Usability of git-http-backend with self signed SSL certificates
Why does git make it so hard to use a self-signed SSL certificate in conjunction with the https protocol?
At work we have a server for shared git repositories. For various reasons we can’t use the ssh protocol to access the repositories, so we looked into the git-http-backend. So far so good, but we want it encrypted, of course. So we used SSL with our self-signed certificate:
git clone https://git.example.com/public
Cloning into 'public'...
error: server certificate verification failed.
CAfile: /etc/ssl/certs/ca-certificates.crt
CRLfile: none
while accessing https://git.example.com/public/info/refs
fatal: HTTP request failed
Huh? Looking deeper into the problem it turns out that git uses curl for the http(s) transport and curl refuses to work with SSL certificates it cannot verify.
Ok, that’s not a bad thing. To circumvent that you can either set an environment variable (GIT_SSL_NO_VERIFY=1) to make curl ignore the verification, or install the certificate on your machine. The first option is not very attractive in the long term, as you’d have to do it on every operation with the remote server; the second one is not very attractive when dealing with multiple developers working on different operating systems. You’ll have to explain to them how to install the certificate on their machine, and that has to be done every time a new developer joins the team, yada, yada.
There is also an option in git (http.sslverify) you can set to tell git to ignore the verification of the SSL certificate for that repository. The thing is, you still have to set the environment variable on the first clone, and then you have to tell git to permanently ignore this issue for that repository with the configuration option – a lot of stuff to remember. Heck, looking on the interwebs I see many of the people with that problem suggesting to shut off SSL cert verification permanently by setting it globally.
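As an added example (not part of the original post), a small POSIX shell snippet that flags the "turn verification off globally" setting in a gitconfig and writes the narrower alternative instead: git supports URL-scoped http settings, so the self-signed certificate can be trusted via http.<url>.sslCAInfo for that one server only, with verification left on everywhere else. The config path, host name and certificate path used here are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths and the host name
# below are assumptions for illustration.

# Return 0 if the given gitconfig disables certificate verification in the
# global [http] section (the "shut it off permanently" setting), 1 otherwise.
# Scoped sections such as [http "https://git.example.com/"] are not counted.
sslverify_disabled_globally() {
    cfg="$1"
    awk '
        # Track whether we are inside the unscoped [http] section.
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[http\][[:space:]]*$/) }
        # git config keys are case-insensitive; false/no/off/0 all disable it.
        insec && tolower($0) ~ /^[[:space:]]*sslverify[[:space:]]*=[[:space:]]*(false|no|off|0)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$cfg"
}

# Append the scoped alternative: verification stays on, and git is told which
# CA file (here the server's own self-signed certificate) to trust for this
# URL prefix only.
write_scoped_ca_config() {
    cfg="$1"; url="$2"; capath="$3"
    printf '[http "%s"]\n\tsslCAInfo = %s\n' "$url" "$capath" >> "$cfg"
}

# Usage (assumed paths): write the scoped trust entry, then audit the file.
# write_scoped_ca_config "$HOME/.gitconfig" "https://git.example.com/" "/etc/git/git.example.com.pem"
# sslverify_disabled_globally "$HOME/.gitconfig" && echo "verification is disabled globally"
```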
I really wonder why git cannot simply tell the user that the SSL certificate cannot be verified and ask whether you want to accept it permanently, temporarily or not at all. Every browser does that. Right now it just quits and leaves the user with a cryptic error.
On the other hand, when using git with a server that provides the repositories via ssh, git simply asks if you want to accept the key when you access the server for the first time and never bothers you again.