When using Git over HTTPS, you may encounter a "server certificate verification failed" error. This occurs when your system does not trust the certificate authority (CA) that issued the server’s SSL/TLS certificate. In this tutorial, we will explore the causes of this issue and provide step-by-step solutions to resolve it.
Understanding Server Certificate Verification
Server certificate verification is a crucial security feature that ensures the identity of the server you are connecting to. When you connect to a Git server over HTTPS, your system checks the server’s SSL/TLS certificate to verify its authenticity. If the certificate is not trusted, the connection will fail.
Causes of Server Certificate Verification Failures
There are several reasons why server certificate verification may fail:
- Unknown or untrusted certificate authority: The CA that issued the server’s certificate may not be recognized by your system.
- Self-signed certificate: The server may be using a self-signed certificate, which is not trusted by default.
- Certificate expiration or revocation: The server’s certificate may have expired or been revoked.
- System clock issues: An incorrect system clock can cause certificate verification to fail due to timestamp mismatches.
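The causes above can be told apart from the numbered error that openssl verify reports for a certificate saved as a PEM file. The script below is an added example, not part of the original tutorial: the function names verify_cause and make_sample_cert, the cause keywords, and the throwaway certificates it generates are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: name the cause behind a failed certificate verification.
# Revocation is not checked here.

# make_sample_cert CN OUT DAYS: constructed throwaway self-signed cert (sample input).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# verify_cause CERT CAFILE [EPOCH]: print one keyword for the verification result.
# EPOCH (Unix seconds) goes to -attime, so OpenSSL judges validity as if the
# clock read EPOCH; that reproduces what a wrong system clock does.
verify_cause() {
    vc_cert=$1; vc_ca=$2
    if [ -n "${3:-}" ]; then set -- -attime "$3"; else set --; fi
    vc_out=$(openssl verify -CAfile "$vc_ca" "$@" "$vc_cert" 2>&1) && vc_rc=0 || vc_rc=$?
    # The first "error N at D depth lookup" line carries the X509_V_ERR_* number.
    vc_code=$(printf '%s\n' "$vc_out" |
        sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1)
    case $vc_code in
        9)       echo not-yet-valid ;;         # clock behind, or cert dated in the future
        10)      echo expired ;;               # cert too old, or clock ahead
        18|19)   echo self-signed-untrusted ;; # self-signed cert absent from CAFILE
        2|20|21) echo unknown-ca ;;            # issuer not found in CAFILE
        '')      if [ "$vc_rc" -eq 0 ]; then echo trusted; else echo verify-failed; fi ;;
        *)       echo "other-error-$vc_code" ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample_cert yourserver.com "$d/certificate.pem" 30 &&
        make_sample_cert "Constructed Other CA" "$d/other.pem" 30 || { rm -rf "$d"; return 1; }
    now=$(date +%s); c=$d/certificate.pem
    echo "cert not in trust store: $(verify_cause "$c" "$d/other.pem")"
    echo "cert added to trust store: $(verify_cause "$c" "$c")"
    echo "clock 90 days ahead: $(verify_cause "$c" "$c" $((now + 90 * 86400)))"
    echo "clock 1 day behind: $(verify_cause "$c" "$c" $((now - 86400)))"
    rm -rf "$d"
}
demo
```

Against a real server, pass the certificate saved from the server as CERT and the system bundle (/etc/ssl/certs/ca-certificates.crt on Debian and Ubuntu) as CAFILE.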
Solutions
To resolve the "server certificate verification failed" error, you can try the following solutions:
1. Check the Server Certificate
Use OpenSSL to check the server’s SSL/TLS certificate:
echo -n | openssl s_client -showcerts -connect yourserver.com:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
Replace yourserver.com with your Git server’s domain name.
2. Add the Certificate to Your Trust Store
If the certificate is not trusted, you can add it to your system’s trust store:
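- Save the certificate to a file (e.g., certificate.pem).
- Copy the file to the /usr/local/share/ca-certificates/ directory, giving the copy a .crt extension, because update-ca-certificates only picks up files ending in .crt.
- Run sudo update-ca-certificates to update the trust store.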
3. Disable SSL Verification (Not Recommended)
You can disable SSL verification for Git by setting the following environment variable:
export GIT_SSL_NO_VERIFY=1
Alternatively, you can configure Git to disable SSL verification globally:
git config --global http.sslverify false
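Note: Disabling SSL verification has major security implications: Git will accept any certificate, so the server’s identity is no longer checked and the connection can be intercepted. It should only be used as a temporary workaround.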
4. Update Your System’s CA Certificates
If your system’s CA certificates are outdated, you can update them using the following command:
sudo apt-get install --reinstall ca-certificates
5. Check Your System Clock
Verify that your system clock is accurate by running:
date -R
If your clock is incorrect, consider installing NTP to synchronize with a trusted timeserver:
sudo apt-get install ntp
By following these steps, you should be able to resolve the "server certificate verification failed" error and establish a secure connection to your Git server over HTTPS.