ChatGPT解决这个技术问题 Extra ChatGPT

SSL certificate rejected trying to access GitHub over HTTPS behind firewall

I'm stuck behind a firewall so have to use HTTPS to access my GitHub repository. I'm using cygwin 1.7.7 on Windows XP.

I've tried setting the remote to https://username@github.com/username/ExcelANT.git, but pushing prompts for a password, but doesn't do anything once I've entered it. https://username:<password>github.com/username/ExcelANT.git and cloning the empty repo from scratch but each time it gives me the same error

error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs

Turning on GIT_CURL_VERBOSE=1 gives me

* About to connect() to github.com port 443 (#0) * Trying 207.97.227.239... * successfully set certificate verify locations: * CAfile: none CApath: /usr/ssl/certs * SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed * Expire cleared * Closing connection #0 * About to connect() to github.com port 443 (#0) * Trying 207.97.227.239... * successfully set certificate verify locations: * CAfile: none CApath: /usr/ssl/certs * SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed * Expire cleared * Closing connection #0 error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs

fatal: HTTP request failed

Is this a problem with my firewall, cygwin or what?

I hadn't set the HTTP proxy in the Git config, however it's an ISA server that needs NTLM authentication, not basic, so unless anyone knows how to force git to use NTLM, I'm scuppered.

If i set http.sslVerify false then connection will secure? and it is good path to use ? In between we are using pfsense firewall. right now, .gitconfig file on user profile is blank.

D
Daniel Stenberg

The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.

Update: Install Net/ca-certificates package in cygwin (thanks dirkjot)

There are two solutions:

Actually install root certificates. Curl guys extracted for you certificates from Mozilla.

cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it to individual certificates put them to /usr/ssl/certs (your CApath) and index them.

Here is how to do it. With cygwin setup.exe install curl and openssl packages execute:

<!-- language: lang-bash -->

    $ cd /usr/ssl/certs
    $ curl http://curl.haxx.se/ca/cacert.pem |
      awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
    $ c_rehash

Important: In order to use c_rehash you have to install openssl-perl too.

Ignore SSL certificate verification. WARNING: Disabling SSL certificate verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues and your threat model before using this as a solution. $ env GIT_SSL_NO_VERIFY=true git clone https://github...


You don't need to install curl, just use wget: wget -O - http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_a fter=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'
I know this is cygwin, but in case anyone gets here using Centos, it's /etc/pki/tls/certs where the .pem's should go.
This answer is wrong. Just install the cygwin ca-certificates package to get the missing root certificates. Why did this answer get so many ups?
It worked for me. Before running c_rehash, yum install openssl-perl was needed (in centos)
Don't turn off SSL certificate verification. This happens all too often in tools and application code throughout industry. It opens you up to a man in the middle attack. If you're going to use SSL then use it properly.
B
Braiam

Note: disabling SSL verification has security implications. It allows Man in the Middle attacks when you use Git to transfer data over a network. Be sure you fully understand the security implications before using this as a solution. Or better yet, install the root certificates.

One way is to disable the SSL CERT verification:

git config --global http.sslVerify false

This will prevent CURL to verity the HTTPS certification.

For one repository only:

git config http.sslVerify false

If you don't want to edit your global settings (e.g. all repos), exclude --global
could you please add a note about how extremely dangerous this is?
this is a terrible idea. there is a reason that certificates should be verified. if you don't verify the certificate as trusted then the certificate could be generated by anyone and you could be susceptible to a man in the middle attack.
Don't turn off SSL verification !
For all "do not do it" people: Sure this is not the most secure approach at all. BUT, it is far better option that not to have SSL at all! Because some people run just their private simple git servers at it is fine for them. Sure, for any real security it is NO GO setting. The most insecure thing is sending the plain bytes thru the network.
l
lobi

I wanted Git to use the updated certificate bundle without replacing the one my entire system uses. Here's how to have Git use a specific file in my home directory:

mkdir ~/certs
curl https://curl.haxx.se/ca/cacert.pem -o ~/certs/cacert.pem

Now update .gitconfig to use this for peer verification:

[http]
sslCAinfo = /home/radium/certs/cacert.pem

Note I'm using an absolute path. Git does no path expansion here, so you can't use ~ without an ugly kludge. Alternatively, you can skip the config file and set the path via the environment variable GIT_SSL_CAINFO instead.

To troubleshoot this, set GIT_CURL_VERBOSE=1. The path of the CA file Git is using will be shown on lines starting with "CAfile:" in the output.

Edited to change from http to https.


