我有一个网站用来托管redmine和几个git存储库
这对于http非常适合,但是我无法使用https克隆,即
git clone http://mysite.com/git/test.git工作正常,但是
git clone http://mysite.com/git/test.git
git clone https://mysite.com/git/test.git失败了
git clone https://mysite.com/git/test.git
奇怪的是,https似乎对我测试过的其他所有内容都起作用。如果我打开
https://mysite.com/git/test.git在浏览器(经过chrome和firefox测试)中,我没有收到任何错误或警告。我还可以
curl https://mysite.com/git/test.gitwget https://mysite.com/git/test.git两者都可以正常工作,没有任何抱怨或警告。
这是git的详细输出:
$ GIT_CURL_VERBOSE=1 git clone https://user@mysite.com/test/test.git Cloning into test... Password: * Couldn't find host mysite.com in the .netrc file; using defaults * About to connect() to mysite.com port 443 (#0) * Trying 127.0.0.1... * Connected to mysite.com (127.0.0.1) port 443 (#0) * found 157 certificates in /etc/ssl/certs/ca-certificates.crt * server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none * Closing connection #0 * Couldn't find host mysite.com in the .netrc file; using defaults * About to connect() to mysite.com port 443 (#0) * Trying 127.0.0.1... * Connected to mysite.com (127.0.0.1) port 443 (#0) * found 157 certificates in /etc/ssl/certs/ca-certificates.crt * server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none * Closing connection #0 error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://user\ @mysite.com/test/test.git/info/refs fatal: HTTP request failed
这是curl的详细输出,其中的个人信息已更改:
* About to connect() to mysite.com port 443 (#0) * Trying 127.0.0.1... connected * Connected to mysite.com (127.0.0.1) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server key exchange (12): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using DHE-RSA-AES256-SHA * Server certificate: * subject: C=US; <... cut my certs info ...> * start date: 2011-10-18 00:00:00 GMT * expire date: 2013-10-17 23:59:59 GMT * subjectAltName: mysite.com matched * issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO High-Assurance Secure Server CA * SSL certificate verify ok. > GET / HTTP/1.1 > User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3 > Host: mysite.com > Accept: */* > < HTTP/1.1 200 OK < Date: Tue, 18 Oct 2011 21:39:54 GMT < Server: Apache/2.2.14 (Ubuntu) < Last-Modified: Fri, 14 Oct 2011 03:20:01 GMT < ETag: "8209c-87-4af39bb89ccac" < Accept-Ranges: bytes < Content-Length: 135 < Vary: Accept-Encoding < Content-Type: text/html < X-Pad: avoid browser bug < <p>Welcome to the mysite.com<p/> * Connection #0 to host mysite.com left intact * Closing connection #0 * SSLv3, TLS alert, Client hello (1):
我能看到的唯一区别是git似乎正在使用显式CAfile,而curl会使用整个目录?我是ssl的新手(至少在管理员方面),所以我不确定这是什么意思或如何配置git以使其与curl相同。
我在Ubuntu 10.04上使用git 1.7.5.4和apache 2.2.14。我尝试从3个不同的Linux主机(包括服务器本身上的另一个帐户)进行克隆,但没有任何效果。
我还使用了openssl工具来验证服务器上的证书:
$openssl verify -purpose sslserver -CAfile chain.crt signed.pem signed.pem: OK
这可能与错误https://bugs.maemo.org/show_bug.cgi?id=4953有关,但似乎有所不同,因为我在任何其他程序中均未收到任何警告或错误。
可能值得一提的是,我正在使用gitolite和redmine_git_hosting使用智能http通过https进行身份验证。我不认为这有什么错,因为即使我只是将一个原本可以工作的裸仓库粘贴在/ var / www中并直接访问它,也存在问题。此外,git over ssh(带或不带gitolite)均可工作。
如果您有任何疑问或想了解更多信息,请告诉我。我确实更喜欢让ssl正常工作,而不是强迫所有人在git中禁用证书检查,尽管这是当前的解决方法。