Ssl – Git: server certificate verification failed using Bitbucket Server

bitbucketcertificategitssltomcat

I have a Bitbucket server running onprem with a certificate.
I added it to the keystore ussing the follwing commands

openssl pkcs12 -export -in myurl.com.cer -inkey myurl.com.key -out myurl.com.p12
keytool -importkeystore -srckeystore myurl.com.p12 -srcstoretype PKCS12 -destkeystore bitbucket.jks -deststoretype JKS

It looks like this if i view the server in Chrome (which looks good):

When i try clone a Repository from the Server i get the Following Error

root@BS01:~# git clone https://source.server.com/scm/p/project.git
Cloning into 'project'...

fatal: unable to access 'https://source.server.com/scm/p/project.git':
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

On windows the error looks a bit different:

fatal: unable to access 'https://source.server.com/scm/p/project.git/': SSL certificate problem: unable to get local issuer certificate

When i Google for this error a lot of soltions suggest that i have to use a CA Certificate istead of a selfsigned one (Maybe I got the concept wrong but i thought the Certificate is a CA Certificate) or disable sslVerificaction entirely (which is not acceptable)
What problem does git have with the certificate and how to fix that?

Best Answer

Acually the certificate is only fine on my Computer, Mobile Devices did not trust it aswell - if I concatenate the whole trust chain into one .pem file looking like this:

-----BEGIN RSA PRIVATE KEY----- 
KEY FROM domain.key
-----END RSA PRIVATE KEY----- 
-----BEGIN CERTIFICATE----- 
domain.crt
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
Intermediate.crt
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
Root.crt
-----END CERTIFICATE-----

And add this one to the jks it works as expected.

openssl pkcs12 -export -in server.pem \
    -out server.p12 -name  tomcat
keytool -importkeystore -srckeystore server.p12 \
    -srcstoretype pkcs12 -destkeystore bitbucket.jks -deststoretype JKS

Related Solutions

Ftp – How to avoid lftp Certificate verification error

From the manpage:

-c commands
Execute the given commands and exit. Commands can be separated with a semicolon (;), AND (&&) or OR (||). Remember to quote the commands argument properly in the shell. This option must be used alone without other arguments.

So you want to specify the commands as a single argument, separated by semicolons:

lftp ftp://$(FTP_USER)@$(FTP_HOST) -e "set ftp:ssl-allow no; mirror -R $(OUTPUTDIR) $(FTP_TARGET_DIR) ; quit"

You can actually omit the quit command and use -c instead of -e.

Tomcat – Installing SSL Thawte Certificates for tomcat from pre-generated Private Key

Some applications (I can't remember if Tomcat is one of them) like to have the certificate chain as part of the same keystore entry as your server certificate, rather than as seperate items.

To do this, first remove the two CA certs from the keystore:

keytool -delete -alias Primary -keystore keystore.key
keytool -delete -alias Secondary -keystore keystore.key

Next, create a PKCS#7 file containing your cert with its CA chain:

openssl crl2pkcs7 -nocrl -certfile domain.crt -certfile Secondary.crt \
  -certfile Primary.crt -out domain.p7b

Then import this into your existing keystore (this will overwrite the certificate, but keep the existing private key):

keytool -importcert -alias domain -file domain.p7b -keystore keystore.key

Make sure the alias you specify matches the alias of the cert/key already in the keystore.

Now, a keystore listing (keytool -list -keystore keystore.key) should show the certificate, with its CA chain, as a single keystore entry.

Best Answer

Related Solutions

Ftp – How to avoid lftp Certificate verification error

Tomcat – Installing SSL Thawte Certificates for tomcat from pre-generated Private Key

Related Topic