Invalid SSL certificate when pushing to Git server
I

11

37

I am running Gitblit on a Windows Server and am trying to push data to a repository from another machine on the network. I have used an SSL certificate (not self-signed, but I think signed by my company? Not really sure how that works but Chrome, IE, etc. see it is identity verified).

The server that runs Gitblit is named itscm and on the developer's desktop I am using this URL to push data via TortoiseGit:

git.exe push --progress  "https://itscm:8234/git/TestRepo.git" master

However, I get this error:

fatal: unable to access 'https://itscm:8234/git/TestRepo.git/': SSL certificate problem: self signed certificate in certificate chain

When I go to that address in Chrome, I get a 404 on the page, BUT I can see that the padlock in the URL bar is green. When I click the padlock I see that the identity is verified. I don't understand how my browser sees this certificate as valid but when I try to push data to it via Git, it fails.

Inamorato answered 16/10, 2013 at 20:46 Comment(5)
In my experience, the first time you try to access some place with an SSL certificate your browser doesn't like, it will give you the option to accept it anyway. Perhaps you've done this? – Suksukarno
I was testing this earlier with Firefox today. Out-of-the-box, Gitblit uses a self-signed certificate and Firefox was definitely recognizing it as invalid. After fiddling around with the Gitblit install, I got it to work with my existing certificate. Firefox indicates that it trusts that certificate now. – Inamorato
From the sound of it, your company uses an internal CA signing cert which has signed your SSL cert for itscm. I would guess that the CA cert has been added to your trusted certs for your browser, but git is using a source which does not trust the same CA chain as your browsers are configured to. – Warmup
Possible duplicate of SSL certificate rejected trying to access GitHub over HTTPS behind firewall – Patently
See the correct resolution here: #16669008 – Discursive
P
49

Git for Windows has its own trust store of trusted certificates which is normally located in the file

  • Git for Windows <=1.9: [Git installdir]\bin\curl-ca-bundle.crt (e.g., C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt; configured by the key http.sslCAinfo in [Git installdir]\etc\gitconfig).
  • Git for Windows >= 2.0: [Git installdir]\mingwXX\ssl\certs\ca-bundle.crt where XX stands for 32 or 64 (e.g., C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt; configured by the key http.sslCAinfo in git config, e.g. C:\Program Files\Git\etc or your global/local config).

Disabling checking of certificates (e.g., by setting git config http.sslVerify false) is not a good idea and might be extremely dangerous (as all security checks are disabled and MitM attacks are easily possible - depending on where this is set, it applies to all new https connections).

In order to add a certificate (may it be a self-signed one or another root certificate) to this trust store in order to automatically trust it, you have to perform the following steps (the first five steps are just to gather the certificate, this can also be done with your favorite browser, but might require different tasks):

  1. Open the URL of the site in Microsoft Edge

  2. Click on the lock symbol in the local bar and choose "Connection is safe" and then click on the certificate symbol.

  3. (Optional) Select the certificate you want to trust on the certificate chain (third tab) and open it

  4. Go to the second tab "Details"

  5. Click on "Save to file", choose "Base64-encoded X.509 (.CER)" and save it with a unique name (remember that name; a name w/o spaces is recommended).

  6. Now you have several options

    1. Use a separate certificate trust store which only contains your just downloaded cert, by executing git config --global http.sslCAinfo "[yourfilename]" in a cli shell in order to only use this certificate as the trust store.
    2. Use a separate certificate trust store which contains your just downloaded cert and all certificates from the git trust store, by appending all content from the system trust store file (path see above) and then execute git config --global http.sslCAinfo "[yourfilename]" in a cli shell in order to use this new trust store.
    3. Update the system certificate file, by appending the content of your just saved file to [path-to-git-trust-store-crt-file] (e.g. by type [yourfilename] >> [path-to-git-trust-store-crt-file] in a cli shell running with administrative rights) OR using notepad (make a copy of the ca-bundle.crt file on desktop, append the content of the downloaded .crt file and then copy it back). Disadvantage: changes might get overwritten on git update.

Done. Now, this certificate is in the trust store of Git for Windows.


Recent versions of Git for Windows can also use the Windows certificate store, which might be more convenient in a corporate environment. This can be configured on installation.

Plante answered 30/9, 2014 at 19:33 Comment(5)
"Open the URL of the site in Internet Explorer" Which URL are you talking about in this? – Gaskins
The URL you are using in Git for the remote. – Plante
I also had to modify the file C:\Program Files\Git\mingw64\ssl\cert.pem. I just added the base64 certificate there and (finally) it worked. – Forney
Using the first option just replaced the "SSL certificate problem: self signed certificate in certificate chain" error with "error setting certificate verify locations: CAfile: C:\Program Files\Git\mingw64\ssl\certs\github.cer CApath: none" – Dunite
One remark: in my case git config --global http.sslCAinfo was empty, and git config http.sslCAinfo gave me the right path. git config --show-origin -l shows every used file and can help in case of a problem at this level. – Astrology
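Option 2 from the answer above (a private bundle holding Git's CA certificates plus the downloaded one), as an added example that is not part of the original answers. It runs in Git Bash or any POSIX shell; the file names are hypothetical and the sample certificates are constructed placeholders. It refuses a file that was exported as DER instead of Base64 and skips the append when the certificate is already in the bundle.

```shell
#!/bin/sh
# Added example, not from the original answers. File names are hypothetical.

# pem_bodies FILE: print the Base64 body of every certificate in FILE, one per
# line, with CRs and whitespace removed so the same cert always compares equal.
pem_bodies() {
  tr -d '\r' < "$1" | awk '
    /^-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
    /^-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
    inside { gsub(/[ \t]/, ""); body = body $0 }'
}

# build_bundle GIT_BUNDLE NEW_CERT OUT
# Copies Git's bundle to OUT and appends NEW_CERT unless it is already there.
# Returns 2 if the bundle is unreadable, 3 if NEW_CERT is not Base64/PEM.
build_bundle() {
  [ -r "$1" ] || { echo "cannot read bundle: $1" >&2; return 2; }
  new_body=$(pem_bodies "$2" | head -n 1)
  [ -n "$new_body" ] || { echo "$2 has no PEM block (DER export?)" >&2; return 3; }
  tr -d '\r' < "$1" > "$3.tmp" || return 2
  if pem_bodies "$3.tmp" | grep -qxF -- "$new_body"; then
    echo "already trusted, bundle copied unchanged"
  else
    { echo; tr -d '\r' < "$2"; echo; } >> "$3.tmp"
    echo "certificate appended"
  fi
  mv "$3.tmp" "$3"
  echo "next: git config --global http.sslCAinfo \"$3\""
}

# Constructed sample data: the Base64 bodies are placeholders, not real certs.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVGR0g=' \
    '-----END CERTIFICATE-----' > "$d/ca-bundle.crt"
  printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q09SUFJPT1Q=' \
    '-----END CERTIFICATE-----' > "$d/corp-root.cer"   # CRLF, as saved on Windows
  build_bundle "$d/ca-bundle.crt" "$d/corp-root.cer" "$d/my-bundle.crt"
  build_bundle "$d/my-bundle.crt" "$d/corp-root.cer" "$d/my-bundle.crt"
  rm -rf "$d"
}
demo
```

Keeping the combined bundle outside the Git install directory means a Git update does not overwrite it, which is the disadvantage the answer notes for option 3.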
C
25

TortoiseGit is probably not using the same truststore as Chrome. I think Chrome uses the system store, Firefox uses its own. I have no idea what TortoiseGit uses.

On the client, if you set git config http.sslVerify false you may have more luck. You can also set this globally.

Corena answered 16/10, 2013 at 21:28 Comment(5)
Yeah I was hoping I could fix it on the server end rather than have everyone set their git configuration. – Inamorato
Not recommended, but this is how to set it globally: git config --global http.sslVerify false – Amorphism
Disabling SSL verification is EXTREMELY DANGEROUS. The whole point of SSL certificate verification is to protect your code from being tampered with when you're transmitting it over HTTPS. Disabling it means that malicious people can insert vulnerabilities and other nasty things into your code as you push and fetch it. Not recommended unless you're sure that Man in the Middle attacks are not a concern for you. – Patently
@GalBracha If I set http.sslVerify false, will the connection then be secure? And is it a good path to use? In between we are using a pfSense firewall. – Penchant
Yes, it works. You could first disable SSL verification ( git config --global http.sslVerify false ), after that run your normal git command and then enable SSL verification again ( git config --global http.sslVerify true ). – Gorski
A
5

Here is what worked for me. Create a folder C:\GitCerts. Then download the Base64 .cer file (follow the answer provided by MrTux) to this C:\GitCerts folder.

  • From command line run the following command: git config --global http.sslCAinfo "C:\GitCerts\MyCert.cer"
  • Open the MyCert.cer file in Notepad and leave it open
  • Open the Git ca-bundle.crt file in another Notepad. Mine was in the location C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt.
  • Verify the cert text in the MyCert.cer file is in the ca-bundle.crt file (it should be), if not just copy and paste all the text from MyCert.cer and append it at the bottom of the ca-bundle.crt file (make sure you leave all the other cert information in there).

-----BEGIN CERTIFICATE-----

your cert info here

-----END CERTIFICATE-----

  • If you had to modify the ca-bundle.crt file then save it (you may have to save it to your Desktop and then copy and paste it back in to overwrite the ca-bundle.crt file)
  • Finally, based on the path of your ca-bundle.crt file run the following command: git config --global http.sslcainfo "C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt"
Aishaaisle answered 7/4, 2016 at 20:41 Comment(2)
Since my answer was Windows environment based I want to share a bit more info. With Chrome 58 we had to re-generate our cert to have a Subject Alternative Name (SAN). The above approach no longer worked with this new cert. Git clones through Visual Studio would error "unable to get local issuer certificate". If you've trusted the certificate in your Windows certificate store (the one Chrome, Internet Explorer, and so on use) then why not tell Git to use this certificate store instead of the default openssl CA bundle? To do this run the command: git config --global http.sslBackend schannel – Aishaaisle
Check also C:\Users\username\AppData\Local\Programs\Git\mingw64\ssl\certs – Prohibit
E
2

I experienced this error using GitHub and it seemingly came out of nowhere. I had done plenty of work on GitHub before.

Kaspersky anti-virus was the culprit!!

When I turned off my anti-virus protection (and waited a couple of minutes) I was able to push / pull from my github repo.

My final solution was to locate a certificate from Kaspersky then add it to the Git for Windows trust store. The latter step is already detailed in the accepted answer, but for anyone else in a similar position I was able to locate the Kaspersky certificate by going to:

Settings > Additional > Network > Encrypted connections scanning - Advanced Settings > Install Certificate > Show Certificate > Details > Copy to File > Base-64 encoded X.509 (.cer)

Earwitness answered 29/9, 2018 at 19:30 Comment(0)
G
2

I found one more answer for this issue:

$ git config http.sslVerify false
Gaskins answered 30/1, 2019 at 8:2 Comment(3)
See the previous answer - this is dangerous and not recommended - it exposes you to attacks like man-in-the-middle. – Mourn
@yehonatanyehezkel - What can be the alternate way for this? – Gaskins
As a temporary solution maybe it's fine - but I think it is better to solve the certification problem from the base... and not take a risk in important projects. – Mourn
T
1

For those in corporates who get the self-signed certificate error, below is an alternative.

In corporates, the same git server, that is accessible over https protocol, usually will also be accessible over ssh protocol. So choose the ssh option of server url and clone the repository as

git clone user@server:project.git

Of course, the public key (id_rsa.pub) from your ~\.ssh folder will have to be added to the server. This way you don't have to add the https server certificate to your Windows certificate store or Mac keychain (example).

Twerp answered 27/12, 2014 at 12:11 Comment(0)
P
0

I had the same problem because my laptop died and the clock reset to its default settings. If that's the case for you, set your clock to the current date and time and the problem should be fixed.

If your clock is set properly, follow what other people are recommending.

Polygynous answered 9/9, 2020 at 2:37 Comment(0)
T
0

I've had a similar problem; the error was "certificate has expired". After realizing that Git uses its own CA store, I just updated Git and the problem was gone. P.S. BTW, recent Git for Windows can use the Windows certificate store, which can be more convenient in a corporate environment.

Thema answered 9/12, 2020 at 15:22 Comment(0)
P
0

If it was working previously and suddenly stopped working with an SSL error, then try restarting your system once. That worked for me.

Paraphernalia answered 29/12, 2020 at 11:20 Comment(0)
M
0

I got the same error as I'm connecting through an insecure network. Switching the network resolved my issue.

Misshape answered 20/2, 2021 at 6:54 Comment(0)
S
0

Executing the command below helped me to resolve this issue:

git config --global http.sslbackend schannel
Sklar answered 20/9, 2023 at 9:15 Comment(0)
