This site provides HTTPS support in order to support the Git smart HTTP push protocol.

This obviously requires this site to have an SSL server certificate. In order to avoid the hassle (and the cost) of getting an SSL server certificate that has been signed by a root certificate already included (and trusted) by your browser, this site uses its own root certificate.

Git version 1.8.5 and later can quickly and easily be configured (see the “Quick Setup” section below) to use this root certificate ONLY for connections to https://repo.or.cz. This configuration is the equivalent of answering “yes” to the ssh “Are you sure you want to continue connecting?” prompt when you first connect to a new ssh server.

The root certificate for this site (https://repo.or.cz) is available from:

md5: b35b3d0336fdc42df1fe57580a53c061
sha1: b5d81fbe0c16fa5f7d1c94a881d8b391b5938faf
blob: 1fa24472709b357f7c434c1f48c6fd6e238ce8fb

See also the full instructions on configuring your Git client for https push.

For information on how to push to the mob branch using https see here.

Quick Setup

These instructions require Git version 1.8.5 or later.

The following shell commands (which can be copied and pasted into a terminal window) will download the root certificate to ~/certs/rorcz_root_cert.pem using curl and then configure Git to use it ONLY for connections to https://repo.or.cz.

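mkdir -p ~/certs
cd ~/certs
# -k: the site's certificate cannot be verified yet, so check the hash printed below
curl -kO https://repo.or.cz/rorcz_root_cert.pem
git config --global http.https://repo.or.cz.sslCAInfo \
  "$HOME/certs/rorcz_root_cert.pem"
git hash-object --no-filters ~/certs/rorcz_root_cert.pem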

Verify that the hash value output by git hash-object matches the “blob:” hash value shown at the top of this page.


A side effect of using an unrecognized root certificate is that Git may complain with an error such as:

error: server certificate verification failed

To see this error in action, simply execute this git command:

git ls-remote https://repo.or.cz/girocco.git

Instead of downloading the server’s root certificate, server certificate verification may be disabled with one of these techniques:

  1. Set the GIT_SSL_NO_VERIFY environment variable like so:
    GIT_SSL_NO_VERIFY=1 git ls-remote https://repo.or.cz/girocco.git
  2. Temporarily set the git configuration variable http.sslVerify like so:
    git -c http.sslVerify=false \
    ls-remote https://repo.or.cz/girocco.git

    Note that the -c option requires Git version 1.7.2 or later.

Or, after downloading the root certificate for this site, the error may be avoided through various methods by specifying the root certificate.
For each of these methods, the root certificate will be assumed to be downloaded and saved to the file $HOME/certs/rorcz_root_cert.pem.

Using Git version 1.8.5 or later (recommended):

  1. Configure the global http.sslCAInfo variable but only for this site like so:
    git config --global http.https://repo.or.cz.sslCAInfo \
    "$HOME/certs/rorcz_root_cert.pem"

    Note that this technique requires Git version 1.8.5 or later on the client but has the advantage of only needing to be done once.

Using any version of Git:

  1. Set the GIT_SSL_CAINFO environment variable before running git like so:
    GIT_SSL_CAINFO=$HOME/certs/rorcz_root_cert.pem \
    git ls-remote https://repo.or.cz/girocco.git
  2. Temporarily set the git configuration variable http.sslCAInfo like so:
    git -c http.sslCAInfo=$HOME/certs/rorcz_root_cert.pem \
    ls-remote https://repo.or.cz/girocco.git
  3. Configure the git http.sslCAInfo variable like so:
    git config http.sslCAInfo $HOME/certs/rorcz_root_cert.pem

    Note that this technique works best after the repository has already been cloned or initialized.

For further details see the git help config output.
