assembler

Reputation: 3300

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none after changing to https

I was using ssh to connect to my git repository, but I needed to change to https. And now when I try to:

git pull --rebase origin develop

I got:

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I went to /etc/ssl/certs/ca-certificates.crt and renamed that file, but it didn't work, so I left it as it was.

Here is what I did:

git remote set-url origin https://<my_username>@<my_git_repository>.git

and then

git remote -v

It returned:

origin  https://<my_username>@<my_git_repository>.git (fetch)
origin  https://<my_username>@<my_git_repository>.git (push)

I am using Linux Mint 19.3 and I can't find a solution for this. How shall I proceed in order to solve this?

Upvotes: 0

Views: 6545

Answers (1)

bk2204

Reputation: 76489

This message means that the server you're connecting to doesn't have a valid TLS certificate and therefore a secure connection cannot be made. The file that's mentioned is the system certificate store of trusted certificates, which is printed by Git to help you determine what's trusted. You should not modify it, rename it, or delete it, because doing so can break all TLS verification on your system.

Ideally, your friend would use a valid TLS certificate, in which case everything should just work. Let's Encrypt provides free certificates and there's an easy-to-use tool called certbot that can request and install them automatically. Asking your friend to configure their server securely is the best possible way to go here.

If that's not possible for some reason, you can ask your friend for the certificate they're using in PEM format and save that in a file, and then set http.sslCAInfo to that file name. That's also secure, but it's a bit of a hassle. You could also try to extract the certificate by using openssl s_client to connect to the server and use the certificate printed there as the source for http.sslCAInfo, but you have no guarantee that someone isn't intercepting your connection and substituting a false certificate.

It is possible to disable TLS certificate verification by setting http.sslVerify to false, but this means that your data is completely insecure and can be tampered with, deleted, destroyed, and read by any sufficiently determined party on the Internet. It is no better than using plain HTTP and should be a last resort, since this is a bad security practice.

Upvotes: 3
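
Added example, not part of the answer above: one way to apply the http.sslCAInfo option it describes, assuming the server owner has sent you the certificate's SHA-256 fingerprint over a separate channel. The host name, file path and fingerprint are placeholders you supply, and the setting is scoped to one host with Git's http.<url>.sslCAInfo form so other remotes keep using the system store.

```shell
#!/bin/sh
# Added example: trust a self-signed server certificate for one Git host only,
# and only after its fingerprint matches one received out of band.

# Print the SHA-256 fingerprint (lowercase hex) of the first certificate in a
# PEM file: the hash of its DER bytes, i.e. the base64-decoded PEM body.
pem_sha256() {
    awk '/-----BEGIN CERTIFICATE-----/ {f = 1; next}
         /-----END CERTIFICATE-----/   {exit}
         f' "$1" | tr -d '\r' | base64 -d | sha256sum | cut -d' ' -f1
}

# Normalise a fingerprint as people usually send it (AA:BB:.. or aabb..).
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# pin_git_ca HOST PEMFILE EXPECTED_FP
# PEMFILE should be an absolute path, since Git stores it as given.
pin_git_ca() {
    host=$1
    pem=$2
    expected=$(norm_fp "$3")
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    actual=$(pem_sha256 "$pem")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $pem: got $actual" >&2
        return 1
    fi
    # Scoped setting: the custom CA file applies to this host only; every
    # other remote still verifies against /etc/ssl/certs.
    git config --global "http.https://$host/.sslCAInfo" "$pem"
}

# Usage (placeholders, not values from the question):
#   pin_git_ca git.example.invalid "$HOME/.config/git/friend-ca.pem" "AA:BB:...:FF"
```

A mismatch leaves the Git configuration untouched, which is the case the answer warns about when the certificate is fetched over an unverified connection.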
