Ubuntu – How to install certificates for command line

certificatescommand linehttps

So in school we need to install a certificate to access https sites. In firefox, I can import the certificate. However, I can't do so with the command line. For example, running git push I get:

fatal: unable to access 'https://github.com/user/repo': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

How do I import a certificate to remove this? The import must be able to authenticate for me. Also, it is a .cer file, so the answer for .crt will not work. Also, I do not want steps on how to setup git, as I already have. I want to know if it is possible to do that. Or can I just disable authentication with the git command totally and make it ignore certificates like what the answer here says? Also, I do not want the webpage to load, I have set firefox to do that. I want the git push command to give the standard output like:

[master 630d087] message
 1 file changed, 93 insertions(+), 80 deletions(-)
 rewrite somefile (84%)
Counting objects: 9, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 978 bytes | 0 bytes/s, done.
Total 5 (delta 2), reused 0 (delta 0)
To https://github.com/User/Repo.git
   851ae39..630d087  master -> master

Note: I found out its git config --global http.sslverify false. But I would like to see an answer for everything, not just a git hack

Best Answer

TL;DR

For everything to work and not only your browser, you need to add that CA certificate to the system's trusted CA repository.

In ubuntu:

  • Go to /usr/local/share/ca-certificates/
  • Create a new folder, i.e. "sudo mkdir school"
  • Copy the .crt file into the school folder
  • Make sure the permissions are OK (755 for the folder, 644 for the file)
  • Run "sudo update-ca-certificates"

Why

Let me explain what is going on also, so the other posters see why they don't need any certificate to use Github over HTTPS.

What is going on there is that your school is intercepting all the SSL communications, probably in order to monitor them.

To do that, what they do is in essence a "man in the middle" attack, and because of that, your browser complains rightfully that he is not being able to verify github's certificate. Your school proxy is taking out github's cert and instead providing its own cert.

When your browser tries to verify the school's provided cert against the CA that signed github's cert, it rightfully fails.

So, for the SSL connection to work in the school, you need to consciously accept that "MITM" attack. And you do that by adding the school's CA certificate as a trusted one.

When you trust that school CA, your verification of the fake github cert will work, since the fake github cert will be verified by the school CA.

Be aware that SSL connection is not safe anymore since your school administrator will be able to intercept all your encrypted connections.

Related Question