If you run into SSL issues with your appliance, you can take the following actions to resolve them.
Removing the passphrase from your key file
If you have a Linux machine with OpenSSL installed, you can remove your passphrase by:
- Renaming your original key file:
  mv yourdomain.key yourdomain.key.orig
- Generating a new key without a passphrase:
  openssl rsa -in yourdomain.key.orig -out yourdomain.key
Note that you'll be prompted for the key's passphrase when you run this command.
Converting your SSL certificate or key into PEM format
You should be able to convert your key into PEM format by using the openssl command (if it's installed on your machine). For example, you can convert a key from DER format into PEM format as follows:
openssl rsa -in yourdomain.der -inform DER -out yourdomain.key -outform PEM
Otherwise, you can use this tool to convert your certificate into the PEM format.
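To tell which of the two fixes above a key file needs before you upload it, the following added example (not part of the original documentation) classifies a key by its on-disk encoding using only standard shell tools. The function name key_format and the sample files are constructed for illustration; the sample bodies are placeholders, not real key material.

```shell
#!/bin/sh
# Added example: classify a private key file by its on-disk encoding.
# Prints one of: pem-encrypted, pem-plain, der, unknown.
key_format() {
    f=$1
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        # PKCS#8 encrypted keys say so in the PEM label itself.
        echo pem-encrypted
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        # Traditional encrypted keys keep the normal label and add a
        # "Proc-Type: 4,ENCRYPTED" header line below it.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo pem-encrypted
        else
            echo pem-plain
        fi
    elif [ "$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # DER is binary ASN.1 and starts with a SEQUENCE tag (0x30).
        echo der
    else
        echo unknown
    fi
}

# Constructed sample files: placeholder bodies, not real key material.
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' 'AAAA' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/traditional-enc.key"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$tmp/pkcs8-enc.key"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
    '-----END PRIVATE KEY-----' > "$tmp/plain.key"
printf '\060\202\004\244' > "$tmp/key.der"

for f in "$tmp"/*; do
    case $(key_format "$f") in
        pem-encrypted) hint='remove the passphrase first' ;;
        der)           hint='convert to PEM first' ;;
        pem-plain)     hint='PEM without a passphrase' ;;
        *)             hint='not recognised as a private key' ;;
    esac
    printf '%s: %s\n' "${f##*/}" "$hint"
done
rm -rf "$tmp"
```

A key reported as pem-encrypted still carries a passphrase even when its first line looks like an ordinary RSA key label, which is the case the Proc-Type check catches.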
After uploading my key, my install is unresponsive
GitHub Enterprise has a number of safeguards to prevent this from happening, but if you find yourself in this situation please contact support with specific details about what you've done. It would be helpful if you included a copy of your SSL certificate.
We'll do everything we can to help get your install running again as quickly as possible.
My programs are throwing certificate validity errors
Clients such as web browsers and command-line Git will throw an error if they cannot verify the validity of an SSL certificate. This often occurs with self-signed certificates as well as "chained root" certificates issued off of an intermediate root certificate that is not recognized by the client.
If you are using a certificate signed by a certificate authority (CA), the certificate file that you upload to GitHub Enterprise must include a certificate chain with that CA's root certificate. To create such a file, concatenate your entire certificate chain (or "certificate bundle") onto the end of your certificate—ensuring that the principal certificate with your hostname comes first. On most systems you can do this with a command similar to the following:
cat yourdomain.com.crt bundle-certificates.crt > yourdomain.combined.crt
You should be able to download a certificate bundle (e.g. bundle-certificates.crt) from your certificate authority or SSL vendor.
Installing self-signed or untrusted certificate authority (CA) root certificates
If your GitHub Enterprise appliance interacts with other machines on your network that use a self-signed or untrusted certificate, you will need to import the signing CA's root certificate into the system-wide certificate store in order to access those systems over HTTPS.
- Obtain the CA's root certificate from your local certificate authority and ensure it is in PEM format
- Copy the file to your GitHub Enterprise appliance over SSH as the "admin" user on port 122:
  scp -P 122 rootCA.crt admin@hostname:/home/admin
- Connect to the GitHub Enterprise administrative shell over SSH as the "admin" user on port 122:
  ssh -p 122 admin@hostname
- Import the certificate into the system-wide certificate store:
  ghe-ssl-ca-certificate-install -c rootCA.crt