configure Git to accept a particular self-signed server certificate for a particular https remote

The sysadmin for a project I'm on has decided that SSH is "too much trouble"; instead, he has set up Git to be accessible via an https:// URL (and username/password authentication). The server for this URL presents a self-signed certificate, so he advised everyone to turn off certificate validation. This does not strike me as a good setup, security-wise.

Is it possible to tell Git that for remote X (or better, any remote in any repository that happens to begin with https://$SERVERNAME/) it is to accept a particular certificate, and only that certificate? Basically reduplicate SSH's server-key behavior.

Solution

Briefly:

Get the self signed certificate
Put it into some (e.g. ~/git-certs/cert.pem) file
Set git to trust this certificate using http.sslCAInfo parameter

In more details:

Get self signed certificate of remote server

Assuming, the server URL is repos.sample.com and you want to access it over port 443.

There are multiple options, how to get it.

Get certificate using openssl

$ openssl s_client -connect repos.sample.com:443

Catch the output into a file cert.pem and delete all but part between (and including) -BEGIN CERTIFICATE- and -END CERTIFICATE-

Content of resulting file ~/git-certs/cert.pem may look like this:

Get certificate using your web browser

I use Redmine with Git repositories and I access the same URL for web UI and for git command line access. This way, I had to add exception for that domain into my web browser.

Using Firefox, I went to Options -> Advanced -> Certificates -> View Certificates -> Servers, found there the self-signed host, selected it and using Export button I got exactly the same file, as created using openssl.

Note: I was a bit surprised, there is no name of the authority visibly mentioned. This is fine.

Having the trusted certificate in dedicated file

Previous steps shall result in having the certificate in some file. It does not matter, what file it is as long as it is visible to your git when accessing that domain. I used ~/git-certs/cert.pem

Note: If you need more trusted self-signed certificates, put them into the same file:

-----BEGIN CERTIFICATE-----
MIIDnzCCAocCBE/xnXAwDQYJKoZIhvcNAQEFBQAwgZMxCzAJBgNVBAYTAkRFMRUw
...........
/27/jIdVQIKvHok2P/u9tvTUQA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AnOtHeRtRuStEdCeRtIfIcAtEgOeShErExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw
...........
/27/jIdVQIKvHok2P/u9tvTUQA==
-----END CERTIFICATE-----

This should work (but I tested it only with single certificate).

Configure git to trust this certificate

$ git config --global http.sslCAInfo /home/javl/git-certs/cert.pem

You may also try to do that system wide, using --system instead of --global.

Test it. You should now be able to communicate with your server without resorting to:

$ git config --global http.sslVerify false # NO NEED TO USE THIS

If you already set your git to ignore ssl certificates, unset that:

$ git config --global --unset http.sslVerify

You may also check that you did it all correctly, without spelling errors:

$ git config --global --list

That should list all variables, you have set globally.

If you wish the certificate file to only be used for a specific server URL, you can edit the ~/.gitconfig file and move the sslaCAInfo parameter from the generic [http] section to a URL-matching section [http "https://your.server.here/"].