Reputation: 4425
I'm stuck behind a firewall, so I have to use HTTPS to access my GitHub repository. I'm using Cygwin 1.7.7 on Windows XP.
I've tried setting the remote to https://username@github.com/username/ExcelANT.git, but pushing prompts for a password, but it doesn't do anything once I've entered it.
https://username:<password>github.com/username/ExcelANT.git
and cloning the empty repository from scratch, but each time it gives me the same error:
error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs
Turning on GIT_CURL_VERBOSE=1 gives me
* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239...
* successfully set certificate verify locations:
* CAfile: none CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Expire cleared
* Closing connection #0
* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239...
* successfully set certificate verify locations:
* CAfile: none CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Expire cleared
* Closing connection #0
error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs
fatal: HTTP request failed
Is this a problem with my firewall, Cygwin or what?
I hadn't set the HTTP proxy in the Git configuration. However, it's an ISA server that needs NTLM authentication, not basic, so unless anyone knows how to force Git to use NTLM, I'm scuppered.
Upvotes: 409
Views: 704093
Reputation: 7559
I wanted Git to use the updated certificate bundle without replacing the one my entire system uses. Here's how to have Git use a specific file in my home directory:
mkdir ~/certs
curl https://curl.haxx.se/ca/cacert.pem -o ~/certs/cacert.pem
Now update .gitconfig to use this for peer verification:
[http]
sslCAinfo = /home/radium/certs/cacert.pem
Note I'm using an absolute path. Git does no path expansion here, so you can't use ~ without an ugly kludge. Alternatively, you can skip the config file and set the path via the environment variable GIT_SSL_CAINFO instead.
To troubleshoot this, set GIT_CURL_VERBOSE=1. The path of the CA file Git is using will be shown on lines starting with "CAfile:" in the output.
Upvotes: 114
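As an added example (not part of the answer above or of Git itself), this script reads a GIT_CURL_VERBOSE trace, reports which CAfile and CApath libcurl used, and counts what each store actually contains. The function names are made up for the example, and the embedded trace is the one quoted in the question.

```shell
#!/bin/sh
# Added example: read a GIT_CURL_VERBOSE trace and check whether the trust
# store it names can verify anything. Function names are hypothetical.

# Trace lines as quoted in the question, embedded so the script runs offline.
sample_trace() {
    cat <<'EOF'
* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239...
* successfully set certificate verify locations:
* CAfile: none CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
EOF
}

# stdin: trace. stdout: "cafile=<v> capath=<v> verify=<failed|no-error>".
# Assumes paths without spaces; accepts CAfile/CApath on one line or on two.
trust_summary() {
    awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "CAfile:") cafile = $(i + 1)
                if ($i == "CApath:") capath = $(i + 1)
            }
        }
        /certificate verify failed/ { failed = 1 }
        END {
            if (cafile == "") cafile = "unknown"
            if (capath == "") capath = "unknown"
            printf "cafile=%s capath=%s verify=%s\n", cafile, capath, (failed ? "failed" : "no-error")
        }'
}

# Number of PEM certificates in a bundle file (0 if missing or unreadable).
bundle_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Number of <8 hex digits>.<n> entries in a CApath directory. OpenSSL looks
# certificates up there by these hash names, which c_rehash creates.
capath_hashed() {
    ls -1 "$1" 2>/dev/null | grep -c -E '^[0-9a-f]{8}\.[0-9]+$' || true
}

sample_trace | trust_summary
```

A trace that shows `CAfile: none` together with a CApath for which `capath_hashed` prints 0 means there is nothing to verify the server certificate against.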
Reputation: 71
I've been having this same problem for Solaris Express 11. It took me a while, but I managed to find where the certificates needed to be placed. According to /etc/openssl/openssl.cnf, the path for certificates is /etc/openssl/certs. I placed the certificates generated using the previous advice from Alexey.
You can verify that things are working using OpenSSL on the command line:
openssl s_client -connect github.com:443
Upvotes: 7
Reputation: 5644
The problem is that you do not have any certificate authority (CA) certificates installed on your system. And these certificates cannot be installed with Cygwin's setup.exe.
Install Net/ca-certificates package in Cygwin (thanks dirkjot)
There are two solutions:
cacert.pem file is what you are looking for. This file contains more than 250 CA certificates (don't know how to trust this number of people). You need to download this file, split it into individual certificates, put them in /usr/ssl/certs (your CApath) and index them.
Here is how to do it. With Cygwin setup.exe install the curl and OpenSSL packages.
Execute:
$ cd /usr/ssl/certs
$ curl http://curl.haxx.se/ca/cacert.pem |
awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
$ c_rehash
Important: In order to use c_rehash you have to install the Cygwin package openssl-perl too.
Ignore SSL certificate verification.
WARNING: Disabling SSL certificate verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a man-in-the-middle attack. Be sure you fully understand the security issues and your threat model before using this as a solution.
env GIT_SSL_NO_VERIFY=true git clone https://github...
Upvotes: 534
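The split step from the answer above, as an added example rather than the poster's own command: this version writes only the BEGIN/END blocks, skips the comment lines between certificates, and closes each output file, since some awk implementations limit how many output files can be open at once. The function name split_bundle and the cert<n>.pem naming are choices made for the example; it works on a bundle that has already been downloaded, and c_rehash is still run on the output directory afterwards, as the answer describes.

```shell
#!/bin/sh
# Added example: split a PEM bundle into one file per certificate.
# split_bundle is a hypothetical helper name, not a tool shipped with OpenSSL.

# split_bundle <bundle> <outdir>
# Writes <outdir>/cert1.pem, cert2.pem, ... and prints how many were written.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        # A BEGIN line starts a new output file.
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = dir "/cert" n ".pem"
            inside = 1
        }
        # Only lines inside a BEGIN..END block are copied, so the names and
        # "====" underlines that the bundle puts between entries are dropped.
        inside { print > out }
        # An END line finishes the file; closing it keeps the number of open
        # files at one however many certificates the bundle holds.
        /^-----END CERTIFICATE-----/ {
            if (inside) close(out)
            inside = 0
        }
        END { print n + 0 }
    ' "$1"
}

# Stand-alone use: sh split.sh cacert.pem /usr/ssl/certs
if [ "$#" -eq 2 ]; then
    split_bundle "$1" "$2"
fi
```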
Reputation: 39
Try using command
git config --global http.sslverify false
This command will allow all the certificates from HTTP which are not secured, but use cautiously if using in a professional environment.
Upvotes: 3
Reputation: 1499
Generate the access token from GitHub and save it, as it will not appear again.
git -c http.sslVerify=false clone https://<username>:<token>@github.com/repo.git
or,
git config --global http.sslVerify false
git clone https://github.com/repo.git
Upvotes: 5
Reputation: 3151
I simply disabled the SSL certificate authentication and used the simple user name password login as shown below:
Upvotes: 1
Reputation: 14269
To clone on Windows while setting SSL verify to false:
git -c http.sslVerify=false clone http://example.com/e.git
If you want to clone without borfing your global settings.
Upvotes: 19
Reputation: 11
I tried everything, and eventually I looked in the hosts file and there was a random entry there for GitHub. Removing the alias fixed the problem.
%systemroot%\system32\drivers\etc\hosts
Upvotes: 1
Reputation: 517
Check your time.
I absolutely refused to make my Git operations insecure and after trying everything people mentioned here, it struck me that one possible cause why certificates fail to pass verification is that the dates are wrong (either the certificate expiry date, or the local clock).
You can check this easily by typing date in a terminal. In my case (a new Raspberry Pi), the local clock was set to 1970, so a simple ntpdate -u 0.ubuntu.pool.ntp.org fixed everything. For a Raspberry Pi, I would also recommend that you put the following script in a daily cron job (say /etc/cron.daily/ntpdate):
#!/bin/sh
/usr/sbin/ntpdate -u 0.ubuntu.pool.ntp.org 1> /dev/null 2>&1
Upvotes: 4
Reputation: 4377
If you used a Debian-based OS, you can simply run:
apt-get install ca-certificates
Upvotes: 5
Reputation: 678
For those using MSYS/MinGW Git, add this:
export GIT_SSL_CAINFO=/mingw32/ssl/certs/ca-bundle.crt
Upvotes: -3
Reputation: 16907
I recently (Jul 2014) had a similar issue and found on OS X (v10.9.4 (Mavericks)) that a "DigiCert High Assurance EV Root CA" certificate had expired (although I had another unexpired one as well).
I found two certificates named "DigiCert High Assurance EV Root CA", one expiring Nov 2031 and the expired one at July 2014 (a few days previously). Deleting the expired certificate resolved the issue for me.
Upvotes: -2
Reputation: 51
On a Raspberry Pi I had:
git clone http://github.com/andreafabrizi/Dropbox-Uploader.git
Output:
Cloning into 'Dropbox-Uploader'...
error: Problem with the SSL CA cert (path? access rights?) while accessing http:// github.com/andreafabrizi/Dropbox-Uploader.git/info/refs
fatal: HTTP request failed
So I did a
sudo apt-get install ca-certificates
And then
git clone http://github.com/andreafabrizi/Dropbox-Uploader.git
worked
Upvotes: 5
Reputation: 10240
On a Mac OS X 10.5 (Leopard) system, I was able to get this to work with a simple method. First, run the GitHub procedures and the test, which worked ok for me, showing that my certificate was actually ok.
ssh -T git@github.com
Then I finally noticed yet another URL format for remotes. I tried the others above, and they didn't work.
2.5 Git Basics - Working with Remotes
git@github.com:MyGithubUsername/MyRepoName.git
A simple "git push myRemoteName" worked great!
Upvotes: -2
Reputation: 331
I had the same issue.
Certificate import or command to unset SSL verification didn't work. It turns out to be an expired password for the network proxy. There was an entry of proxy configuration in the .gitconfig file present in my Windows user profile.
I just removed the whole entry, and it started working again.
Upvotes: -2
Reputation: 4860
Improve RouMao's solution by temporarily disabling Git/curl SSL verification in Windows cmd:
set GIT_SSL_NO_VERIFY=true
git config --global http.proxy http://<your-proxy>:443
The good thing about this solution is that it only takes effect in the current cmd window.
Upvotes: 3
Reputation: 11
I needed two things:
go to Cygwin setup and include the package 'ca-certificates' (it is under Net) (as indicated elsewhere).
Tell Git where to find the installed certificates:
GIT_SSL_CAINFO=/usr/ssl/certs/ca-bundle.crt GIT_CURL_VERBOSE=1 git ...
(Verbose option is not needed)
Or storing the option permanently:
git config --global http.sslCAinfo /usr/ssl/certs/ca-bundle.crt
git ...
Upvotes: 0
Reputation: 1709
If you're on Mac OS X, you can install the ca-cert-bundle via homebrew:
brew install curl-ca-bundle
git config --system http.sslcainfo /usr/local/share/ca-bundle.crt
The formula installs the cert bundle to your share via:
share.install 'ca-bundle.crt'
The share method is just an alias to /usr/local/share, and the curl-ca-bundle is provided by Mozilla. It's what you see being referenced in a lot of issues. Hope this helps as it's not very straightforward about how to approach this on Mac OS X. brew install curl isn't going to get you much either as it's keg only and will not be linked (running which curl will always output /usr/bin/curl, which is the default that ships with your OS). This post may also be of some value.
You'll of course need to disable SSL before you install homebrew since it's a git repo. Just do what curl says when it errors out during SSL verification and:
echo insecure >> ~/.curlrc
Once you get homebrew installed along with the curl-ca-bundle, delete .curlrc and try cloning a repo out on GitHub. Ensure that there are no errors and you'll be good to go.
NOTE: If you do resort to .curlrc, please remove it from your system the moment you're done testing. This file can cause major issues, so use it for temporary purposes and with caution. brew doctor will complain in case you forget to purge it from your system.
NOTE: If you update your version of git, you'll need to rerun this command since your system settings will be wiped out (they're stored relative to the Git binary based on version).
So after running:
brew update
brew upgrade
If you get a new version of Git, then just rerun:
git config --system http.sslcainfo /usr/local/share/ca-bundle.crt
And you'll be all set.
Lastly if you have a new version of Git, running:
git config -l --system
should give you an error along the lines of
fatal: unable to read config file '/usr/local/Cellar/git/1.8.2.2/etc/gitconfig'
That's your tip that you need to tell Git where the Mozilla ca-bundle is.
.curlrc may or may not be the remedy to your problem. In any case, just get the Mozilla ca-bundle installed on your machine whether you have to manually download it or not. That's what's important here. Once you get the ca-bundle, you're good to go. Just run the Git configuration command and point git to the ca-bundle.
export CURL_CA_BUNDLE=/usr/local/share/ca-bundle.crt
to my .zshenv dot file since I'm using zsh. The git config option worked for most cases, but when hitting GitHub over SSL (rvm get stable for example), I still ran into certificate issues. @Maverick pointed this out in his comment, but just in case someone misses it or assumes they don't necessarily need to export this environment variable in addition to running the git config --system.... command. Thanks and hope this helps.
It looks like the curl-ca-bundle was recently removed from homebrew. There is a recommendation here.
You will want to drop some files into:
$(brew --prefix)/etc/openssl/certs
Upvotes: 8
Reputation: 2466
On CentOS 5.x, a simple yum update openssl updated the OpenSSL package which updated the system ca-bundle.crt file and fixed the problem for me.
The same may be true for other distributions.
Upvotes: 15
Reputation: 3726
As the most popular answer (by Alexey Vishentsev) has it:
The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.
However, that last assertion is false (now, or always has been, I don't know).
All you have to do is go to Cygwin setup and include the package 'ca-certificates' (it is under Net). This did the trick for me.
Upvotes: 33
Reputation: 2217
I needed the certificates just for Cygwin and Git, so I did what @esquifit posted. However, I had to run step 5 manually, c_rehash was not available on my system.
I followed this guide: Installing CA Certificates into the OpenSSL framework instead.
Upvotes: 0
Reputation: 541
Note that for me to get this working (RVM install on CentOS 5.6), I had to run the following:
export GIT_SSL_NO_VERIFY=true
and after that, the standard install procedure for curling the RVM installer into Bash worked a treat :)
Upvotes: 42
Reputation: 141
If all you want to do is just to use the Cygwin Git client with github.com, there is a much simpler way without having to go through the hassle of downloading, extracting, converting, splitting certificate files. Proceed as follows (I'm assuming Windows XP with Cygwin and Firefox)
That's it.
Of course this only installs one certificate hierarchy, the one you need for GitHub. You can of course use this method with any other site without the need to install 200 certs of sites you don't (necessarily) trust.
Upvotes: 14
Reputation: 35331
Feel free to skip past this answer if you want to fix the certificates issue. This answer deals with tunneling SSH through the firewall which is IMHO a better solution to dealing with firewall/proxy thingies.
There is a better way than using HTTP access and that is to use the SSH service offered by GitHub on port 443 of the ssh.github.com server.
We use a tool called Corkscrew. This is available for both Cygwin (through setup from the Cygwin homepage) and Linux using your favorite packaging tool. For Mac OS X it is available from MacPorts and Homebrew (executable brew) at least.
The command line is as follows:
corkscrew <proxyhost> <proxyport> <targethost> <targetport> <authfile>
The proxyhost and proxyport are the coordinates of the HTTPS proxy. The targethost and targetport are the location of the host to tunnel to. The authfile is a text file with one line containing your proxy server username/password separated by a colon.
E.g.:
abc:very_secret
Installation for using "normal" ssh protocol for Git communication.
By adding this to the ~/.ssh/config this trick can be used for normal SSH connections.
Host github.com
HostName ssh.github.com
Port 443
User git
ProxyCommand corkscrew <proxyhost> <proxyport> %h %p ~/.ssh/proxy_auth
Now you can test it works by ssh-ing to gitproxy:
ssh github.com
Output:
PTY allocation request failed on channel 0
Hi ptillemans! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.
(Note: if you never logged into GitHub before, ssh will be asking to add the server key to the known hosts file. If you are paranoid, it is recommended to verify the RSA fingerprint to the one shown on the GitHub site where you uploaded your key).
A slight variant on this method is the case when you need to access a repository with another key, e.g., to separate your private account from your professional account.
# Account dedicated for the ACME private GitHub account
#
Host acme.github.com
User git
HostName ssh.github.com
Port 443
ProxyCommand corkscrew <proxyhost> <3128> %h %p ~/.ssh/proxy_auth
IdentityFile ~/.ssh/id_dsa_acme
Enjoy!
We've been using this for years now on both Linux, Macs and Windows.
If you want you can read more about it in this blog post.
Upvotes: 63
Reputation: 6534
You can try this command in the Terminal:
git config --global http.sslVerify false
Upvotes: 9
Reputation: 6784
Note: disabling SSL verification has security implications. It allows Man in the Middle attacks when you use Git to transfer data over a network. Be sure you fully understand the security implications before using this as a solution. Or better yet, install the root certificates.
One way is to disable the SSL CERT verification:
git config --global http.sslVerify false
This will prevent CURL from verifying the HTTPS certification.
For one repository only:
git config http.sslVerify false
Upvotes: 451
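Several answers on this page switch certificate verification off as a workaround. As an added example (not from any of the posts), this script lists the places where such a setting can linger: sslVerify in Git config files, an insecure line in ~/.curlrc, and the GIT_SSL_NO_VERIFY variable. The function names and the output format are assumptions of the example.

```shell
#!/bin/sh
# Added example: list settings that turn off TLS certificate verification for
# Git and curl, so a temporary workaround does not stay in place unnoticed.

# sslVerify set to a false value in an [http] or [http "<url>"] section of
# one Git config file. Assumes the usual one-key-per-line layout.
gitconfig_findings() {
    [ -r "$1" ] || return 0
    awk -v f="$1" '
        /^[ \t]*\[/ {
            in_http = (tolower($0) ~ /^[ \t]*\[http([ \t]+"[^"]*")?[ \t]*\]/)
            next
        }
        in_http {
            kv = tolower($0)
            gsub(/[ \t]/, "", kv)        # "sslVerify = false" -> "sslverify=false"
            sub(/[#;].*$/, "", kv)       # drop a trailing comment
            if (kv ~ /^sslverify=(false|no|off|0)$/)
                printf "%s:%d: http.sslVerify=false\n", f, NR
        }' "$1"
}

# "insecure", "--insecure" or "-k" lines in a curl config file such as ~/.curlrc.
curlrc_findings() {
    [ -r "$1" ] || return 0
    awk -v f="$1" '
        { opt = $0; gsub(/[ \t]/, "", opt) }
        opt ~ /^(-k|(--)?insecure)$/ { printf "%s:%d: insecure\n", f, NR }' "$1"
}

# Git disables verification when GIT_SSL_NO_VERIFY is set to any value,
# so the check is for presence, not for "true".
env_findings() {
    if [ "${GIT_SSL_NO_VERIFY+set}" = set ]; then
        echo "env: GIT_SSL_NO_VERIFY is set"
    fi
}

# audit_tls_verify <gitconfig>... : print every finding, one per line.
audit_tls_verify() {
    for cfg in "$@"; do
        gitconfig_findings "$cfg"
    done
    curlrc_findings "${HOME:-/nonexistent}/.curlrc"
    env_findings
}

audit_tls_verify "${HOME:-/nonexistent}/.gitconfig" .git/config
```

Pass any other config files Git reads on the machine (for example the system-wide one) as extra arguments; a one-off `git -c http.sslVerify=false` leaves no setting behind and is not reported.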
Reputation: 8515
I fixed this problem using apt-cyg (a great installer similar to apt-get) to easily download the ca-certificates (including Git and many more):
apt-cyg install ca-certificates
Note: apt-cyg should be first installed. You can do this from Windows command line:
cd c:\cygwin
setup.exe -q -P wget,tar,qawk,bzip2,subversion,vim
Close Windows cmd, and open Cygwin Bash:
wget rawgit.com/transcode-open/apt-cyg/master/apt-cyg
install apt-cyg /bin
Upvotes: 6
Reputation: 4599
A very simple solution: replace https:// with git://
Use git://the.repository instead of https://the.repository and will work.
I've had this problem on Windows with TortoiseGit and this solved it.
Upvotes: 41
Reputation: 21
I encountered the same problem to configure Git on a collaborative development platform that I have to manage.
To solve it:
I've updated the release of curl installed on the server. Download the last version on the website (Download page of curl) and follow the installation proceedings (Installation proceedings of curl).
Get back the certificate of the authority which delivers the certificate for the server.
Add this certificate to the CAcert file used by curl. On my server it is located in /etc/pki/tls/certs/ca-bundle.crt.
Configure git to use this certificate file by editing the .gitconfig file and set the sslcainfo path. sslcainfo= /etc/pki/tls/certs/ca-bundle.crt
On the client machine you must get the certificate and configure the .gitconfig file too.
I hope this will help some of you.
Upvotes: 2
Reputation: 41083
Try using a .netrc file, it will authenticate over https. Create a file called .netrc in your home directory and put this in it:
machine github.com login myusername password mypass
See this post for more info:
https://plus.google.com/u/0/104462765626035447305/posts/WbwD4zcm2fj
Upvotes: 3