For me, this is the best answer: it works on unix (NetBSD actually), it affects only git and not anything else on the system, and it doesn't require root/Administrator access. Thanks!
Perfect, one can even do better. I have replaced my old /etc/ssl/certs/ca-certificates.crt on my Ubuntu 8.04 LTS with this file and it magically worked!
@Eric thanks for mentioning NetBSD as it meant I found this answer. NetBSD is a bit odd. I installed the OpenSSL package, but even that doesn't get you the certs, just a placeholder directory.
+200 More awesome, it also worked on my Ubuntu box. No need to disable certificate checking in git, just do this quick fix.
Excellent answer, you can skip hand-editing the ~/.gitconfig file with the following command: git config --global http.sslCAinfo "$HOME/certs/cacert.pem"
y
yourcomputergenius

Feel free to skip past this answer if you want to fix the certificates issue. This answer deals with tunneling ssh through the firewall which is IMHO a better solution to dealing with firewall/proxy thingies.

There is a better way than using http access and that is to use the ssh service offered by github on port 443 of the ssh.github.com server.

We use a tool called corkscrew. This is available for both CygWin (through setup from the cygwin homepage) and Linux using your favorite packaging tool. For MacOSX it is available from macports and brew at least.

The commandline is as follows :

$ corkscrew <proxyhost> <proxyport> <targethost> <targetport> <authfile>

The proxyhost and proxyport are the coordinates of the https proxy. The targethost and targetport is the location of the host to tunnel to. The authfile is a textfile with 1 line containing your proxy server username/password separated by a colon

e.g:

abc:very_secret

Installation for using "normal" ssh protocol for git communication

By adding this to the ~/.ssh/config this trick can be used for normal ssh connections.

Host github.com
  HostName ssh.github.com
  Port 443
  User git
  ProxyCommand corkscrew <proxyhost> <proxyport> %h %p ~/.ssh/proxy_auth

now you can test it works by ssh-ing to gitproxy

pti@pti-laptop:~$ ssh github.com
PTY allocation request failed on channel 0
Hi ptillemans! You've successfully authenticated, but GitHub does not provide shell access.
       Connection to github.com closed.
pti@pti-laptop:~$

(Note: if you never logged in to github before, ssh will be asking to add the server key to the known hosts file. If you are paranoid, it is recommended to verify the RSA fingerprint to the one shown on the github site where you uploaded your key).

A slight variant on this method is the case when you need to access a repository with another key, e.g. to separate your private account from your professional account.

# 
# account dedicated for the ACME private github account 
#
Host acme.github.com
  User git
  HostName ssh.github.com
  Port 443
  ProxyCommand corkscrew <proxyhost> <3128> %h %p ~/.ssh/proxy_auth
  IdentityFile ~/.ssh/id_dsa_acme

enjoy!

We've been using this for years now on both Linux, Macs and Windows.

If you want you can read more about it in this blog post


I gave up on getting this working, but had another look at it, and got it working. changing .ssh/config to >Host ssh.github.com >User oharab >Hostname ssh.github.com >Port 443 >PreferredAuthentications publickey >IdentityFile ~/.ssh/id_rsa and cloning using git clone git@ssh.github.com:oharab/log4vba.git got it up and running in no time.
I'm only downvoting because the answer below is more helpful but unfortunately stackoverflow always puts the accepted answer top, even if it was only an answer for a single circumstance.
In any case I updated the answer since I find that SSL tunneling through https proxy is still a better solution than fiddling with HTTPS certificates or disabling them and ending up with a solution which is still less performant, user friendly AND less secure. Well, plenty of upvotes prove me wrong but I stick to my opinion in this matter anyway.
s
seanp2k

Note that for me to get this working (RVM install on CentOS 5.6), I had to run the following:

export GIT_SSL_NO_VERIFY=true

and after that, the standard install procedure for curling the RVM installer into bash worked a treat :)


same effect as git config --global http.sslverify false
This is EXTREMELY DANGEROUS! The whole point of SSL certificate verification is to protect your code from being tampered with when you're transmitting it over HTTPS! Disabling it means that malicious people can insert vulnerabilities and other nasty things into your code as you push and fetch it!
If i set http.sslVerify false then connection will secure? and it is good path to use ? In between we are using pfsense firewall
@Ravi the connection will technically work, yes, but it is unequivocally not a good idea. If both your git origin and the local machine are internal and under your organization's control, it might be passable, but as per user456814's comment, disabling verification opens you up to MITM attacks.
k
klodoma

A very simple solution: replace https:// with git://

Use git://the.repository instead of https://the.repository and will work.

I've had this problem on Windows with TortoiseGit and this solved it.


