Login/Register
SSL certificate rejected trying to access GitHub over HTTPS behind firewall
Asked Answered
Solved gitsslgithubcygwinssl-certificate
C

31

407

I'm stuck behind a firewall, so I have to use HTTPS to access my GitHub repository. I'm using Cygwin 1.7.7 on Windows XP.

I've tried setting the remote to https://[email protected]/username/ExcelANT.git, but pushing prompts for a password, but it doesn't do anything once I've entered it. https://username:<password>github.com/username/ExcelANT.git and cloning the empty repository from scratch, but each time it gives me the same error:

error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs

Turning on GIT_CURL_VERBOSE=1 gives me

* About to connect() to github.com port 443 (#0) * Trying 207.97.227.239... * successfully set certificate verify locations: * CAfile: none CApath: /usr/ssl/certs * SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed * Expire cleared * Closing connection #0 * About to connect() to github.com port 443 (#0) * Trying 207.97.227.239... * successfully set certificate verify locations: * CAfile: none CApath: /usr/ssl/certs * SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed * Expire cleared * Closing connection #0 error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs

fatal: HTTP request failed

Is this a problem with my firewall, Cygwin or what?

I hadn't set the HTTP proxy in the Git configuration. However, it's an ISA server that needs NTLM authentication, not basic, so unless anyone knows how to force Git to use NTLM, I'm scuppered.

Corsetti answered 23/9, 2010 at 9:41 Comment(1)
If i set http.sslVerify false then connection will secure? and it is good path to use ? In between we are using pfsense firewall. right now, .gitconfig file on user profile is blank.Grouch
B
63

Feel free to skip past this answer if you want to fix the certificates issue. This answer deals with tunneling SSH through the firewall which is IMHO a better solution to dealing with firewall/proxy thingies.

There is a better way than using HTTP access and that is to use the SSH service offered by GitHub on port 443 of the ssh.github.com server.

We use a tool called Corkscrew. This is available for both Cygwin (through setup from the Cygwin homepage) and Linux using your favorite packaging tool. For Mac OS X it is available from MacPorts and Homebrew (executable brew) at least.

The command line is as follows:

corkscrew <proxyhost> <proxyport> <targethost> <targetport> <authfile>

The proxyhost and proxyport are the coordinates of the HTTPS proxy. The targethost and targetport is the location of the host to tunnel to. The authfile is a text file with one line containing your proxy server username/password separated by a colon.

E.g.:

abc:very_secret

Installation for using "normal" ssh protocol for Git communication.

By adding this to the ~/.ssh/config this trick can be used for normal SSH connections.

Host github.com
  HostName ssh.github.com
  Port 443
  User git
  ProxyCommand corkscrew <proxyhost> <proxyport> %h %p ~/.ssh/proxy_auth

Now you can test it works by ssh-ing to gitproxy:

ssh github.com

Output:

PTY allocation request failed on channel 0
Hi ptillemans! You've successfully authenticated, but GitHub does not provide shell access.
       Connection to github.com closed.

(Note: if you never logged into GitHub before, ssh will be asking to add the server key to the known hosts file. If you are paranoid, it is recommended to verify the RSA fingerprint to the one shown on the GitHub site where you uploaded your key).

A slight variant on this method is the case when you need to access a repository with another key, e.g., to separate your private account from your professional account.

# Account dedicated for the ACME private GitHub account
#
Host acme.github.com
  User git
  HostName ssh.github.com
  Port 443
  ProxyCommand corkscrew <proxyhost> <3128> %h %p ~/.ssh/proxy_auth
  IdentityFile ~/.ssh/id_dsa_acme

Enjoy!

We've been using this for years now on both Linux, Macs and Windows.

If you want you can read more about it in this blog post.

Bandstand answered 23/9, 2010 at 9:50 Comment(4)
I gave up on getting this working, but had another look at it, and got it working. changing .ssh/config to >Host ssh.github.com >User oharab >Hostname ssh.github.com >Port 443 >PreferredAuthentications publickey >IdentityFile ~/.ssh/id_rsa and cloning using git clone [email protected]:oharab/log4vba.git got it up and running in no time.Corsetti
I'm only downvoting because the answer below is more helpful but unfortunately stackoverflow always puts the accepted answer top, even if it was only an answer for a single circumstance.Holey
In any case I updated the answer since I find that SSL tunneling through https proxy is still a better solution than fiddling with HTTPS certificates or disabling them and ending up with a solution which is still less performant, user friendly AND less secure. Well, plenty of upvotes prove me wrong but I stick to my opinion in this matter anyway.Bandstand
A proxy is a man in the middle. If you are sure you can trust him it should be ok but the only real solution is "to deal with firewall/proxy thingies". If security doesn't matter using SSL doesn't make any sense...Nutbrown
C
535

The problem is that you do not have any of certificate authority (CA) certificates installed on your system. And these certificates cannot be installed with Cygwin's setup.exe.

