I have noticed that on the BeagleBone Black I am constantly having problems with git and curl when it comes to https sites. This post addresses the configuration problems and shows you different ways to solve the problem that may suit your particular needs.
Fixing the SSL problems with Git
Out of the box, if you try to commit to a github repository using https (a requirement of github) then you will have difficulties with certificates. The error you will get looks like this (I’m using -v for verbose mode):
root@beaglebone:~# git clone https://github.com/derekmolloy/boneCV.git -v
Cloning into 'boneCV'...
fatal: unable to access 'https://github.com/derekmolloy/boneCV.git/': Problem with the SSL CA cert (path? access rights?)
Under older versions of git, the problem may also appear as:
root@beaglebone:~/boneDeviceTree# git push https://github.com/derekmolloy/boneCV.git
error: while accessing https://github.com/derekmolloy/boneDeviceTree.git/info/refs
fatal: HTTP request failed
You could of course fix this by using git://github.com/derekmolloy/boneCV.git as the repository address; however, this does not fix the problem when you try to commit to the repository. In fact, the same error will arise.
Solution 1 – The super-easy but bad solution!
Simply use the git global preferences to turn off SSL verification:
root@beaglebone:~# git config --global http.sslVerify false
root@beaglebone:~# git clone https://github.com/derekmolloy/boneCV.git -v
Cloning into 'boneCV'...
POST git-upload-pack (190 bytes)
remote: Counting objects: 31, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 31 (delta 15), reused 18 (delta 7)
Unpacking objects: 100% (31/31), done.
root@beaglebone:~#
A git push will work with this solution:
root@beaglebone:~/boneCV# git push https://derekmolloy@github.com/derekmolloy/boneCV.git
Password for 'https://derekmolloy@github.com':
Counting objects: 5, done.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 308 bytes | 0 bytes/s, done.
Total 3 (delta 2), reused 0 (delta 0)
To https://derekmolloy@github.com/derekmolloy/boneCV.git
   6d24b8a..89bcc1c  master -> master
root@beaglebone:~/boneCV#
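The downside? Well, what is the point in using https if you have turned off SSL verification? This solution is not recommended: it leaves you vulnerable to man-in-the-middle attacks and, because the setting is global, it stays off for every repository this user works with until it is reset.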
Solution 2 – The definitely-better Solution!
For the test below, I reset SSL verification to be on, so:
root@beaglebone:~# git config --global http.sslVerify true
Make sure that your ca-certificates (certification authority certificates! wow!) package is up to date:
root@beaglebone:~# opkg install ca-certificates
Now edit your .gitconfig, which is a hidden file in your home directory (works for all user accounts including root). If it doesn’t exist on your account, create it:
root@beaglebone:~# cd ~/
root@beaglebone:~# ls .git* -l
-rw-r--r-- 1 root root 82 Jun 5 11:58 .gitconfig
root@beaglebone:~# vi .gitconfig
Change your .gitconfig settings for [http] to be like mine:
[http]
    sslVerify = true
    sslCAinfo = /etc/ssl/certs/ca-certificates.crt
[user]
    email = derek@derekmolloy.ie
    name = derekmolloy
Where sslCAinfo is the important field to set. Replace the [user] details with your own details.
Now, cloning a repository…
root@beaglebone:~# git clone https://github.com/derekmolloy/boneCV.git
Cloning into 'boneCV'...
remote: Counting objects: 34, done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 34 (delta 17), reused 21 (delta 8)
Unpacking objects: 100% (34/34), done.
root@beaglebone:~#
And pushing to the repository is working fine too.
root@beaglebone:~/boneCV# git push
Username for 'https://github.com': derekmolloy
Password for 'https://derekmolloy@github.com':
Counting objects: 5, done.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 301 bytes | 0 bytes/s, done.
Total 3 (delta 2), reused 0 (delta 0)
To https://github.com/derekmolloy/boneCV.git
   89bcc1c..7d1a5c6  master -> master
root@beaglebone:~/boneCV#
Everything is working.
Fixing SSL Problems with Curl
Similar problems arise with curl – For example:
root@beaglebone:~/temp# curl https://raw.github.com/derekmolloy/boneCV/master/boneCV.cpp > test.cpp
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (77) Problem with the SSL CA cert (path? access rights?)
Again there are multiple solutions:
Solution 1 – Turn off certificates
The first is to simply turn off certificate verification using the curl -k option, so:
root@beaglebone:~/temp# curl -k https://raw.github.com/derekmolloy/boneCV/master/boneCV.cpp > test.cpp
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   991  100   991    0     0   2921      0 --:--:-- --:--:-- --:--:--  3753
Again, this is not a good solution as it leaves you vulnerable to man-in-the-middle attacks.
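An audit for leftovers of either Solution 1, as an added example that is not part of the original post: it flags sslVerify = false in a git config file, a GIT_SSL_NO_VERIFY environment variable, and the config-file equivalent of curl -k. The ~/.curlrc check goes beyond what the post covers, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): report settings that switch
# off TLS certificate verification for git and curl.

# Print FILE:LINE for each "sslVerify = false" in an [http] or [http "<url>"]
# section of a git config file. Returns 0 if any was found, 1 otherwise.
gitconfig_insecure() {
    [ -r "$1" ] || return 1
    awk -v f="$1" '
        { line = tolower($0) }   # section and key names are case-insensitive
        line ~ /^[ \t]*\[/ {
            in_http = (line ~ /^[ \t]*\[http([ \t]+"[^"]*")?[ \t]*\]/)
            next
        }
        in_http && line ~ /^[ \t]*sslverify[ \t]*=[ \t]*(false|no|off|0)[ \t]*([#;].*)?$/ {
            printf "%s:%d: %s\n", f, NR, $0
            found = 1
        }
        END { exit !found }
    ' "$1"
}

# Print FILE:LINE for "-k", "insecure" or "--insecure" in a curl config file
# such as ~/.curlrc. Returns 0 if any was found.
curlrc_insecure() {
    [ -r "$1" ] || return 1
    grep -nE '^[[:space:]]*(-k|(--)?insecure)([[:space:]]|$)' "$1" /dev/null
}

# audit_tls_verify GITCONFIG CURLRC: 0 = nothing found, 1 = verification is
# disabled somewhere. GIT_SSL_NO_VERIFY counts when set to any value.
audit_tls_verify() {
    bad=0
    gitconfig_insecure "$1" && bad=1
    curlrc_insecure "$2" && bad=1
    if [ -n "${GIT_SSL_NO_VERIFY+set}" ]; then
        echo "env: GIT_SSL_NO_VERIFY is set"; bad=1
    fi
    return "$bad"
}

# Constructed sample: the Solution 1 setting left behind in a config file.
sample=$(mktemp)
printf '[http]\n\tsslVerify = true\n[http "https://github.com"]\n\tsslVerify = false\n' > "$sample"
audit_tls_verify "$sample" /nonexistent || echo "fix the lines listed above"
rm -f "$sample"
```

On a real account, call audit_tls_verify "$HOME/.gitconfig" "$HOME/.curlrc".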
Solution 2 – Better – Fix the certificates problem at the Command Line
Again (in case you didn’t address git above), check that your ca-certificates package is up to date. You can then specify at the command line the cacert file using “--cacert /etc/ssl/certs/ca-certificates.crt”. It’s a bit verbose to do every time.
root@beaglebone:~/temp# curl --cacert /etc/ssl/certs/ca-certificates.crt https://raw.github.com/derekmolloy/boneCV/master/boneCV.cpp > test.cpp
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   991  100   991    0     0    720      0  0:00:01  0:00:01 --:--:--   769
Solution 3 – Best – Fix it using an environment variable
Effectively we can set the certs bundle in Solution 2 using an environment variable, which allows us to set this value on boot. So,
root@beaglebone:~/temp# export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
root@beaglebone:~/temp# echo $CURL_CA_BUNDLE
/etc/ssl/certs/ca-certificates.crt
root@beaglebone:~/temp# cat $CURL_CA_BUNDLE
-----BEGIN CERTIFICATE-----
MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
...
d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
4GGSt/M3mMS+lqO3ig==
-----END CERTIFICATE-----
Once you have set this environment variable, you can just use curl with no flags:
root@beaglebone:~/temp# curl https://raw.github.com/derekmolloy/boneCV/master/boneCV.cpp > test1.cpp
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   991  100   991    0     0    728      0  0:00:01  0:00:01 --:--:--   774
All is in order now for both git and curl.
Finally we want to set this so that the environment variable is set on boot for the current user (root) – First we need to determine which shell we are currently using. For this we can do two things:
root@beaglebone:~# ps -p $$
  PID TTY          TIME CMD
  620 pts/0    00:00:00 sh
root@beaglebone:~# echo $SHELL
/bin/sh
So, clearly we are using sh, which means that we use a .profile file in our home directory; so, we could do a vi .profile and add the following text (to anything that is already there):
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
Then, just to check on reboot:
root@beaglebone:~# reboot
...
root@beaglebone:~# echo $CURL_CA_BUNDLE
/etc/ssl/certs/ca-certificates.crt
Finally, if you wish to generate new CA-certificates then you should have a look at the guides at: http://curl.haxx.se/docs/sslcerts.html
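A check for the bundle that sslCAinfo and CURL_CA_BUNDLE point at, as an added example that is not part of the original post: it reports which file each tool is configured to use and whether that file is present, readable and made up of complete PEM certificates. The function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): find the CA bundle that git and
# curl are configured to use and diagnose it, following the hints in the error
# "Problem with the SSL CA cert (path? access rights?)".

# bundle_for TOOL: configured bundle path for "git" or "curl", empty if none.
# For git, GIT_SSL_CAINFO takes precedence over http.sslCAinfo.
bundle_for() {
    case $1 in
        curl) printf '%s\n' "${CURL_CA_BUNDLE:-}" ;;
        git)  printf '%s\n' "${GIT_SSL_CAINFO:-$(git config --get http.sslCAinfo 2>/dev/null)}" ;;
    esac
}

# check_ca_bundle PATH: print a diagnosis. Return codes (this example's own):
#   0 usable, 2 no such file, 3 not readable, 4 no certificates, 5 truncated
check_ca_bundle() {
    b=$1
    if [ ! -f "$b" ]; then
        echo "$b: no such file (path?)"; return 2
    fi
    if [ ! -r "$b" ]; then
        echo "$b: not readable by $(id -un) (access rights?)"; return 3
    fi
    begin=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$b" || true)
    end=$(grep -c -e '-----END CERTIFICATE-----' "$b" || true)
    if [ "$begin" -eq 0 ]; then
        echo "$b: contains no PEM certificates"; return 4
    fi
    if [ "$begin" -ne "$end" ]; then
        echo "$b: truncated ($begin BEGIN, $end END markers)"; return 5
    fi
    echo "$b: OK, $begin certificates"
}

# Report on whatever this account has configured.
for tool in git curl; do
    p=$(bundle_for "$tool")
    if [ -n "$p" ]; then
        printf '%s: ' "$tool"; check_ca_bundle "$p" || true
    else
        echo "$tool: no bundle configured, the built-in default applies"
    fi
done
```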
Great site you’ve got here.. It’s hard to find high-quality writing
like yours nowadays. I truly appreciate people
like you! Take care!!
Hi –
Just one thing to remember with the CA errors on curl – it’s worth pointing out that you will get crypto errors if your clock is out. So make sure you set the time on your system before you spend hours trying to figure out why curl doesn’t trust any of your CA’s…like I did 🙂
Mark.
Thanks, very useful. In my case I just had to install the missing ca-certificates package and it worked.
Hi,
Thank you for all the tutorials, I still have an issue when I try to clone a repository from the bbb (on my host it works fine) : I would really appreciate your help.
This is what I get:
root@beaglebone:~# git clone http://github.com/derekmolloy/boneDeviceTree
error: Couldn’t resolve host ‘github.com’ while accessing http://github.com/derekmolloy/boneDeviceTree/info/refs
fatal: HTTP request failed
and for git:
root@beaglebone:~# git clone git://github.com/derekmolloy/boneDeviceTree
Cloning into boneDeviceTree…
fatal: Unable to look up github.com (port 9418) (Name or service not known)
Thanks
Hi Gabriel,
Have a look at the post on setting the nameservers under my post on “setting a static IP on the BeagleBone”
http://derekmolloy.ie/set-ip-address-to-be-static-on-the-beaglebone-black/
Derek.
Hi,
Your blog and video is great.
I use it a lot to get started on using the beaglebone black for my final year project.
Recently, i am trying to get dropbox to work in the beaglebone using a shell script from https://github.com/andreafabrizi/Dropbox-Uploader. It works perfectly fine when i tried it on ubuntu but for some reason i cannot get it to work in the beaglebone which is using angstrom.
I suspect it may be due to the Git and Curl problem you mention here but not sure how to go about correcting it. Was wondering if you can provide some advice.
Thanks a lot
about Dropbox-Uploader, quick fix use
./dropbox_uploader.sh -k
Thanks, very useful.
CentOs6. git 1.7.1
Great article, as always, but all of the SSL certificates for BBB referenced here just expired on 4/21/14. opkg update ca-certificates (or opkg list) shows only ca-certificates from 20130119-r0. They are only good for 1 year.
Joel, which certificates are you looking at? I just checked all of the certificates in the ca-certificates package, and the only expired one I see is spi-inc.org/spi-ca-2003.crt.
Or I’m just an idiot. You choose. 🙂
Thanks!
Thanks Derek for the post helps newbies like me a lot cheers!
prakashsinhab@PRAKASHSINHA /C/Users/prakashsinhab/Desktop/12810/EMS (master)
$ git push origin master
fatal: unable to access ‘https://github.com/prakashsinhab/EMS.git/’: SSL cer
cate problem: unable to get local issuer certificate
prakashsinhab@PRAKASHSINHA /C/Users/prakashsinhab/Desktop/12810/EMS (master)
$ GIT_SSL_NO_VERIFY=true git push origin master
Username for ‘https://github.com’: prakashsinhab@cybage.com
Thanks so much. I was missing ca-certificates on my Ubuntu install and installing it via “apt-get install ca-certificates” solved my GIT issues. Cheers
Was working on an Android port of git that supports https, and searching everywhere for a solution to the “cannot verify issuer cert” error. This is the only site I found that a) didn’t just recommend turning off verification and b) provided a solution that worked.
Many, many thanks.
Great site. All the problems I run into seem to be documented here with solutions. Your work is much appreciated.
Thank you very much. In my case, certificates were up to date, but there was no .gitconfig file.
I could not find the answer in Git web.
Added to bookmarks, and I’m interested in seeing your book in December!
You are the god of BeagleBone Derek. I have enjoyed and used a lot of your tutorials, tips & tricks and guides from your site. Keep the good work!! Are you planning to write a book ? That will be awesome
Thanks Moises — high praise! Yes, I wrote a book and it is now available — see: http://www.exploringbeaglebone.com
HI, I have a problem that you have considered here, however I have tried all solutions, and it does not help me.
git clone https://github.com/derekmolloy/boneCV.git
Cloning into ‘boneCV’…
error: Couldn’t resolve host ‘github.com’ while accessing https://github.com/derekmolloy/boneCV.git/info/refs
fatal: HTTP request failed
So I have this mistake, and do not know what to do. May be you have some solutions?
Kind regards, Aigerim
This worked exactly for getting ssl verification to work, and git cloning to my beaglebone. Thanks for all you’ve put online!
As a novice user I am trying to set up my beaglebone black using your text book. I am new to Linux and all this stuff.
I am having issues setting up GIT, as in once I run the root@beaglebone:~# vi .gitconfig command and get into VIM I am not able to edit the user details and I have accidentally lost sslCA info.
My question is what command I need to edit this once I get in and how do I save it so I can return to the root user. Is there any way that I can ensure that the errors I have made are not saved somewhere when I get it done?
Secondly, in the next section do I have to use your username when setting up the cloning repository or my own? Sorry if my questions sound silly but I am only a hobbyist.
Thanks for the tips.
Really help me save the night!
Thank you, Solution 1 worked for me