I guess this works because it doesn't verify ssl for git://. As stated out in this answer above, disabling ssl verification is a security risk.
@danijar the reason why this works is because it doesn't even use SSL at all. The git:// protocol uses SSH, which uses SSH public and private key pairs for authentication and encryption, instead of an SSL certificate.
@Cupcake git:// does not use SSH. See The SSH Protocol and The Git Protocol.
@nyuszika7h oh, you're right. I keep getting git:// confused with git@github.com:user/project.git, which is SCP-ish syntax.
thanks! this works for me, using msys2 git with tinywall firewall.
d
dirkjot

As the most popular answer (by Alexey Vishentsev) has it:

The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.

However, that last assertion is false (now, or always has been, I don't know).

All you have to do is go to cygwin setup and include the package 'ca-certificates' (it is under Net). This did the trick for me.


cygwin git error shows CAfile: /etc/ssl/ca-bundle.crt whereas cygwin ca-certificates package installs /usr/ssl/certs/ca-bundle.crt. Therefore, had to edit ~/.gitconfig to specify the location: [http] then sslCAinfo = /usr/ssl/certs/ca-bundle.crt
@maxpolk: I would have made a link but the effect is the same. This is clearly a bug in cygwin git, have you considered raising a ticket? sudo ln -s /usr/ssl/certs/ca-bundle.crt /etc/ssl/
As of today 2013-5-23, cygwin git works fine over https: if you also happen to have/remember to install cygwin's ca-certificates.
I got here from this question, which indicated that an answer can be found here. However, neither the linked answer nor this answer work for me; TortoiseSVN keeps outputting error: SSL certificate problem, verify that the CA cert is OK.
Where exactly do we install the cygwin installation files from the package manager? Do the ca-certificates need to be within the bin folder of Git?
F
FlavorScape

To clone on windows while setting SSL verify to false:

    git -c http.sslVerify=false clone http://example.com/e.git

If you want to clone without borfing your global settings.


A
Anne

I know the original question lists Cygwin, but here is the solution for CentOS:

curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

Source: http://eric.lubow.org/2011/security/fixing-centos-root-certificate-authority-issues/


This worked great for me; you should probably make a backup of the original first, though, as the OP suggests. It seems like this happens when Github renews their cert, if you are on a system that has an older one.
On CentOS 5 I fixed it by yum update openssl, which also updates the ca-bundle.
if you are going to follow this option, then you should verify the SHA-256 hash of the file before using it. You can obtain the sha256sum for the current file by some other means than the curl you're setting up (like a browser on a different machine that's already set up securely) and then compare it against the output of sha256sum /etc/pki/tls/certs/ca-bundle.crt to be sure you got the right file.
M
Mrchief

On CentOS 5.x, a simple yum update openssl updated the openssl package which updated the system ca-bundle.crt file and fixed the problem for me.

The same may be true for other distributions.


yum! This worked for me for an old install (4.1.2) of Red Hat linux. Thanks!
D
DotJava

If all you want to do is just to use the Cygwin git client with github.com, there is a much simpler way without having to go through the hassle of downloading, extracting, converting, splitting cert files. Proceed as follows (I'm assuming Windows XP with Cygwin and Firefox)

In Firefox, go to the github page (any) click on the github icon on the address bar to display the certificate Click through "more information" -> "display certificate" --> "details" and select each node in the hierarchy beginning with the uppermost one; for each of them click on "Export" and select the PEM format: GTECyberTrustGlobalRoot.pem DigiCertHighAssuranceEVRootCA.pem DigiCertHighAssuranceEVCA-1.pem github.com.pem Save the above files somewhere in your local drive, change the extension to .pem and move them to /usr/ssl/certs in your Cygwin installation (Windows: c:\cygwin\ssl\certs ) (optional) Run c_reshash from the bash.

That's it.

Of course this only installs one cert hierarchy, the one you need for github. You can of course use this method with any other site without the need to install 200 certs of sites you don't (necessarily) trust.


r
reza_khalafi

You can try this command in the Terminal:

git config --global http.sslVerify false


C
Community

If you're on Mac OS X, you can install the ca-cert-bundle via homebrew:

$ brew install curl-ca-bundle
$ git config --system http.sslcainfo /usr/local/share/ca-bundle.crt

The formula installs the cert bundle to your share via:

share.install 'ca-bundle.crt'

The share method is just an alias to /usr/local/share, and the curl-ca-bundle is provided by Mozilla. It's what you see being referenced in a lot of issues. Hope this helps as it's not very straightforward about how to approach this on Mac OS X. brew install curl isn't going to get you much either as it's keg only and will not be linked (running which curl will always output /usr/bin/curl, which is the default that ships with your OS). This post may also be of some value.