Install Net/ca-certificates package in Cygwin (thanks dirkjot)

There are two solutions:

  1. Actually install root certificates. The curl guys extracted the certificates from Mozilla for you.

cacert.pem file is what you are looking for. This file contains more than 250 CA certificates (don't know how to trust this number of people). You need to download this file, split it to individual certificates put them to /usr/ssl/certs (your CApath) and index them.

Here is how to do it. With Cygwin setup.exe install the curl and OpenSSL packages.

Execute:

<!-- language: lang-bash -->

    $ cd /usr/ssl/certs
    $ curl http://curl.haxx.se/ca/cacert.pem |
      awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
    $ c_rehash

Important: In order to use c_rehash you have to install openssl-perl too.

  1. Ignore SSL certificate verification.

    WARNING: Disabling SSL certificate verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a man-in-the-middle attack. Be sure you fully understand the security issues and your threat model before using this as a solution.

    env GIT_SSL_NO_VERIFY=true git clone https://github...

Clout answered 15/12, 2010 at 20:52 Comment(23)
You don't need to install curl, just use wget: wget -O - http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_a fter=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'Chastity
@Deebster, that would work if wget was installed by default, which for me it wasn't.Handtohand
I know this is cygwin, but in case anyone gets here using Centos, it's /etc/pki/tls/certs where the .pem's should go.Contemptible
Alternatively you can extract all certificates from Firefox (using a plugin), then convert them from DER to PEM format like this: for i in *.der; do openssl.exe x509 -text -inform DER -fingerprint < "$i" > /usr/ssl/certs/"${i%.der}.pem"; done Finally run c_rehash and job doneCiracirca
Didn't work for me--however, I don't have c_rehash in my path. I tried restarting my shell. I also had to mkdir -p /usr/ssl/certs. I'm wondering if my Cygwin install is different or missing something? Also, setting GIT_SSL_NO_VERIFY=true followed by running the clone operation resulted in this error: fatal: https://code.google.com/.../info/refs not found: did you run git update-server-info on the server? Maybe it will work after reboot?Ylangylang
I had to export OPENSSL=/c/OpenSSL/bin/openssl.exe to have c_rehash find openssl - it complained about not finding C:\OpenSSL when used from cygwinDarwindarwinian
@glenviewjeff cygwin has it's own openssl package with c_rehash, can be installed with cygwin's setup.exe. however problem with info/refs I think is different: try to play with url you pass to gitClout
I prefer the solution of putting [http] sslVerify = no in your global .gitconfig. See here: linux.die.net/man/1/git-configClosefisted
In my case this did not work, but this solution did, with the difference that since git was looking for the file at /usr/ssl/certs/ca-bundle.crt, that was where I put it.Sardonyx
This answer is wrong. Just install the cygwin ca-certificates package to get the missing root certificates. Why did this answer get so many ups?Sauceda
I would not add such a large bundle of root certificates but only the CA or server certificate of that specific repository. With openssl s_client --printcerts --connect server:port for example you can get a PEM dump of the cert of any SSL server.Overrate
It worked for me. Before running c_rehash, yum install openssl-perl was needed (in centos)Doubletalk
And for anyone here who is using Debian/Ubuntu, the certificates are stored in /etc/ssl/certs/Disprove
Don't turn off SSL certificate verification. This happens all too often in tools and application code throughout industry. It opens you up to a man in the middle attack. If you're going to use SSL then use it properly.Bowes
The c_rehash command keeps saying bad interpreter: permission denied for me, so I cannot apply this solution :-/Carbohydrate
In Win7... set GIT_SSL_NO_VERIFY=trueDielle
Just to elaborate on above comment...In Win7, I set an environment var... "set GIT_SSL_NO_VERIFY=true", then used the bash shell for msysgit to clone a repo.Dielle
Thank you so much, this fixed it for me. This information (the c_rehash) is not in any other posts.Rafael
the curl step from the answer didn't work for me like that - awk was complaining for the syntax error. I had to modify it a bit: curl http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1 {n++; split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print >> ("cert" n ".pem"); close("cert" n ".pem")}'. Using awk version 20070501 and Mac OS X 10.9.2.Begun
git uses libcurl which uses openssl (at least in the version that I built). If you build your own versions of things, it is libcurl that changes where it looks for the CA certificates. Use the --with-ca-path=DIR configuration option when you configure curl and point it to where openssl puts the certificates.Tauro
If i set http.sslVerify false then connection will secure? and it is good path to use ? In between we are using pfsense firewall. right now, .gitconfig file on user profile is blank.Grouch
Solution 1 must be deleted!, set GIT_SSL_NO_VERIFY=true – Then why the purpose of SSL?Sivan
Splitting with awk can be complicated; you can also use split -p "-----BEGIN CERTIFICATE-----" [filename]Puberulent
U
450

Note: disabling SSL verification has security implications. It allows Man in the Middle attacks when you use Git to transfer data over a network. Be sure you fully understand the security implications before using this as a solution. Or better yet, install the root certificates.

