html/rootcert.html

   1 @section=site guide
   2 @heading=Root Certificate
   3 @header
   4
   5 <!-- This file is preprocessed by cgi/html.cgi -->
   6
   7
   8 <p>This site provides https support in order to support the Git smart HTTP
   9 push protocol.</p>
  10
  11 <p>This obviously requires this site to have an SSL server certificate.  In order
  12 to avoid the hassle (and the cost) of getting an SSL server certificate that
  13 has been signed by a root certificate already included (and trusted) by your
  14 browser, this site uses its own root certificate.</p>
  15
  16 <p>The root certificate for this site is available from:</p>
  17 <blockquote>
  18 <a href="@@path(webadmurl)@@/@@nickname@@_root_cert.pem">@@server(webadmurl)@@/@@nickname@@_root_cert.pem</a>
  19 <br />
  20 md5: <tt>@@md5(@@nickname@@_root_cert.pem)@@</tt>
  21 <br />
  22 sha1: <tt>@@sha1(@@nickname@@_root_cert.pem)@@</tt>
  23 </blockquote>
  24
  25 <p>Also see the <a href="@@path(htmlurl)@@/httpspush.html">full instructions on configuring your Git client for https push</a>.</p>
  26
  27 <p>A side effect of using an unrecognized root certificate is that Git may
  28 complain with an error such as:</p>
  29 <blockquote>
  30 <tt>error: server certificate verification failed</tt>
  31 </blockquote>
  32
  33 <p>To see this error in action, simply execute this git command:</p>
  34 <blockquote><pre>
  35 git ls-remote @@httpspushurl@@/girocco.git
  36 </pre></blockquote>
  37
  38 <p>Instead of downloading the server&#x2019;s root certificate, server certificate verification may be disabled with one of these techniques:</p>
  39
  40 <ol>
  41 <li>Set the <tt>GIT_SSL_NO_VERIFY</tt> environment variable like so:
  42 <pre>
  43 GIT_SSL_NO_VERIFY=1 git ls-remote @@httpspushurl@@/girocco.git
  44 </pre></li>
  45
  46 <li>Temporarily set the git configuration variable <tt>http.sslVerify</tt> like so:
  47 <pre>
  48 git -c http.sslVerify=false \
  49 ls-remote @@httpspushurl@@/girocco.git
  50 </pre>
  51 <p>Note that the <tt>-c</tt> option requires Git version 1.7.2 or later.</p></li>
  52 </ol>
  53
  54 <p>Or, after downloading the root certificate for this site, the error may be
  55 avoided through various methods by specifying the root certificate.<br />
  56 For each of these methods, the root certificate will be assumed to be downloaded
  57 and saved to the file <tt>$HOME/certs/@@nickname@@_root_cert.pem</tt>.</p>
  58
  59 <p id="git185">Using Git version 1.8.5 or later (recommended):</p>
  60
  61 <ol>
  62 <li>Configure the global <tt>http.sslCAInfo</tt> variable but only for this site like so:
  63 <pre>
  64 git config --global http.@@base(httpspushurl)@@.sslCAInfo \
  65                     $HOME/certs/@@nickname@@_root_cert.pem
  66 </pre>
  67 <p>Note that this technique requires Git version 1.8.5 or later on the client but has the advantage of only needing to be done once.</p></li>
  68 </ol>
  69
  70 <p>Using any version of Git:</p>
  71
  72 <ol start="2">
  73 <li>Set the <tt>GIT_SSL_CAINFO</tt> environment variable before running git like so:
  74 <pre>
  75 GIT_SSL_CAINFO=$HOME/certs/@@nickname@@_root_cert.pem \
  76 git ls-remote @@httpspushurl@@/girocco.git
  77 </pre></li>
  78
  79 <li>Temporarily set the git configuration variable <tt>http.sslCAInfo</tt> like so:
  80 <pre>
  81 git -c http.sslCAInfo=$HOME/certs/@@nickname@@_root_cert.pem \
  82 ls-remote @@httpspushurl@@/girocco.git
  83 </pre></li>
  84
  85 <li>Configure the git <tt>http.sslCAInfo</tt> variable like so:
  86 <pre>
  87 git config http.sslCAInfo $HOME/certs/@@nickname@@_root_cert.pem
  88 </pre>
  89 <p>Note that this technique works best after the repository has already been cloned
  90 or initialized.</p></li>
  91 </ol>
  92
  93 <p>For further details see the <tt>git help config</tt> output.</p>
  94
  95 @@ifmob@@
  96 <p>For information on how to push to the mob branch using https see <a href="@@path(htmlurl)@@/mob.html#httpsmobpush">here</a>.</p>
  97 @@end@@