Reputation: 1573
I have upgraded my IntelliJ IDEA 2019.2 recently and I am getting the following error if I try to pull using my IDE:
Git Pull Failed: unable to access 'https://github.xxx.com/app-Hello-USD/DGS.git/': SSL certificate problem: self signed certificate in certificate chain.
Could someone help me with what option I have to enable?
Upvotes: 111
Views: 392967
Reputation: 402235
NOTE: Please check the potential security implications here before running the following command
git config --global http.sslVerify false
Upvotes: 121
Reputation: 2364
This usually happens when your Git repository server is hosted inside a private network and uses a locally generated (self signed) TLS certificate. Because this certificate is not from a "trusted" source, most software will complain that the connection is not secure.
There are two ways to go about solving this. First is to disable SSL verification so you can clone the repository. Second is to add the self-signed certificate to Git as a trusted certificate.
The quickest and easiest way is to globally disable SSL verification on Git to clone the repository. But after cloning, you will immediately enable it again, otherwise Git won't verify certificate signatures for other repositories.
git config --global http.sslVerify false
git clone <your repo>
git config --global http.sslVerify true
cd <your repo>
git config --local http.sslVerify false
This is the easiest solution to implement, however you are skipping SSL verification for specific repositories, and Git will constantly show security warning messages:
warning: ----------------- SECURITY WARNING ----------------
warning: | TLS certificate verification has been disabled! |
warning: ---------------------------------------------------
warning: HTTPS connections may not be secure. See https://aka.ms/gcmcore-tlsverify for more information.
If the self-signed certificate has been imported to the Windows certificate store, you can simply execute these commands:
git config --global http.sslbackend schannel
git config --global credential.helper manager
They will tell Git to read the certificates from the Windows certificate store and have Windows Credential Manager prompt you for the credentials.
If this doesn't work (it never worked for me for some reason), you can add the self-signed certificate to the OpenSSL certificate bundle.
An advanced approach would be to add the self-signed certificate to Git's trusted certificates bundle.
Obtain the self-signed certificate:
openssl s_client -connect repo.domain.com:443
Copy everything between (including)
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Go to C:\Users\<user>\AppData\Local\Programs\Git\usr\ssl\certs, open the ca-bundle.crt file in your favorite editor and paste the certificate at the bottom:
# My Company Certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Configure Git to use openssl as a certificate provider:
git config --global http.sslbackend openssl
and set the path to the certificate bundle:
git config --global http.sslcainfo C:\Users\<user>\AppData\Local\Programs\Git\usr\ssl\certs\ca-bundle.crt
Clone your repository:
git clone <your repo>
This is the optimal solution because we're getting the benefits of SSL verification and those obnoxious security warning messages won't be shown anymore.
However, it's likely your Git credentials will be kept inside the ~/.git-credentials file, where they're stored in plain text, which is not good for security. On Windows you can use the Credential Manager to securely store your Git credentials, and I'm sure there's an alternative for Git credential management on Linux (but on Linux you should really use SSH authentication).
Fun fact! After entering your Git remote credentials into the Windows Credential Manager prompt, you can actually switch the certificate source to OpenSSL while having Windows manage your Git credentials:
git config --global http.sslbackend openssl
This is much better than keeping your credentials in the .git-credentials file where your password is visible in plain text.
Keep in mind, you should only ever do this if the Windows Certificate Store doesn't work for you.
If you're getting this error when setting a property value:
warning: http.sslverify has multiple values
error: cannot overwrite multiple values with a single value
Use a regexp, --add or --replace-all to change http.sslVerify.
Open your .gitconfig file and remove duplicate http.sslverify lines or for whichever property it's complaining about.
Upvotes: 62
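The certificate-bundle procedure from the answer above, as an added example that is not part of the original answer. It goes one step further than the answer: the CA is kept in its own file, its fingerprint is checked before it is trusted, and the trust is scoped to one host with a URL-specific `http.<url>.sslCAInfo` key instead of editing ca-bundle.crt. The function names, the sample output and the out-of-band fingerprint are assumptions.

```shell
# Print the LAST certificate block from `openssl s_client -showcerts` output on stdin.
# For the "self signed certificate in certificate chain" error this is usually the
# self-signed CA at the top of the chain (leaf comes first, issuers follow).
extract_last_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; in_cert = 1 }
        in_cert                       { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { last = buf; in_cert = 0 }
        END                           { printf "%s", last }
    '
}

# Trust that CA for ONE host only, after comparing its SHA-256 fingerprint with a
# value obtained out of band (assumption: the server's operators can provide it,
# in the uppercase colon-separated form that openssl prints).
# usage: trust_ca_for_host <host> <expected_fp> <ca_file>   (hypothetical helper)
trust_ca_for_host() {
    host=$1; expected=$2; ca_file=$3
    openssl s_client -showcerts -connect "$host:443" -servername "$host" \
        </dev/null 2>/dev/null | extract_last_cert > "$ca_file.tmp"
    [ -s "$ca_file.tmp" ] || { echo "no certificate received from $host" >&2; return 1; }
    actual=$(openssl x509 -in "$ca_file.tmp" -noout -fingerprint -sha256) \
        || { rm -f "$ca_file.tmp"; return 1; }
    actual=${actual#*=}    # strip the "... Fingerprint=" prefix
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $host: got $actual" >&2
        rm -f "$ca_file.tmp"
        return 1
    fi
    mv "$ca_file.tmp" "$ca_file"
    # A URL-scoped key leaves certificate verification for every other host untouched.
    git config --global "http.https://$host/.sslCAInfo" "$ca_file"
}

# Constructed sample of s_client -showcerts output; the bodies are placeholders,
# not real certificates.
SAMPLE_OUTPUT='CONNECTED(00000003)
 0 s:CN = repo.domain.com
-----BEGIN CERTIFICATE-----
(constructed leaf body)
-----END CERTIFICATE-----
 1 s:CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
(constructed root body)
-----END CERTIFICATE-----
---
Server certificate'
```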
Reputation: 41
It seemed like GIT was not configured by default to use the certificates in my Windows Trust Store. It worked for me by doing the following:
git config --global http.sslbackend schannel
Upvotes: 3
Reputation: 428
This can be fixed by disabling SSL checking in the git config for the affected repositories. This should not require elevated privileges to complete.
git config http.sslVerify "false"
This command does not require use of the --global argument.
Upvotes: 0
Reputation: 1421
We can use the Windows certificate storage mechanism.
Please try this
git config --global http.sslbackend schannel
Upvotes: 142
Reputation: 6736
For github.com you may change protocol from HTTPS to SSH:
open .git/config
fix url in [remote "origin"] block
old: url = https://github.com/myname/proj1
new: url = git@github.com:myname/proj1.git
Upvotes: 4
Reputation: 259
If you are connected to a VPN, please try without the VPN. I got this error because of this issue.
Upvotes: 5
Reputation: 4845
If you want to add the self-signed cert, export the cert you want as a Base-64 encoded .CER file. Locate your Git cert.pem file (for me it is in C:\Program Files\Git\usr\ssl\cert.pem). Open up your .CER file in a text-editor, and copy/paste the contents at the end of your cert.pem file. Save the file. Then open up your console and type
git config --global http.sslCAInfo "C:\Program Files\Git\usr\ssl\cert.pem"
Upvotes: 10