Adding additional SSL certificate to be recognized in Cygwin

certificate ssl windows-server-2008-r2 cygwin windows-server

I have a server setup that has an HTTPS certificate issued by a major certificate provider (DigiCert). The certificate is recognized by all of the browsers on a machine running Windows Server 2008 R2, including Internet Explorer, Chrome, and Firefox.

However, the certificate is not recognized within Cygwin. For example, I get this error when I try to clone a git URL from this server:

error: SSL certificate problem: unable to get local issuer certificate while accessing [URL] fatal: HTTP request failed

Other tools within Cygwin I have tried give the same error, such as curl:

curl: (60) SSL certificate problem: unable to get local issuer certificate

Digicert has the exact certificate I need. My ideal solutions would be to either update the bundle of certificates that Cygwin uses or to manually install the needed certificate. It seems like Cygwin has a separate certificate store from Windows. How can I do this?

Note: I do not want to simply ignore the error, as many users use this machine and will need to access the same server, so it would not make sense to ignore each time.


Since your git-command is using Curl internally, try curl --verbose https://the-repo-URL to see what happens.

Expected result is the same error you reported: "SSL certificate problem: unable to get local issuer certificate". Also in the verbose output there should be something like: * successfully set certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none

The error and above output translates as: The X.509 certificate your repository is using is either self-signed and not trusted by Curl or is issued by a Certificate Authority not trusted by Curl. The places we looked for a trust-anchor included /etc/pki/tls/certs/ca-bundle.crt, but we failed to find anything applicable.

To fix this:

  1. (this is the tricky part) Get the self-signed certificate, or the issuing CA root certificate
  2. Store the X.509 certificate in PEM-format to directory /etc/pki/ca-trust/source/anchors
  3. Run command update-ca-trust. Do this with Administrator-permissions. Also note, that this command doesn't output anything.
  4. Done! Test.

Update

The above stands valid, but there is an easier way to do exactly the above. Run this single command:

trust anchor --store [the certificate PEM-file]

Done! Test.

Related

E: Unable to locate package libcr-dev
Re-initialise GRUB for non-bootable UEFI zfs 16.04 installation
How do I contact the UFW developers to make a feature request? [duplicate]
How to disable tracker on ubuntu 20.04?
GeForce GT 710: Drivers installing forever [duplicate]
Want KVM/QEMU version 5 for Ubuntu 20.04
Copying debian directory from another branch to build in Launchpad
How do I make the SSD accessible to the Ubuntu installer on a Samsung Galaxy Book S (Intel Lakefield)?
How do I programmatically detect that my launchpad build process is done?
How can I turn on wifi and hotspot simultaneously in Ubuntu 20.04?
Can I Import an existing OpenPGP key into Ubuntu for use as my Personal key?
Has there been any malicious PPA so far?