self signed certificate in certificate chain

> node-nightly --inspect --debug-brk build/build.js

Downloading the nightly version, hang on...
FetchError: request to https://nodejs.org/download/nightly/index.json failed, reason: self signed certificate in certificate chain
at ClientRequest.<anonymous> (C:\Users\clu\AppData\Roaming\npm\node_modules\node-nightly\node_modules\node-fetch\index.js:133:11)
at ClientRequest.emit (events.js:310:20)
at TLSSocket.socketErrorListener (_http_client.js:426:9)
at TLSSocket.emit (events.js:310:20)
at emitErrorNT (internal/streams/destroy.js:92:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
at processTicksAndRejections (internal/process/task_queues.js:84:21) {
type: 'system',
errno: 'SELF_SIGNED_CERT_IN_CHAIN',
code: 'SELF_SIGNED_CERT_IN_CHAIN'
}

self signed certificate in certificate chain

If you're behind the corporate proxy (which uses e.g. Blue Coat), you should use http instead of https for repository addresses, e.g.

npm config set registry="http://registry.npmjs.org/"

See: Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN while using npm.


You can also import failing self-certificate into your system and mark as trusted, or temporary disable SSL validation while installing packages (quick, but not recommended method):

npm config set strict-ssl false

See: Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN while using npm.


The recommended way (and more painful) is just to point to the right certificate file, e.g.

npm config set cafile "<path to your certificate file>"

See: How to fix SSL certificate error when running Npm on Windows?.

前面两个方法都是无效的,只能尝试导入证书

 

Fix Git Self Signed Certificate in Certificate Chain on Windows

 通过命令git config --list --show-origin找到git证书的位置

C:/Program Files/Git/etc/gitconfig http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt

 

Using your favorite text editor you can open up your ca-bundle.crt file that you copied & your .cer files you exported from the browser. Copy the entire .cer text including the ----BEGIN CERTIFICATE--- and ----END CERTIFICATE--- to the bottom of your ca-bundle.crt file. Do this for all the .cer files you exported.

 

1.复制一份git的证书

2.然后把导出的node.js的证书,复制到git的证书下面(直接用notepad++操作)

3.配置npm证书

npm config set cafile 'C:\Users\clu\chuck-ca-bundle.crt'

 

还需要到处websense public primary certificate authority证书 

 

How can I make git accept a self signed certificate?

回答1

To permanently accept a specific certificate

Try http.sslCAPath or http.sslCAInfo. Adam Spiers's answer gives some great examples. This is the most secure solution to the question.

To disable TLS/SSL verification for a single git command

try passing -c to git with the proper config variable, or use Flow's answer:

git -c http.sslVerify=false clone https://example.com/path/to/git

To disable SSL verification for a specific repository

If the repository is completely under your control, you can try:

git config --global http.sslVerify false

There are quite a few SSL configuration options in git. From the man page of git config:

http.sslVerify
    Whether to verify the SSL certificate when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_NO_VERIFY environment variable.

http.sslCAInfo
    File containing the certificates to verify the peer with when fetching or pushing
    over HTTPS. Can be overridden by the GIT_SSL_CAINFO environment variable.

http.sslCAPath
    Path containing files with the CA certificates to verify the peer with when
    fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_CAPATH environment variable.

A few other useful SSL configuration options:

http.sslCert
    File containing the SSL certificate when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_CERT environment variable.

http.sslKey
    File containing the SSL private key when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_KEY environment variable.

http.sslCertPasswordProtected
    Enable git's password prompt for the SSL certificate. Otherwise OpenSSL will
    prompt the user, possibly many times, if the certificate or private key is encrypted.
    Can be overridden by the GIT_SSL_CERT_PASSWORD_PROTECTED environment variable.

 

回答2

I'm not a huge fan of the [EDIT: original versions of the] existing answers, because disabling security checks should be a last resort, not the first solution offered. Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent git operations at least makes life a lot harder for attacks which only occur after you have downloaded the certificate. In other words, if the certificate you downloaded is genuine, then you're good from that point onwards. In contrast, if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point.

To give a specific example: the famous repo.or.cz repository provides a self-signed certificate. I can download that file, place it somewhere like /etc/ssl/certs, and then do:

# Initial clone
GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
    git clone https://repo.or.cz/org-mode.git

# Ensure all future interactions with origin remote also work
cd org-mode
git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem

Note that using local git config here (i.e. without --global) means that this self-signed certificate is only trusted for this particular repository, which is nice. It's also nicer than using GIT_SSL_CAPATH since it eliminates the risk of git doing the verification via a different Certificate Authority which could potentially be compromised.

 

posted @ 2020-05-19 10:41  ChuckLu  阅读(4825)  评论(0编辑  收藏  举报