How do I configure Git to trust certificates from the Windows Certificate Store?
Currently I have the following entry in my .gitconfig in my user directory.

...
[http]
    sslCAInfo=C:\\Users\\julian.lettner\\.ssh\\git-test.pem
...

This sets the certificate to use when interacting with the git server (required by my company's git server).

But now I cannot clone other repositories (for example a public repository on GitHub), because the client always uses the configured certificate which gets rejected by other servers.

How can I circumvent this certification issue? Can I configure Git to use the Windows Certificate Store to authenticate?

Nuclease answered 21/5, 2013 at 11:7 Comment(4)
Related: How can I make git accept a self signed certificate? (Byrnes)
Related: #17106455 (Uria)
Your certificate doesn't get rejected by other servers. The issue is that the client (git) cannot verify the server's certificate. (Rudiment)
Related question to this on Azure DevOps. (Lythraceous)

Beginning with Git for Windows 2.14, you can now configure Git to use SChannel, the built-in Windows networking layer. This means that it will use the Windows certificate storage mechanism and you do not need to explicitly configure the curl CA storage mechanism.

From the Git for Windows 2.14 release notes:

It is now possible to switch between Secure Channel and OpenSSL for Git's HTTPS transport by setting the http.sslBackend config variable to "openssl" or "schannel"; This is now also the method used by the installer (rather than copying libcurl-4.dll files around).

You can choose the new SChannel mechanism during the installation of Git for Windows 2.14. You can also update an existing installation to use SChannel by running:

git config --global http.sslBackend schannel

Once you have configured this, Git will use the Windows certificate store and should not require (and, in fact, should ignore) the http.sslCAInfo configuration setting.

Smuts answered 11/1, 2018 at 17:26 Comment(17)
Seems like this should be the right way. However, I got this error: fatal: unable to access '...': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. But this may be a problem with the certificate itself. (Abb)
The latest version of git 2.17.1.2 comes bundled with libcurl and this will still read http.sslCAInfo and if it contains errors it will still throw an SSL verification issue. Please see developercommunity.visualstudio.com/content/problem/267483/… for more detail. (Quintero)
github.com/git-for-windows/git/releases/tag/v2.14.4.windows.2 and github.com/git-for-windows/git/commit/… can be of interest. (Knowing)
Worked. Had to run this with administrator privileges. (Pearl)
@Abb Open the certificate and find "CRL Distribution Point". See whether you can open the URL in a browser. Git wants to access that URL to verify revocation status. (Mcnamee)
It's interesting that the new feature isn't mentioned in official documentation... (Mcnamee)
@FranklinYu Git for Windows is a fork of git - the documentation you're pointing to is not the official documentation for Git for Windows; you're pointing to the git documentation itself. You might find this mentioned in the official documentation for Git for Windows at gitforwindows.org (but it's possible that it is indeed missing from the official documentation). I regret that this is confusing. (Smuts)
@Bluehorn, there is another SO answer for that: https://mcmap.net/q/182471/-git-the-revocation-function-was-unable-to-check-revocation-for-the-certificate... Specifically says to git config --global http.schannelCheckRevoke false and that it's not particularly any less secure (with reasoning for that statement). (Myxoma)
@Myxoma That may well be, but the CRL Distribution Point is reachable and works fine everywhere else (as long as I am on the VPN). But I will try this the next time I have to deal with Windows. (Abb)
Does anybody know if there's a way to extend this configuration to the curl that comes with Git for Windows? I'd like it to extend trust based on the system CA store. (Blakley)
That did it for me... even though I got a message that my remote doesn't accept password authentication but only SSH... (Nebulosity)
Any way to do this during silent install? (Arty)
Worked like a charm for me w/o any issues, except that I had to remove all other http.ssl* options pertaining to certificates. (Antisthenes)
Worked for me. But I had to run this command in the Visual Studio command prompt for Visual Studio projects. (Frohman)
Could anybody please resolve this issue on an Azure DevOps build agent, as asked in this question? (Lythraceous)
@Myxoma Note that the linked answer suggesting to set http.schannelCheckRevoke=false assumes this to be no less secure because the corporate proxy is assumed to check the certificate. But in my setting there is no proxy, so this actually disabled certificate revocation. And our CRL distribution point is of course indeed reachable from the system in question. My point: http.schannelCheckRevoke=false is less secure unless using a proxy. (Abb)
Worked for me once I also removed http.schannelcheckrevoke=true from my git config --global settings. (Bursary)

Use:

git config --local ...

to specify per-repository settings. Local settings are stored in the repository's .git directory.

An overview of the three locations where git can store settings:

  • --local: Repository specific, <repo_dir>/.git/config
  • --global: User-specific, ~/.gitconfig
  • --system: System default, /etc/gitconfig

More specific ones override more general settings, i.e. local overrides both global and system.

Mallissa answered 21/5, 2013 at 11:9 Comment(3)
Is there really no way to have Git for Windows accept the trusted root CAs already configured in the operating system? (Hexagram)
I haven't found a way to make git use the root CA. You can turn off certificate validation with the git config --global http.sslVerify false setting, or the GIT_SSL_NO_VERIFY=true environment variable. (Mallissa)
@Mallissa 10 years later, the same problem still persists, on any Windows version, but not on every instance. The only common ground between systems where it is happening is that the user doesn't have machine admin rights, but it's unclear if that's the actual reason. (Channel)
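Putting the two answers together (the schannel backend in the global config, and the OpenSSL backend plus the company's CA bundle scoped with --local to the one repository that needs it), as an added PowerShell example that is not from either answer. It assumes Git for Windows 2.14 or later on PATH; the repository path and CA bundle path are placeholders to replace, and the http.sslBackend, http.sslCAInfo and http.schannelCheckRevoke keys are the ones quoted in the answers and comments above.

```powershell
# Added example; not from either answer. Assumes Git for Windows >= 2.14 on PATH.
# Placeholders to replace: the company repository clone and its CA bundle.
$CompanyRepo = 'C:\src\company-repo'                  # placeholder
$CompanyCa   = 'C:\Users\<you>\.ssh\git-test.pem'     # placeholder, the bundle from the question

function Get-GitHttpSslSettings {
    # Lists every http.ssl*/http.schannel* key at the given scope (prints nothing if none is set).
    param([string]$Scope)
    git config $Scope --get-regexp '^http\.(ssl|schannel)' 2>$null
}

Write-Host 'Global HTTPS settings before:'
Get-GitHttpSslSettings -Scope '--global'

# 1. Clear curl-specific keys from the global scope. Commenters above report that a
#    leftover http.sslCAInfo or other http.ssl* key still interferes after the switch.
git config --global --unset-all http.sslCAInfo
git config --global --unset-all http.sslVerify

# 2. Use Secure Channel globally, so public hosts such as GitHub are validated against
#    the Windows certificate store instead of a hand-maintained PEM bundle.
git config --global http.sslBackend schannel

# 3. Leave revocation checking at its default (enabled). Disabling it only makes sense
#    when a proxy performs that check on your behalf, as one commenter points out.
git config --global --unset-all http.schannelCheckRevoke

# 4. The company server that needs the private CA bundle keeps the OpenSSL backend, but
#    only inside its own clone: --local writes to <repo>\.git\config, which overrides
#    the global setting for that repository alone.
if (Test-Path (Join-Path $CompanyRepo '.git')) {
    git -C $CompanyRepo config --local http.sslBackend openssl
    git -C $CompanyRepo config --local http.sslCAInfo $CompanyCa
}

# 5. Confirm the effective values: schannel everywhere, OpenSSL plus bundle in the one repo.
Write-Host "Backend outside the company repo:  $(git config --global --get http.sslBackend)"
Write-Host "Backend inside the company repo:   $(git -C $CompanyRepo config --get http.sslBackend)"
Write-Host "CA bundle inside the company repo: $(git -C $CompanyRepo config --get http.sslCAInfo)"
```

The --unset-all calls exit non-zero when the key was never set; that is harmless here and keeps the script safe to re-run.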