One way is to disable the SSL CERT verification:

git config --global http.sslVerify false

This will prevent CURL to verity the HTTPS certification.

For one repository only: 

git config http.sslVerify false
Undesigned answered 6/1, 2012 at 8:28 Comment(24)
If you don't want to edit your global settings (e.g. all repos), exclude --globalBerniecebernier
could you please add a note about how extremely dangerous this is?Bouleversement
this is a terrible idea. there is a reason that certificates should be verified. if you don't verify the certificate as trusted then the certificate could be generated by anyone and you could be susceptible to a man in the middle attack.Sievert
Don't turn off SSL verification !Bowes
Pls do this if you have no other option. This is very dangerous if you dont know what you are doingUralic
For all "do not do it" people: Sure this is not the most secure approach at all. BUT, it is far better option that not to have SSL at all! Because some people run just their private simple git servers at it is fine for them. Sure, for any real security it is NO GO setting. The most insecure thing is sending the plain bytes thru the network.Deportment
If SSL verification wants to be enabled, then someone needs to invent a way to make it work without needing to have root certificates manually installed. Perhaps if they just came bundled with git or something, that would solve this problem.Foyer
This answer should be deleted. It's led at least 247 people to do the wrong thing.Homophone
The only hope is to down click it.Tauro
It doesn't "disable" SSL, you are still using a secure connection, but there is no verification that you are actually connected to the correct server.Octopod
The universe tends to follow the path of least resistance.Bacteriophage
For those that have a private server with a self signed certificate this will help. The guy is offering a solution.. not everyone will agree, but it may solve someones problem. That's what this site is about. StackOverflow is full of opinions - not everyone will agree with the ideas and decisions of others. Saying it should be deleted is crazy.Budget
@Budget it needs to have a clear warning about the security implications. Which it does now, since I edited it in a while back.Monolayer
@halfer Why the edit? (a) It was an editor's note, it wasn't a note from the original author and (b) there's no harm in warning people a bit harder, otherwise people tend to ignore problems (you just have to look at the number of upvotes on this answer, which recommends an insecure solution...)Wiskind
Hi @Bruno. I'd wager our editing guidelines (insofar as we have any at all) would discourage people from putting in edits labelled as being from a third party (so 'Edit from halfer', 'Editor's note', '(Ed)' etc. would all be discouraged). I'm pretty sure any 'Edit' addenda are discouraged, come to think of it - they are meant to merge in to the original post. That's been covered on MSO, iirc.Cuttler
@Cuttler Are there editing guidelines that say so? I would much prefer to say such a note being clearly marked as coming from an 3rd-party editor, to make it directly clear the initial author might not endorse it (at least out of respect for the author). As for the boldness, again, bigger warnings are not a bad thing for a security issue. It's quite a sad fact for SO that this is currently the 4th most upvoted answer on the ssl tag, yet it suggests an insecure solution :-(Wiskind
Glad to find this answer. We've got an actual CA issued cert on our server, but for some reason command-line git (on which Android Studio depends) refuses to acknowledge it now (it used to, but doesn't anymore). Visual Studio and Netbeans both recognize our cert fine, but looks like something is broken in git. I tried using Netbeans to push for Android Studio, but that was a no go. This is the only way I've been able to push my work.Wick
Pretty much what the above said. Have work that needs to be pushed, maybe google and fiddle with things for about an hour and I can't figure it out, well, work has to get done, sslverify=false and send am email to IT if they care about it or not.Miguelmiguela
Is the risk somewhat mitigated if I am behind a trusted firewall, large company-backed firewall?Cryptogenic
@PeterStegnar No, this is not "a far better option". At best it's marginally better. Anyone who can intercept and manipulate your HTTP plaintext bytes can also intercept and replace the certificate, and then read and manipulate your HTTPS ciphertext bytes after decrypting them with the impostor cert. The only thing you gain from using SSL/TLS without validating the certs is that the traffic content is hidden from passive listeners, but any active adversary will only be slightly inconvenienced.Shelah
If i set http.sslVerify false then connection will secure? and it is good path to use ? In between we are using pfsense firewallGrouch
If i set http.sslVerify false then connection will secure? and it is good path to use ? In between we are using pfsense firewall. right now, .gitconfig file on user profile is blank.Grouch
There is one point though, if you have internal git server and you know you're running behind your firewalls, maybe it's not necessary to verify the certificates because it couldn't be any risk.Forehand
Git-config document git-scm.com/docs/git-config#EXAMPLES gives more examples.Undesigned
H
114

