Wednesday, February 10, 2016

Fixing SSL problems with Git or curl on the Raspberry Pi

I have noticed that on the Pi you can run into constant problems with git and curl when connecting to HTTPS sites. This post addresses the configuration problems and shows you different ways to solve them, so you can pick the one that suits your particular needs.

Fixing the SSL problems with Git

Out of the box, if you try to commit to a GitHub repository using HTTPS (a requirement of GitHub) then you will have difficulties with certificates. The error you will get looks like this (I’m using -v for verbose mode):

Solution 1 – The super-easy but bad solution!
Simply use the git global preferences to turn off SSL verification:
A git push will work with this solution:
The downside? Well, what is the point in using HTTPS if you have turned off SSL verification? This solution is not recommended as it leaves you vulnerable to man-in-the-middle attacks.
Solution 2 – The definitely-better Solution!
For the test below, I reset SSL verification to be on, so:
Make sure that your ca-certificates (certification authority certificates! wow!) package is up to date:
Now edit your .gitconfig, which is a hidden file in your home directory (works for all user accounts including root). If it doesn’t exist on your account, create it:
Change your .gitconfig settings for [http] to be like mine:
Where sslCAinfo is the important field to set. Replace the [user] details with your own details.
Now, cloning a repository…
And pushing to the repository is working fine too.
Everything is working.

Fixing SSL Problems with Curl

Similar problems arise with curl – For example:
Again there are multiple solutions:
Solution 1 – Turn off certificates
The first is to simply turn off certificates using the curl -k option, so:
Again, this is not a good solution as it leaves you vulnerable to man-in-the-middle attacks.
Solution 1b – Turn off certificates for third-party scripts
Third-party scripts such as rpi-source or rpi-update update themselves automatically, so you can't add the -k option in front of all their calls to curl.
To make the setting persistent and keep such third-party scripts happy, intercept the curl calls using a shell script:
    cp /usr/bin/curl /usr/bin/curl.bin
    cd /usr/bin/
    sudo vi curl
    #!/bin/sh
    /usr/bin/curl.bin -k "$@"
    :w!
    chmod +x /usr/bin/curl

Solution 2 – Better – Fix the certificates problem at the Command Line
Again (in case you didn’t address git above), check that your ca-certificates package is up to date. You can then specify the CA certificate file at the command line using "--cacert /etc/ssl/certs/ca-certificates.crt". It’s a bit verbose to do every time.
Solution 3 – Best – Fix it using an environment variable
Effectively we can set the certs bundle in Solution 2 using an environment variable, which allows us to set this value on boot. So,
Once you have set this environment variable, you can just use curl with no flags:
All is in order now for both git and curl.
Finally we want to set this so that the environment variable is set on boot for the current user (root) – First we need to determine which shell we are currently using. For this we can do two things:
So, clearly we are using sh, which means that we use a .profile file in our home directory; so, we could do a vi .profile and add the following text (to anything that is already there):
Then, just to check on reboot:
Finally, if you wish to generate new CA-certificates then you should have a look at the guides at: http://curl.haxx.se/docs/sslcerts.html
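
To confirm that none of the verification-disabling workarounds above (sslVerify switched off, a curl wrapper that adds -k) are still present and that the CA bundle is in place, here is an audit script added as an example; it is not from the original post. The function names are my own, and the gitconfig parser is a simplified one that reads only the plain [http] section.

```shell
#!/bin/sh
# Added example, not from the original post: audit for the workarounds above.
CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt   # bundle path used in the post
# Print the last value of key $2 in the [http] section of gitconfig $1.
# Simplified parser (assumption): one "key = value" per line, no includes.
git_http_value() {
    [ -f "$1" ] || return 0
    awk -v key="$2" '
        /^[ \t]*\[/ { in_http = (tolower($0) ~ /^[ \t]*\[http\]/); next }
        in_http {
            line = $0; sub(/[#;].*/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { if (val != "") print val }' "$1"
}

# True if $1 is a script (not the real binary) that passes -k/--insecure.
curl_is_insecure_wrapper() {
    [ -f "$1" ] || return 1
    head -c 2 "$1" | grep -q '^#!' || return 1
    grep -Eq '(^|[[:space:]])(-k|--insecure)([[:space:]]|$)' "$1"
}

# Audit gitconfig $1, curl path $2, CA bundle $3; returns the problem count.
audit_tls_config() {
    problems=0
    case "$(git_http_value "$1" sslverify | tr 'A-Z' 'a-z')" in
        false|no|off|0)
            echo "FAIL: $1 sets http.sslVerify to false"; problems=$((problems + 1)) ;;
    esac
    ca=$(git_http_value "$1" sslcainfo)
    if [ -n "$ca" ] && [ ! -s "$ca" ]; then
        echo "FAIL: http.sslCAinfo names missing file $ca"; problems=$((problems + 1))
    fi
    if curl_is_insecure_wrapper "$2"; then
        echo "FAIL: $2 is a wrapper that adds -k"; problems=$((problems + 1))
    fi
    if [ ! -s "$3" ]; then
        echo "FAIL: CA bundle $3 is missing or empty"; problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then echo "OK: certificate verification intact"; fi
    return "$problems"
}

# Audit the current account; the paths are the ones used in this post.
audit_tls_config "$HOME/.gitconfig" /usr/bin/curl "$CA_BUNDLE" || echo "problems found: $?"
```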