Using Gitblit without CA certificate

Klamann

Jun 11, 2014, 5:17:59 AM
to git...@googlegroups.com
Hi there,

as the title suggests, I'd like to use gitblit without the need to create my own self-signed CA certificate.

Gitblit is the perfect solution for small teams, but using self-signed certificates makes it painful for new team members to join and some have (legitimate) concerns when it comes to disabling proper authentication mechanisms on their machines. Besides, which small workgroup would bother to request an expensive CA certificate just to get their git platform running?

So here's how I would like to use Gitblit:
  • Repository access via SSH, users can upload their own public keys - this is already implemented
  • Access to the web interface via HTTPS, where the server can (re)use a regular X.509 certificate (getting one of those is easy these days)
If this is already possible, please point me in the right direction (I was unable to start Gitblit without a valid CA certificate so far).
If not, please consider removing the strict requirement of having a CA certificate in a future version of Gitblit. It would be great to use Gitblit with a regular server certificate!

James Moger

Jun 11, 2014, 8:19:49 AM
to git...@googlegroups.com
By default Gitblit GO will create a self-signed certificate chain which allows immediate https access and client certificate generation. You are free to use a normal purchased certificate and create a new keystore - you lose X.509 client certificate generation, but that is probably a small niche of users anyway. I run a few instances with standard commercial certificates, others do too I am sure. A CA certificate is not required to serve https.

As you indicate, SSH is built-in and you can configure Gitblit to only serve that transport, avoiding the http.sslVerify=false per-client or importing of Gitblit's self-generated CA certificate.

-J

Klamann

Jun 11, 2014, 4:17:50 PM
to git...@googlegroups.com
Thanks for your answer! I've been experimenting with Gitblit GO only and somehow I expected the Tomcat version to behave the same way, but I'm glad that's not the case.

So now I have Gitblit running on Tomcat, which itself is accessible through an Apache proxy which handles all the SSL stuff just fine.