I wanted Git to use the updated certificate bundle without replacing the one my entire system uses. Here's how to have Git use a specific file in my home directory:

mkdir ~/certs
curl https://curl.haxx.se/ca/cacert.pem -o ~/certs/cacert.pem

Now update .gitconfig to use this for peer verification:

[http]
sslCAinfo = /home/radium/certs/cacert.pem

Note I'm using an absolute path. Git does no path expansion here, so you can't use ~ without an ugly kludge. Alternatively, you can skip the config file and set the path via the environment variable GIT_SSL_CAINFO instead.

To troubleshoot this, set GIT_CURL_VERBOSE=1. The path of the CA file Git is using will be shown on lines starting with "CAfile:" in the output.

Highball answered 11/12, 2011 at 20:59 Comment(8)
For me, this is the best answer: it works on unix (NetBSD actually), it affects only git and not anything else on the system, and it doesn't require root/Administrator access. Thanks!Fly
Perfect, one can even do better. I have replaced my old /etc/ssl/certs/ca-certificates.crt on my Ubuntu 8.04 LTS with this file and it magically worked!Backbone
@Fly thanks for mentioning NetBSD as it meant I found this answer. NetBSD is a bit odd. I installed the OpenSSL package, but even that doesn't get you the certs, just a placeholder directory.Waddell
+200 More awesome, it also worked on my Ubuntu box. No need to disable certificate checking in git, just do this quick fix.Cozen
Excellent answer, you can skip hand-editing the ~/.gitconfig file with the following command: git config --global http.sslCAinfo "$HOME/certs/cacert.pem"Giblet
@Michael-O's comment is the solution for Hardy 8.04 for sure. Nice and easy in the end lol!Yeah
this solution is great, simple and effective, it works on red hatMonochromatic
If i set http.sslVerify false then connection will secure? and it is good path to use ? In between we are using pfsense firewall .Grouch
B
63

Feel free to skip past this answer if you want to fix the certificates issue. This answer deals with tunneling SSH through the firewall which is IMHO a better solution to dealing with firewall/proxy thingies.

There is a better way than using HTTP access and that is to use the SSH service offered by GitHub on port 443 of the ssh.github.com server.

We use a tool called Corkscrew. This is available for both Cygwin (through setup from the Cygwin homepage) and Linux using your favorite packaging tool. For Mac OS X it is available from MacPorts and Homebrew (executable brew) at least.

The command line is as follows:

corkscrew <proxyhost> <proxyport> <targethost> <targetport> <authfile>

The proxyhost and proxyport are the coordinates of the HTTPS proxy. The targethost and targetport is the location of the host to tunnel to. The authfile is a text file with one line containing your proxy server username/password separated by a colon.

E.g.:

abc:very_secret

Installation for using "normal" ssh protocol for Git communication.

By adding this to the ~/.ssh/config this trick can be used for normal SSH connections.

Host github.com
  HostName ssh.github.com
  Port 443
  User git
  ProxyCommand corkscrew <proxyhost> <proxyport> %h %p ~/.ssh/proxy_auth

Now you can test it works by ssh-ing to gitproxy:

ssh github.com

Output:

PTY allocation request failed on channel 0
Hi ptillemans! You've successfully authenticated, but GitHub does not provide shell access.
       Connection to github.com closed.

(Note: if you never logged into GitHub before, ssh will be asking to add the server key to the known hosts file. If you are paranoid, it is recommended to verify the RSA fingerprint to the one shown on the GitHub site where you uploaded your key).

A slight variant on this method is the case when you need to access a repository with another key, e.g., to separate your private account from your professional account.

# Account dedicated for the ACME private GitHub account
#
Host acme.github.com
  User git
  HostName ssh.github.com
  Port 443
  ProxyCommand corkscrew <proxyhost> <3128> %h %p ~/.ssh/proxy_auth
  IdentityFile ~/.ssh/id_dsa_acme

Enjoy!

We've been using this for years now on both Linux, Macs and Windows.

If you want you can read more about it in this blog post.