You'll of course need to disable SSL before you install homebrew since it's a git repo. Just do what curl says when it errors out during SSL verification and:

$ echo insecure >> ~/.curlrc

Once you get homebrew installed along with the curl-ca-bundle, delete .curlrc and try cloning a repo out on github. Ensure that there are no errors and you'll be good to go.

NOTE: If you do resort to .curlrc, please remove it from your system the moment you're done testing. This file can cause major issues, so use it for temporary purposes and with caution. brew doctor will complain in case you forget to purge it from your system).

NOTE: If you update your version of git, you'll need to rerun this command since your system settings will be wiped out (they're stored relative to the git binary based on version).

So after running:

$ brew update
$ brew upgrade

If you get a new version of git, then just rerun:

$ git config --system http.sslcainfo /usr/local/share/ca-bundle.crt

And you'll be all set.

Lastly if you have a new version of git, running:

$ git config -l --system

should give you an error along the lines of

fatal: unable to read config file '/usr/local/Cellar/git/1.8.2.2/etc/gitconfig'

that's your tip that you need to tell git where the Mozilla ca-bundle is.

UPDATE:

.curlrc may or may not be the remedy to your problem. In any case, just get the Mozilla ca-bundle installed on your machine whether you have to manually download it or not. That's what's important here. Once you get the ca-bundle, you're good to go. Just run the git config command and point git to the the ca-bundle.

UPDATE

I recently had to add:

export CURL_CA_BUNDLE=/usr/local/share/ca-bundle.crt to my .zshenv dot file since I'm using zsh. the git config option worked for most cases, but when hitting github over SSL (rvm get stable for example), I still ran into certificate issues. @Maverick pointed this out in his comment, but just in case someone misses it or assumes they don't necessarily need to export this environment variable in addition to running the git config --system.... command. Thanks and hope this helps.

UPDATE

It looks like the curl-ca-bundle was recently removed from homebrew. There is a recommendation here.

You will want to drop some files into:

$(brew --prefix)/etc/openssl/certs


You can also try the following: export CURL_CA_BUNDLE=/usr/local/share/ca-bundle.crt
Hi, I am having a similar issue (stackoverflow.com/questions/20939105/…) and the same issue appears when I try to install home-brew. What can I do in this case? Typing "git config --system http.sslcainfo /usr/local/share/ca-bundle.crt" in my console returns "error: could not lock config file /Applications/Xcode.app/Contents/Developer/usr/etc/gitconfig: No such file or directory". Thank you for your help!
@Mathieu that's pretty strange. Seems like your system is pointing to a version of git relative to XCode. What is the output of running 'which git' from your terminal?
s
svassr

I've been having this same problem for Solaris Express 11. It took me a while but I managed to find where the certificates needed to be placed. According to /etc/openssl/openssl.cnf, the path for certificates is /etc/openssl/certs. I placed the certificates generated using the above advice from Alexey.

You can verify that things are working using openssl on the commandline:

openssl s_client -connect github.com:443

Z
Zombo

I fixed this problem using apt-cyg (a great installer similar to apt-get) to easily download the ca-certificates (including Git and many more):

apt-cyg install ca-certificates

Note: apt-cyg should be first installed. You can do this from Windows command line:

cd c:\cygwin
setup.exe -q -P wget,tar,qawk,bzip2,subversion,vim

Close Windows cmd, and open Cygwin Bash:

wget rawgit.com/transcode-open/apt-cyg/master/apt-cyg
install apt-cyg /bin

This didn't work for me - I still get the same error.
P
Patrick

If you used debian-based OS, you can simply run

apt-get install ca-certificates


D
Dry_accountant_09

Generate the access token from Github and save it, as it will not appear again.

git -c http.sslVerify=false clone https://<username>:<token>@github.com/repo.git

or,

git config --global http.sslVerify false
git clone https://github.com/repo.git

P
Parimal Raj

on a rasbery pi i had

pi@raspbmc:~$ git clone http: //github.com/andreafabrizi/Dropbox-Uploader .git Cloning into 'Dropbox-Uploader'... error: Problem with the SSL CA cert (path? access rights?) while accessing http:// github.com/andreafabrizi/Dropbox-Uploader.git/info/refs fatal: HTTP request failed

so id a

sudo apt-get install ca-certificates

then

git clone http://github.com/andreafabrizi/Dropbox-Uploader.git  

worked


T
Travis Reeder

Try using a .netrc file, it will authenticate over https. Create a file call .netrc in your home directory and put this in it:

machine github.com login myusername password mypass

See this post for more info:

https://plus.google.com/u/0/104462765626035447305/posts/WbwD4zcm2fj


This is a certificate validation issue, not an authentication issue -- some operating systems (including the one the OP runs) don't have the CA issuing github's new certificate included in the stock list.
M
Marshal

Improve RouMao's solution by temporarily disabling GIT/curl ssl verification in Windows cmd:

set GIT_SSL_NO_VERIFY=true
git config --global http.proxy http://<your-proxy>:443

The good thing about this solution is that it only takes effect in the current cmd window.


