On 10/01/2011 01:09 PM, Andrew Benton wrote:

> But I wasn't happy with that; if my git couldn't use https, that wasn't
> good enough. As mentioned earlier, the ssl certificate is verified by
> curl and this is actually a problem with how curl was set up. When
> installing curl, it's possible to generate a bundle of ssl certificates
> with the command:
>    make ca-bundle
>
> That will download a file from the Mozilla source and run a Perl script
> to extract the ssl certificates. If you already have a copy of the
> Firefox source you can use that instead of downloading it again (useful
> if you're installing offline):
>    cp /path/to/firefox/security/nss/lib/ckfw/builtins/certdata.txt .
>    perl lib/mk-ca-bundle.pl -n
>    mv ca-bundle.crt /etc/ssl/certs
> Now all that is needed is to tell git about the ssl certificates:
>    git config --global http.sslcainfo /etc/ssl/certs/ca-bundle.crt
> That will make the change in ~/.gitconfig
> To do it for everyone in /etc/gitconfig as root:
>    git config --system http.sslcainfo /etc/ssl/certs/ca-bundle.crt
>
> Hope that helps someone avoid retracing my steps.
>
> Andy

Andy, be sure that the perl script properly scrubs expired certificates 
and the test certs. Take a look at the BLFS CA bundle currently 
installed with OpenSSL (which also uses Mozilla as the upstream source 
for certificates). I just updated it about two weeks ago, so if the 
mk-ca-bundle.pl script included with curl is equal to the cert setup we 
currently have, then we could use that instead of maintaining our own 
two step process in BLFS as I had done (which I borrowed from Fedora, 
see the auxfiles/mkblfsca.sh in svn if you have it handy).

-- DJ Lucas

-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
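
One way to run the check DJ Lucas asks for on a generated `ca-bundle.crt`, as an added example that is not part of the original thread or of the curl or BLFS tooling. The function name `audit_ca_bundle` and its optional look-ahead window are assumptions made here; it needs `openssl`, `awk` and `mktemp`, and it only looks at validity dates, so test certificates still have to be reviewed by name.

```sh
# Audit a PEM CA bundle for certificates that are expired, or that
# expire within WINDOW_SECONDS from now.
#
# usage: audit_ca_bundle BUNDLE [WINDOW_SECONDS]
#   e.g. audit_ca_bundle /etc/ssl/certs/ca-bundle.crt 2592000   (30 days)
# Prints "<notAfter>  <subject>" for every flagged certificate.
# Returns 0 if nothing was flagged, 1 if something was, 2 on errors.
audit_ca_bundle() {
    bundle=$1
    window=${2:-0}      # 0 = report only certificates already expired
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    # Text between blocks (mk-ca-bundle.pl writes a name and a rule
    # above each certificate) is ignored.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$bundle"

    flagged=0
    for pem in "$tmpdir"/*.pem; do
        [ -e "$pem" ] || continue    # the bundle held no certificates
        # -checkend N exits non-zero when the certificate expires within
        # N seconds; an unparsable block also fails and is flagged.
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
            flagged=$((flagged + 1))
            end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | cut -d= -f2)
            subj=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null)
            printf '%s  %s\n' "${end:-unparsable}" "${subj:-$pem}"
        fi
    done
    rm -rf "$tmpdir"
    [ "$flagged" -eq 0 ]
}
```

Running it against the bundle before pointing `http.sslcainfo` at it shows whether the script that produced the bundle left stale roots in place.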
