7

I would like to use a git repo that is accessible through https. The https server has a self-signed certificate. I always get an error while trying to clone the repo with eclipse+egit:

https://host/path: cannot open git-upload-pack sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Is it possible to bypass this problem? I used the export GIT_SSL_NO_VERIFY=1 command to skip SSL verification with the console client. This trick doesn't work with Eclipse.

Thanks,

Hubi

Hubidubi

5 Answers

9

You can also just set eGit to ignore server verification. In Eclipse go to Window -> Preferences.

From there go to Team -> Git -> Configuration

Click "New Entry"

Key: http.sslVerify Value: false

Click "OK"

Click "OK"

For a more detailed approach to this check out my blog post here: http://www.pur-logic.com/2012/04/21/egit-self-signed-certificate/

ossys
  • Is this the same problem if an IP address is used instead of a hostname? – Chris May 23 '13 at 18:10
  • 6
    As stated in numerous answers related to the topic "self-signed certificates and git" using `http.sslVerify:false` is a **terrible practice from security PoV** and should be an absolute last resort, especially that there are other options. This answer solves the issue and opens up for others, normally considered much more severe. But hey, hackers gotta eat too, right? :) The root problem here is that the self-signed certificate is not trusted by the java used by egit/eclipse. And the solution is simply to enroll it in cacert. – shturec Feb 09 '16 at 15:26
9

You have to import that certificate into your keystore (either the default keystore cacerts in your JDK directory or you specify one with the parameter -Djavax.net.ssl.trustStore).

dunni
  • 1
    Unlike the answer selected by the author this one doesn't open security vulnerabilities and should be the preferred one as it is a solution for the exact problem here - the java used by egit doesn't recognize the certificate as trusted. – shturec Feb 09 '16 at 15:33
2

The FAQ of CAcert provides the commandline for keytool:

keytool -keystore $/PATH/TO/CACERTS/KEYSTORE -storepass changeit -import -trustcacerts -v -alias cacertclass1 -file root.crt
  • Possibly, you have to omit -trustcacerts to import a normal certificate.
  • -alias might also be unnecessary
koppor
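The two answers above (importing the certificate into a Java keystore with keytool, and pointing the JVM at it with -Djavax.net.ssl.trustStore) can be combined as follows. This is an added example, not part of any answer on this page. It assumes the certificate's SHA-256 fingerprint was obtained out-of-band from the server's administrator; the host, alias and file paths are placeholders, and `-importcert`, `-noprompt` and `javax.net.ssl.trustStorePassword` are standard keytool/JSSE names that the answers do not mention.

```shell
#!/bin/sh
# Added example (constructed): pin a self-signed certificate, then import it
# into a private copy of the JDK trust store. Paths and aliases are placeholders.

# Download the certificate the server presents (trust nothing yet).
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Reduce any fingerprint spelling to bare uppercase hex for comparison.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Succeeds only if the file matches the fingerprint received out-of-band.
check_pin() {
    [ "$(cert_fp "$1")" = "$(norm_fp "$2")" ]
}

# import_pinned CERT EXPECTED_FP JDK_CACERTS NEW_STORE ALIAS
import_pinned() {
    check_pin "$1" "$2" || { echo "fingerprint mismatch, not importing" >&2; return 1; }
    # Work on a copy: the JDK's own cacerts stays untouched, and the public
    # CAs remain trusted so other HTTPS connections from Eclipse keep working.
    cp "$3" "$4" || return 1
    keytool -importcert -noprompt -keystore "$4" -storepass changeit \
        -alias "$5" -file "$1"
}

# Lines to place after -vmargs in eclipse.ini.
eclipse_ini_args() {
    printf '%s\n' "-Djavax.net.ssl.trustStore=$1" \
                  "-Djavax.net.ssl.trustStorePassword=changeit"
}
```

Certificate verification stays enabled with this approach, so the hostname in the URL still has to match the certificate, as the last answer on this page notes.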
1

We should use the http.sslCAInfo option for this use case.
However, Eclipse JGit development status for this option has been stuck for a very long time.

FYI

hiropon
0

I had some trouble with this too, but with a different story. The hostname for the Git repo didn't match the cert's hostname. Solution was to change the cert to match the hostname.

siebz0r