Bandstand answered 23/9, 2010 at 9:50 Comment(4)
I gave up on getting this working, but had another look at it, and got it working. changing .ssh/config to >Host ssh.github.com >User oharab >Hostname ssh.github.com >Port 443 >PreferredAuthentications publickey >IdentityFile ~/.ssh/id_rsa and cloning using git clone [email protected]:oharab/log4vba.git got it up and running in no time.Corsetti
I'm only downvoting because the answer below is more helpful but unfortunately stackoverflow always puts the accepted answer top, even if it was only an answer for a single circumstance.Holey
In any case I updated the answer since I find that SSL tunneling through https proxy is still a better solution than fiddling with HTTPS certificates or disabling them and ending up with a solution which is still less performant, user friendly AND less secure. Well, plenty of upvotes prove me wrong but I stick to my opinion in this matter anyway.Bandstand
A proxy is a man in the middle. If you are sure you can trust him it should be ok but the only real solution is "to deal with firewall/proxy thingies". If security doesn't matter using SSL doesn't make any sense...Nutbrown
B
42

Note that for me to get this working (RVM install on CentOS 5.6), I had to run the following:

export GIT_SSL_NO_VERIFY=true

and after that, the standard install procedure for curling the RVM installer into Bash worked a treat :)

Bewley answered 18/8, 2011 at 3:11 Comment(4)
same effect as git config --global http.sslverify falseSisile
This is EXTREMELY DANGEROUS! The whole point of SSL certificate verification is to protect your code from being tampered with when you're transmitting it over HTTPS! Disabling it means that malicious people can insert vulnerabilities and other nasty things into your code as you push and fetch it!Monolayer
If i set http.sslVerify false then connection will secure? and it is good path to use ? In between we are using pfsense firewallGrouch
@Ravi the connection will technically work, yes, but it is unequivocally not a good idea. If both your git origin and the local machine are internal and under your organization's control, it might be passable, but as per user456814's comment, disabling verification opens you up to MITM attacks.Crooked
N
41

A very simple solution: replace https:// with git://

Use git://the.repository instead of https://the.repository and will work.

I've had this problem on Windows with TortoiseGit and this solved it.

Nkvd answered 12/11, 2013 at 15:46 Comment(5)
I guess this works because it doesn't verify ssl for git://. As stated out in this answer above, disabling ssl verification is a security risk.Gusella
@Gusella the reason why this works is because it doesn't even use SSL at all. The git:// protocol uses SSH, which uses SSH public and private key pairs for authentication and encryption, instead of an SSL certificate.Monolayer
@Cupcake git:// does not use SSH. See The SSH Protocol and The Git Protocol.Octopod
@nyuszika7h oh, you're right. I keep getting git:// confused with [email protected]:user/project.git, which is SCP-ish syntax.Monolayer
thanks! this works for me, using msys2 git with tinywall firewall.Hydropic
R
33

As the most popular answer (by Alexey Vishentsev) has it:

The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.

However, that last assertion is false (now, or always has been, I don't know).

All you have to do is go to Cygwin setup and include the package 'ca-certificates' (it is under Net). This did the trick for me.

Roughage answered 24/8, 2012 at 10:13 Comment(6)
cygwin git error shows CAfile: /etc/ssl/ca-bundle.crt whereas cygwin ca-certificates package installs /usr/ssl/certs/ca-bundle.crt. Therefore, had to edit ~/.gitconfig to specify the location: [http] then sslCAinfo = /usr/ssl/certs/ca-bundle.crtCuss
@maxpolk: I would have made a link but the effect is the same. This is clearly a bug in cygwin git, have you considered raising a ticket? sudo ln -s /usr/ssl/certs/ca-bundle.crt /etc/ssl/Roughage
As of today 2013-5-23, cygwin git works fine over https: if you also happen to have/remember to install cygwin's ca-certificates.Genesisgenet
I got here from this question, which indicated that an answer can be found here. However, neither the linked answer nor this answer work for me; TortoiseSVN keeps outputting error: SSL certificate problem, verify that the CA cert is OK.Carbohydrate
Where exactly do we install the cygwin installation files from the package manager? Do the ca-certificates need to be within the bin folder of Git?Josiahjosias
@user1650978: you should use the cygwin installer (named setup.exe) and install this one extra package. That is all. No need to copy files and or specify destinations.Roughage
G
19

To clone on Windows while setting SSL verify to false:

git -c http.sslVerify=false clone http://example.com/e.git

If you want to clone without borfing your global settings.

