SSL certificate rejected trying to access GitHub over HTTPS behind firewall
I'm stuck behind a firewall so have to use HTTPS to access my GitHub repository. I'm using cygwin 1.7.7 on Windows XP.
I've tried setting the remote to https://[email protected]/username/ExcelANT.git
, but pushing prompts for a password, but doesn't do anything once I've entered it.
https://username:<password>github.com/username/ExcelANT.git
and cloning the empty repo from scratch but each time it gives me the same error
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs
Turning on GIT_CURL_VERBOSE=1
gives me
* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239... * successfully set certificate verify locations:
* CAfile: none
CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Expire cleared
* Closing connection #0
* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239... * successfully set certificate verify locations:
* CAfile: none
CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Expire cleared
* Closing connection #0
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs
fatal: HTTP request failed
Is this a problem with my firewall, cygwin or what?
I hadn't set the HTTP proxy in the Git config, however it's an ISA server that needs NTLM authentication, not basic, so unless anyone knows how to force git to use NTLM, I'm scuppered.
Solution 1:
The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.
Update: Install Net/ca-certificates package in cygwin (thanks dirkjot)
There are two solutions:
- Actually install root certificates. Curl guys extracted for you certificates from Mozilla.
cacert.pem
file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it to individual certificates put them to /usr/ssl/certs (your CApath) and index them.
Here is how to do it. With cygwin setup.exe install curl and openssl packages execute:
<!-- language: lang-bash -->
$ cd /usr/ssl/certs
$ curl http://curl.haxx.se/ca/cacert.pem |
awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
$ c_rehash
Important: In order to use c_rehash
you have to install openssl-perl
too.
-
Ignore SSL certificate verification.
WARNING: Disabling SSL certificate verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues and your threat model before using this as a solution.
$ env GIT_SSL_NO_VERIFY=true git clone https://github...
Solution 2:
Note: disabling SSL verification has security implications. It allows Man in the Middle attacks when you use Git to transfer data over a network. Be sure you fully understand the security implications before using this as a solution. Or better yet, install the root certificates.
One way is to disable the SSL CERT verification:
git config --global http.sslVerify false
This will prevent CURL to verity the HTTPS certification.
For one repository only:
git config http.sslVerify false
Solution 3:
I wanted Git to use the updated certificate bundle without replacing the one my entire system uses. Here's how to have Git use a specific file in my home directory:
mkdir ~/certs
curl https://curl.haxx.se/ca/cacert.pem -o ~/certs/cacert.pem
Now update .gitconfig
to use this for peer verification:
[http]
sslCAinfo = /home/radium/certs/cacert.pem
Note I'm using an absolute path. Git does no path expansion here, so you can't use ~
without an ugly kludge. Alternatively, you can skip the config file and set the path via the environment variable GIT_SSL_CAINFO
instead.
To troubleshoot this, set GIT_CURL_VERBOSE=1
. The path of the CA file Git is using will be shown on lines starting with "CAfile:" in the output.
Edited to change from http to https.