Adding additional SSL certificate to be recognized in Cygwin
I have a server setup that has an HTTPS certificate issued by a major certificate provider (DigiCert). The certificate is recognized by all of the browsers on a machine running Windows Server 2008 R2, including Internet Explorer, Chrome, and Firefox.
However, the certificate is not recognized within Cygwin. For example, I get this error when I try to clone a git URL from this server:
error: SSL certificate problem: unable to get local issuer certificate while accessing [URL]
fatal: HTTP request failed
Other tools within Cygwin I have tried give the same error, such as curl:
curl: (60) SSL certificate problem: unable to get local issuer certificate
Digicert has the exact certificate I need. My ideal solutions would be to either update the bundle of certificates that Cygwin uses or to manually install the needed certificate. It seems like Cygwin has a separate certificate store from Windows. How can I do this?
Note: I do not want to simply ignore the error, as many users use this machine and will need to access the same server, so it would not make sense to ignore each time.
Since your git
-command is using Curl internally, try curl --verbose https://the-repo-URL
to see what happens.
Expected result is the same error you reported: "SSL certificate problem: unable to get local issuer certificate". Also in the verbose output there should be something like:
* successfully set certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
The error and above output translates as: The X.509 certificate your repository is using is either self-signed and not trusted by Curl or is issued by a Certificate Authority not trusted by Curl. The places we looked for a trust-anchor included /etc/pki/tls/certs/ca-bundle.crt
, but we failed to find anything applicable.
To fix this:
- (this is the tricky part) Get the self-signed certificate, or the issuing CA root certificate
- Store the X.509 certificate in PEM-format to directory
/etc/pki/ca-trust/source/anchors
- Run command
update-ca-trust
. Do this with Administrator-permissions. Also note, that this command doesn't output anything. - Done! Test.
Update
The above stands valid, but there is an easier way to do exactly the above. Run this single command:
trust anchor --store [the certificate PEM-file]
Done! Test.