Ginnifer answered 31/10, 2016 at 17:56 Comment(0)
R
17

I know the original question lists Cygwin, but here is the solution for CentOS: 

curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

Source: http://eric.lubow.org/2011/security/fixing-centos-root-certificate-authority-issues/

Recede answered 28/11, 2011 at 22:54 Comment(4)
This worked great for me; you should probably make a backup of the original first, though, as the OP suggests. It seems like this happens when Github renews their cert, if you are on a system that has an older one.Librettist
On CentOS 5 I fixed it by yum update openssl, which also updates the ca-bundle.Disdainful
if you are going to follow this option, then you should verify the SHA-256 hash of the file before using it. You can obtain the sha256sum for the current file by some other means than the curl you're setting up (like a browser on a different machine that's already set up securely) and then compare it against the output of sha256sum /etc/pki/tls/certs/ca-bundle.crt to be sure you got the right file.Gunshy
The link is broken: "Hmm. We’re having trouble finding that site. We can’t connect to the server at eric.lubow.org."Homeward
P
15

On CentOS 5.x, a simple yum update openssl updated the OpenSSL package which updated the system ca-bundle.crt file and fixed the problem for me.

The same may be true for other distributions.

Pallette answered 6/11, 2012 at 17:12 Comment(1)
yum! This worked for me for an old install (4.1.2) of Red Hat linux. Thanks!Quoin
D
14

If all you want to do is just to use the Cygwin Git client with github.com, there is a much simpler way without having to go through the hassle of downloading, extracting, converting, splitting certificate files. Proceed as follows (I'm assuming Windows XP with Cygwin and Firefox)

  1. In Firefox, go to the GitHub page (any)
  2. Click on the GitHub icon on the address bar to display the certificate
  3. Click through "more information" → "display certificate" → "details" and select each node in the hierarchy beginning with the uppermost one; for each of them click on "Export" and select the PEM format:
  • GTECyberTrustGlobalRoot.pem
  • DigiCertHighAssuranceEVRootCA.pem
  • DigiCertHighAssuranceEVCA-1.pem
  • github.com.pem
  1. Save the above files somewhere in your local drive, change the extension to .pem and move them to /usr/ssl/certs in your Cygwin installation (Windows: C:\cygwin\ssl\certs)
  2. (optional) Run c_reshash from Bash.

That's it.

Of course this only installs one certificate hierarchy, the one you need for GitHub. You can of course use this method with any other site without the need to install 200 certs of sites you don't (necessarily) trust.

Dicho answered 6/8, 2011 at 12:37 Comment(0)
C
9

You can try this command in the Terminal:

git config --global http.sslVerify false

Cultrate answered 3/8, 2019 at 4:45 Comment(0)
R
8

If you're on Mac OS X, you can install the ca-cert-bundle via homebrew:

brew install curl-ca-bundle
git config --system http.sslcainfo /usr/local/share/ca-bundle.crt

The formula installs the cert bundle to your share via:

share.install 'ca-bundle.crt'

The share method is just an alias to /usr/local/share, and the curl-ca-bundle is provided by Mozilla. It's what you see being referenced in a lot of issues. Hope this helps as it's not very straightforward about how to approach this on Mac OS X. brew install curl isn't going to get you much either as it's keg only and will not be linked (running which curl will always output /usr/bin/curl, which is the default that ships with your OS). This post may also be of some value.

You'll of course need to disable SSL before you install homebrew since it's a git repo. Just do what curl says when it errors out during SSL verification and:

echo insecure >> ~/.curlrc

Once you get homebrew installed along with the curl-ca-bundle, delete .curlrc and try cloning a repo out on GitHub. Ensure that there are no errors and you'll be good to go.

NOTE: If you do resort to .curlrc, please remove it from your system the moment you're done testing. This file can cause major issues, so use it for temporary purposes and with caution. brew doctor will complain in case you forget to purge it from your system).

NOTE: If you update your version of git, you'll need to rerun this command since your system settings will be wiped out (they're stored relative to the Git binary based on version).

So after running:

brew update
brew upgrade

If you get a new version of Git, then just rerun:

git config --system http.sslcainfo /usr/local/share/ca-bundle.crt

And you'll be all set.

Lastly if you have a new version of Git, running:

git config -l --system

should give you an error along the lines of

fatal: unable to read config file '/usr/local/Cellar/git/1.8.2.2/etc/gitconfig'

That's your tip that you need to tell gGit where the Mozilla ca-bundle is.

.curlrc may or may not be the remedy to your problem. In any case, just get the Mozilla ca-bundle installed on your machine whether you have to manually download it or not. That's what's important here. Once you get the ca-bundle, you're good to go. Just run the Git configuration command and point git to the the ca-bundle.

export CURL_CA_BUNDLE=/usr/local/share/ca-bundle.crt to my .zshenv dot file since I'm using zsh. the git config option worked for most cases, but when hitting GitHub over SSL (rvm get stable for example), I still ran into certificate issues. @Maverick pointed this out in his comment, but just in case someone misses it or assumes they don't necessarily need to export this environment variable in addition to running the git config --system.... command. Thanks and hope this helps.