This is EXTREMELY DANGEROUS! The whole point of SSL certificate verification is to protect your code from being tampered with when you're transmitting it over HTTPS! Disabling it means that malicious people can insert vulnerabilities and other nasty things into your code as you push and fetch it!
D
Deiu

Have you checked your time?

I absolutely refused to make my git operations insecure and after trying everything people mentioned here, it struck me that one possible cause why certificates fail to pass verification is that the dates are wrong (either the certificate expiry date, or the local clock).

You can check this easily by typing date in a terminal. In my case (a new raspberry Pi), the local clock was set to 1970, so a simple ntpdate -u 0.ubuntu.pool.ntp.org fixed everything. For a rPi, I would also recommend that you put the following script in a daily cron job (say /etc/cron.daily/ntpdate):

#!/bin/sh
/usr/sbin/ntpdate -u 0.ubuntu.pool.ntp.org 1> /dev/null 2>&1

u
user229044

Try using command

git config --global http.sslverify false

This command will allow all the certificate from http which are not secured but use cautiously if using in professional environment.


The answer is a duplicate and has already been provided three times for the question.
M
Mrchief

I encountered the same problem to configure Git on a collaborative development platform that I have to manage.

To solve it :

I've Updated the release of Curl installed on the server. Download the last version on the website Download page of curland follow the installation proceedings Installation proceedings of curl

Get back the certificate of the authority which delivers the certificate for the server.

Add this certificate to the CAcert file used by curl. On my server it is located in /etc/pki/tls/certs/ca-bundle.crt.

Configure git to use this certificate file by editing the .gitconfig file and set the sslcainfo path. sslcainfo= /etc/pki/tls/certs/ca-bundle.crt

On the client machine you must get the certificate and configure the .gitconfig file too.

I hope this will help some of you.


G
GenericEventHandler

I tried everything, eventually I looked in the hosts file and there was a random entry there for github. Removing the alias fixed the problem

%systemroot%\system32\drivers\etc\hosts


0
0x3bfc

https://i.stack.imgur.com/p9Bbx.png


S
Sonata

I needed the certificates just for Cygwin and git so I did what @esquifit posted. However, I had to run step 5 manually, c_rehash was not available on my system. I followed this guide: Installing CA Certificates into the OpenSSL framework instead.


u
user2896631

I needed two things:

go to cygwin setup and include the package 'ca-certificates' (it is under Net) (as indicated elsewhere). Tell git where to find the installed certificates: GIT_SSL_CAINFO=/usr/ssl/certs/ca-bundle.crt GIT_CURL_VERBOSE=1 git ... (Verbose option is not needed) Or storing the option permanently: git config --global http.sslCAinfo /usr/ssl/certs/ca-bundle.crt git ...


s
sap

I had the same issue. Certificate import or command to unset ssl verification didn't work. It turn out to be expired password for network proxy. There was entry of proxy config. in the .gitconfig file present in my windows user profile. I just removed the whole entry and it started working again.


A
AnneTheAgile

On a Mac OSX 10.5 system, I was able to get this to work with a simple method. First, run the github procedures and the test, which worked ok for me, showing that my certificate was actually ok. https://help.github.com/articles/generating-ssh-keys

ssh -T git@github.com

Then I finally noticed yet another url format for remotes. I tried the others, above and they didn't work. http://git-scm.com/book/ch2-5.html

git@github.com:MyGithubUsername/MyRepoName.git

A simple "git push myRemoteName" worked great!


c
craigb

I recently (Jul 2014) had a similar issue and found on OS X (10.9.4) that there was a "DigiCert High Assurance EV Root CA" certificate had expired (although I had another unexpired one as well).

Open Keychain Access search Certificates for "DigiCert" View menu > Show Expired Certificates

I found two certificates named "DigiCert High Assurance EV Root CA", one expiring Nov 2031 and the expired one at July 2014 (a few of days previously). Deleting the expired certificate resolved the issue for me.

Hope this helps.