last block that starts with "BEGIN CERTIFICATE" and ends with "END CERTIFICATE". Here is the same command with a pipe to a little awk script that does just that:

openssl s_client -showcerts -connect yourserver:443 </dev/null | awk '/-----BEGIN CERTIFICATE-----/ {start=1; cert=""};/-----END CERTIFICATE-----/ {start=0; cert=cert $0; };{if (start) cert=cert $0 "\n"}; END {print cert}' > yourserver.pem

Now that we have the certificate, we must teach git to use it.

We can teach git to use the certificate, but if we set it globally we would no longer be using the standard CA certificates, because sslCAInfo replaces the default CA bundle instead of extending it. So we only use the certificate for specific repositories.

While we can easily modify the configuration for a specific git checkout, we must first check it out.

How to use the new certificate with git

To bootstrap git, you enter:

GIT_SSL_CAINFO=yourserver.pem git clone https://YOURSERVER.../

Now we can add the specific entry to the configuration at the end of PROJECT/.git/config:

[http]
    sslCAInfo = /home/mememe/project/yourserver.pem

Please be aware that you must enter the full path.

Now you are done and can securely use git pull and push.
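As an added example (this is not code from the original post), here is the whole procedure above as a small POSIX shell script. It keeps the last certificate block from the openssl output (with -showcerts the server certificate comes first and any chain certificates after it, so for a self-signed server that last block is the server's own certificate), then refuses to continue unless the certificate's SHA-256 fingerprint matches a value you obtained from the server's administrator over a trusted channel, which is the check that turns the "insecure way" back into a verified one. It then clones with GIT_SSL_CAINFO and pins the absolute path in the checkout's own config. It also shows git's per-URL form of the same setting, http.<url>.sslCAInfo, which leaves the default CA bundle in place for every other host. The host name, repository URL, file names and the expected fingerprint are placeholders; openssl and git are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original post: pin a server's self-signed
# certificate for one git checkout, with an out-of-band fingerprint check
# before trusting it. Assumes openssl and git are installed. Host name,
# repository URL, file names and the expected fingerprint are placeholders.
set -eu

# Keep only the last PEM certificate block from "openssl s_client -showcerts"
# output read on stdin. The server certificate comes first and any chain
# certificates after it, so for a self-signed server this is the only block.
extract_last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {inblock=1; cert=""}
         inblock {cert=cert $0 "\n"}
         /-----END CERTIFICATE-----/ {inblock=0}
         END {printf "%s", cert}'
}

# SHA-256 fingerprint of a PEM certificate file (colon-separated uppercase hex,
# as openssl prints it), for comparing with the value the server's
# administrator gives you over a trusted channel.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Absolute path of a file name, because git's http.sslCAInfo needs a full path.
abs_path() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")" ;;
    esac
}

# The full procedure for one server and one checkout:
#   1. fetch the certificate the insecure way and save it next to the checkout,
#   2. stop unless its fingerprint matches the one obtained out of band,
#   3. clone with the CA file, then pin it in the repository's own config.
pin_and_clone() {
    server="$1"     # placeholder, e.g. git.example.invalid
    repo_url="$2"   # placeholder, e.g. https://git.example.invalid/project.git
    expected="$3"   # placeholder fingerprint obtained from the administrator
    pem="$(abs_path "$server.pem")"

    openssl s_client -showcerts -connect "$server:443" </dev/null 2>/dev/null \
        | extract_last_cert > "$pem"

    actual="$(cert_fingerprint "$pem")"
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $server: got $actual" >&2
        rm -f "$pem"
        return 1
    fi

    GIT_SSL_CAINFO="$pem" git clone "$repo_url"
    # Same effect as appending "[http] sslCAInfo = /full/path" to .git/config.
    git -C "$(basename "$repo_url" .git)" config http.sslCAInfo "$pem"
}

# Alternative that leaves other hosts untouched: git scopes http.* settings to
# a URL prefix (http.<url>.sslCAInfo), so the default CA bundle still applies
# everywhere else and no per-checkout edit is needed.
pin_for_url() {
    git config --global "http.https://$1/.sslCAInfo" "$(abs_path "$2")"
}

# Only run the network part when explicitly requested, e.g.
#   PIN_RUN=1 sh pin.sh git.example.invalid https://git.example.invalid/project.git 'AB:CD:...'
if [ "${PIN_RUN:-0}" = 1 ]; then
    pin_and_clone "$@"
fi
```

The fingerprint comparison is the important part: downloading the certificate only tells you what the server presented at that moment, while the fingerprint from the administrator tells you whether that is the server you meant to trust. Compare the two in the same form openssl prints (uppercase hex with colons), and when a mismatch appears, treat the downloaded file as untrusted rather than pinning it anyway.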

How to use it with mr.developer

Bootstrapping a buildout with mr.developer can be done with the same prefix as for the git clone. Unfortunately, it will NOT work if you have mixed git repositories and need more certificates, for example for GitHub https URLs. You can work around that by downloading the GitHub certificate too and appending it to the existing pem file.