It looks like the curl-ca-bundle was recently removed from homebrew. There is a recommendation here.

You will want to drop some files into:

$(brew --prefix)/etc/openssl/certs

Roybn answered 27/3, 2013 at 20:17 Comment(3)
You can also try the following: export CURL_CA_BUNDLE=/usr/local/share/ca-bundle.crtFatally
Hi, I am having a similar issue (stackoverflow.com/questions/20939105/…) and the same issue appears when I try to install home-brew. What can I do in this case? Typing "git config --system http.sslcainfo /usr/local/share/ca-bundle.crt" in my console returns "error: could not lock config file /Applications/Xcode.app/Contents/Developer/usr/etc/gitconfig: No such file or directory". Thank you for your help!Greer
@Greer that's pretty strange. Seems like your system is pointing to a version of git relative to XCode. What is the output of running 'which git' from your terminal?Roybn
L
7

I've been having this same problem for Solaris Express 11. It took me a while, but I managed to find where the certificates needed to be placed. According to /etc/openssl/openssl.cnf, the path for certificates is /etc/openssl/certs. I placed the certificates generated using the previous advice from Alexey.

You can verify that things are working using OpenSSL on the command line:

openssl s_client -connect github.com:443
Leifleifer answered 27/7, 2011 at 18:49 Comment(0)
B
6

I fixed this problem using apt-cyg (a great installer similar to apt-get) to easily download the ca-certificates (including Git and many more):

apt-cyg install ca-certificates

Note: apt-cyg should be first installed. You can do this from Windows command line:

cd c:\cygwin
setup.exe -q -P wget,tar,qawk,bzip2,subversion,vim

Close Windows cmd, and open Cygwin Bash:

wget rawgit.com/transcode-open/apt-cyg/master/apt-cyg
install apt-cyg /bin
Blakeslee answered 1/6, 2013 at 6:2 Comment(1)
This didn't work for me - I still get the same error.Veron
C
5

On a Raspberry Pi I had:

git clone http://github.com/andreafabrizi/Dropbox-Uploader.git

Output:

Cloning into 'Dropbox-Uploader'...
error: Problem with the SSL CA cert (path? access rights?) while accessing http://  github.com/andreafabrizi/Dropbox-Uploader.git/info/refs
fatal: HTTP request failed

So I did a

sudo apt-get install ca-certificates

And then

git clone http://github.com/andreafabrizi/Dropbox-Uploader.git

worked

Clintclintock answered 15/3, 2014 at 16:7 Comment(0)
A
5

If you used a Debian-based OS, you can simply run:

apt-get install ca-certificates
Accrue answered 28/10, 2014 at 23:35 Comment(0)
D
5

Generate the access token from GitHub and save it, as it will not appear again.

git -c http.sslVerify=false clone https://<username>:<token>@github.com/repo.git

or,

git config --global http.sslVerify false
git clone https://github.com/repo.git
Divisionism answered 11/7, 2019 at 14:53 Comment(0)
P
4

Check your time.

I absolutely refused to make my Git operations insecure and after trying everything people mentioned here, it struck me that one possible cause why certificates fail to pass verification is that the dates are wrong (either the certificate expiry date, or the local clock).

You can check this easily by typing date in a terminal. In my case (a new Raspberry Pi), the local clock was set to 1970, so a simple ntpdate -u 0.ubuntu.pool.ntp.org fixed everything. For a Raspberry Pi, I would also recommend that you put the following script in a daily cron job (say /etc/cron.daily/ntpdate):

#!/bin/sh
/usr/sbin/ntpdate -u 0.ubuntu.pool.ntp.org 1> /dev/null 2>&1
Pinball answered 11/3, 2015 at 3:44 Comment(0)
P
3

Try using a .netrc file, it will authenticate over https. Create a file call .netrc in your home directory and put this in it:

machine github.com login myusername password mypass

See this post for more info:

https://plus.google.com/u/0/104462765626035447305/posts/WbwD4zcm2fj

Persaud answered 17/4, 2012 at 23:17 Comment(2)
This is a certificate validation issue, not an authentication issue -- some operating systems (including the one the OP runs) don't have the CA issuing github's new certificate included in the stock list.Unbutton
The link is broken. Google+ was shut down in 2019.Homeward
L
3

Improve RouMao's solution by temporarily disabling Git/curl SSL verification in Windows cmd:

set GIT_SSL_NO_VERIFY=true
git config --global http.proxy http://<your-proxy>:443

The good thing about this solution is that it only takes effect in the current cmd window.

