Why makes it git so hard to use a self signed SSL certificate in conjunction with the https protocol?
At work we have a server for shared git repositories. For some reasons we can’t use the ssh protocoll to acces the repositories so we looked into the git-http-backend. So far so good but we want it encrypted, of course. So we used SSL with our self signed certificate:
git clone https://git.example.com/public Cloning into 'public'... error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://git.example.com/public/info/refs fatal: HTTP request failed
Huh? Looking deeper into the problem it turns out that git uses curl for the http(s) transport and curl refuses to work with SSL certificates it cannot verify.
Ok, that’s not a bad thing. To circumvent that you can either set an
environment variable (
GIT_SSL_NO_VERIFY=1) to make curl ignore the
verification or install the certificate on your machine. The first
option is not very attractive on the long term as you’d have to do it on
every operation with the remote server, the second one is not very
attractive when dealing with multiple developers working on different
operating systems. You’ll have to explain to them how to install the
certificate on their machine, and that has to be done every time a new
developer joins the team, yada, yada.
There is also an option in git (
http.sslverify) you can set where you
can tell git to ignore the verification of the SSL certificate for that
repository. The thing is you still have to set the environment variable
on the first clone and then you have to tell git to permanently ignore
this issue for that repository with the configuration option — a lot of
stuff to remember. Heck, looking on the interwebs I see may of the
people with that problem suggesting to shut of SSL cert verification
permanently by setting it globally.
I really wonder why git cannot simply tell the user that the SSL certificate cannot be verified and if you want to accept it permanently, temporarily or not. Every browser does that. Right now it just quits with an error and leaves the user with a cryptic error.
On the other side, when using git with a server providing the repositories via ssh. Git simply asks if you want to accept the key when you access the server for the first time and never bothers you again.