Hazard's stuff

24 Apr, 2017

Script to automate addition of self-signed SSL certificate to Git

— Posted by hazard @ 17-04-24 10:06
Out of the box, Git doesn't recognize self-signed SSL https repository certificates typically used in internal networks and refuses to connect: "Peer's certificate issuer has been marked as not trusted by the user". A common method is to disable certificate check altogether, which opens up possibility of MITM. A more safe solution is to add SSL certificate of your internal repository to Git's config, so that it gets checked and recognized. This reduces your vulnerability window to the initial certificate download. I made a small shell script to automate the job: it downloads the SSL certificate and adds it to Git. Credit goes to ThorSummoner for the trick to fetch the cert using OpenSSL client.
if [ ! "$1" ] ; then
    echo "Pass repository domain name as parameter (e.g. $0 git.local)"
mkdir ~/.gitcert 2>/dev/null
true | openssl s_client -connect $1:443 2>/dev/null | 
       openssl x509 -in /dev/stdin > ~/.gitcert/$1.crt
git config --global http."https://$1".sslCAInfo ~/.gitcert/$1.crt


Hazard's stuff is maintained by Vladimir Ivashchenko <hazard -at- hazardous-area.org>
This blog is powered by pLog