Lock answered 11/12, 2013 at 22:54 Comment(2)
This is EXTREMELY DANGEROUS! The whole point of SSL certificate verification is to protect your code from being tampered with when you're transmitting it over HTTPS! Disabling it means that malicious people can insert vulnerabilities and other nasty things into your code as you push and fetch it!Monolayer
There isn't anyone by the name "RouMao" here. What answer does it refer to?Homeward
A
3

Try using command

git config --global http.sslverify false

This command will allow all the certificate from HTTP which are not secured, but use cautiously if using in a professional environment.

Appolonia answered 7/12, 2021 at 12:15 Comment(1)
The answer is a duplicate and has already been provided three times for the question.Okie
I
2

I encountered the same problem to configure Git on a collaborative development platform that I have to manage.

To solve it :

  • I've Updated the release of Curl installed on the server. Download the last version on the website Download page of curland follow the installation proceedings Installation proceedings of curl

  • Get back the certificate of the authority which delivers the certificate for the server.

  • Add this certificate to the CAcert file used by curl. On my server it is located in /etc/pki/tls/certs/ca-bundle.crt.

  • Configure git to use this certificate file by editing the .gitconfig file and set the sslcainfo path. sslcainfo= /etc/pki/tls/certs/ca-bundle.crt

  • On the client machine you must get the certificate and configure the .gitconfig file too.

I hope this will help some of you.

Inchoative answered 29/4, 2013 at 9:36 Comment(0)
G
1

I tried everything, and eventually I looked in the hosts file and there was a random entry there for GitHub. Removing the alias fixed the problem.

%systemroot%\system32\drivers\etc\hosts
Gamesmanship answered 19/7, 2016 at 8:9 Comment(0)
V
1

I simply disabled the SSL certificate authentication and used the simple user name password login as shown below:

Enter image description here

Villiform answered 16/4, 2017 at 8:54 Comment(0)
T
0

I needed the certificates just for Cygwin and Git, so I did what @esquifit posted. However, I had to run step 5 manually, c_rehash was not available on my system.

I followed this guide: Installing CA Certificates into the OpenSSL framework instead.

Tactics answered 17/10, 2011 at 10:38 Comment(0)
T
0

I needed two things:

  1. go to Cygwin setup and include the package 'ca-certificates' (it is under Net) (as indicated elsewhere).

  2. Tell Git where to find the installed certificates:

    **GIT_SSL_CAINFO=/usr/ssl/certs/ca-bundle.crt**  GIT_CURL_VERBOSE=1 git ...

(Verbose option is not needed)

Or storing the option permanently:

   **git config** --global http.sslCAinfo /usr/ssl/certs/ca-bundle.crt

   git ...
Thordis answered 18/10, 2013 at 23:10 Comment(0)
A
-2

I had the same issue.

Certificate import or command to unset SSL verification didn't work. It turns out to be an expired password for the network proxy. There was an entry of proxy configuration in the .gitconfig file present in my Windows user profile.

I just removed the whole entry, and it started working again.

Ansell answered 16/12, 2013 at 9:0 Comment(0)
A
-2

On a Mac OS X 10.5 (Leopard) system, I was able to get this to work with a simple method. First, run the GitHub procedures and the test, which worked ok for me, showing that my certificate was actually ok.

Connecting to GitHub with SSH

ssh -T [email protected]

Then I finally noticed yet another URL format for remotes. I tried the others, above and they didn't work.

2.5 Git Basics - Working with Remotes

[email protected]:MyGithubUsername/MyRepoName.git

A simple "git push myRemoteName" worked great!

Anatola answered 2/2, 2014 at 22:32 Comment(0)
M
-2

I recently (Jul 2014) had a similar issue and found on OS X (v10.9.4 (Mavericks)) that there was a "DigiCert High Assurance EV Root CA" certificate had expired (although I had another unexpired one as well).

  1. Open Keychain Access
  2. search Certificates for "DigiCert"
  3. View menu → Show Expired Certificates

I found two certificates named "DigiCert High Assurance EV Root CA", one expiring Nov 2031 and the expired one at July 2014 (a few of days previously). Deleting the expired certificate resolved the issue for me.

Marmoset answered 28/7, 2014 at 17:11 Comment(0)
E
-3

For those using MSYS/MinGW Git, add this:

export GIT_SSL_CAINFO=/mingw32/ssl/certs/ca-bundle.crt
Electrometer answered 22/9, 2014 at 18:1 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.