I'm stuck behind a firewall so have to use HTTPS to access my GitHub repository. I'm using cygwin 1.7.7 on Windows XP.
I've tried setting the remote to https://[email protected]/username/ExcelANT.git, but pushing prompts for a password, but doesn't do anything once I've entered it.
https://username:<password>github.com/username/ExcelANT.git and cloning the empty repo from scratch but each time it gives me the same error
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs
Turning on GIT_CURL_VERBOSE=1 gives me
* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239... * successfully set certificate verify locations:
* CAfile: none
CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Expire cleared
* Closing connection #0
* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239... * successfully set certificate verify locations:
* CAfile: none
CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Expire cleared
* Closing connection #0
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs
fatal: HTTP request failed
Is this a problem with my firewall, cygwin or what?
I hadn't set the HTTP proxy in the Git config, however it's an ISA server that needs NTLM authentication, not basic, so unless anyone knows how to force git to use NTLM, I'm scuppered.
This question is related to
git
ssl
github
cygwin
ssl-certificate
The answer is
If you're on Mac OS X, you can install the ca-cert-bundle via homebrew:
$ brew install curl-ca-bundle
$ git config --system http.sslcainfo /usr/local/share/ca-bundle.crt
The formula installs the cert bundle to your share via:
share.install 'ca-bundle.crt'
The share method is just an alias to /usr/local/share, and the curl-ca-bundle is provided by Mozilla. It's what you see being referenced in a lot of issues. Hope this helps as it's not very straightforward about how to approach this on Mac OS X. brew install curl isn't going to get you much either as it's keg only and will not be linked (running which curl will always output /usr/bin/curl, which is the default that ships with your OS). This post may also be of some value.
You'll of course need to disable SSL before you install homebrew since it's a git repo. Just do what curl says when it errors out during SSL verification and:
$ echo insecure >> ~/.curlrc
Once you get homebrew installed along with the curl-ca-bundle, delete .curlrc and try cloning a repo out on github. Ensure that there are no errors and you'll be good to go.
NOTE: If you do resort to .curlrc, please remove it from your system the moment you're done testing. This file can cause major issues, so use it for temporary purposes and with caution. brew doctor will complain in case you forget to purge it from your system).
NOTE: If you update your version of git, you'll need to rerun this command since your system settings will be wiped out (they're stored relative to the git binary based on version).
So after running:
$ brew update
$ brew upgrade
If you get a new version of git, then just rerun:
$ git config --system http.sslcainfo /usr/local/share/ca-bundle.crt
And you'll be all set.
Lastly if you have a new version of git, running:
$ git config -l --system
should give you an error along the lines of
fatal: unable to read config file '/usr/local/Cellar/git/1.8.2.2/etc/gitconfig'
that's your tip that you need to tell git where the Mozilla ca-bundle is.
UPDATE:
.curlrc may or may not be the remedy to your problem. In any case, just get the Mozilla ca-bundle installed on your machine whether you have to manually download it or not. That's what's important here. Once you get the ca-bundle, you're good to go. Just run the git config command and point git to the the ca-bundle.
UPDATE
I recently had to add:
export CURL_CA_BUNDLE=/usr/local/share/ca-bundle.crt to my .zshenv dot file since I'm using zsh. the git config option worked for most cases, but when hitting github over SSL (rvm get stable for example), I still ran into certificate issues. @Maverick pointed this out in his comment, but just in case someone misses it or assumes they don't necessarily need to export this environment variable in addition to running the git config --system.... command. Thanks and hope this helps.
UPDATE
It looks like the curl-ca-bundle was recently removed from homebrew. There is a recommendation here.
You will want to drop some files into:
$(brew --prefix)/etc/openssl/certs
Note: disabling SSL verification has security implications. It allows Man in the Middle attacks when you use Git to transfer data over a network. Be sure you fully understand the security implications before using this as a solution. Or better yet, install the root certificates.
One way is to disable the SSL CERT verification:
git config --global http.sslVerify false
This will prevent CURL to verity the HTTPS certification.
For one repository only:
git config http.sslVerify false
I wanted Git to use the updated certificate bundle without replacing the one my entire system uses. Here's how to have Git use a specific file in my home directory:
mkdir ~/certs
curl https://curl.haxx.se/ca/cacert.pem -o ~/certs/cacert.pem
Now update .gitconfig to use this for peer verification:
[http]
sslCAinfo = /home/radium/certs/cacert.pem
Note I'm using an absolute path. Git does no path expansion here, so you can't use ~ without an ugly kludge. Alternatively, you can skip the config file and set the path via the environment variable GIT_SSL_CAINFO instead.
To troubleshoot this, set GIT_CURL_VERBOSE=1. The path of the CA file Git is using will be shown on lines starting with "CAfile:" in the output.
Edited to change from http to https.
You can try this command in the Terminal:
git config --global http.sslVerify false
I know the original question lists Cygwin, but here is the solution for CentOS:
curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt
Source: http://eric.lubow.org/2011/security/fixing-centos-root-certificate-authority-issues/
A very simple solution: replace https:// with git://
Use git://the.repository instead of https://the.repository and will work.
I've had this problem on Windows with TortoiseGit and this solved it.
I recently (Jul 2014) had a similar issue and found on OS X (10.9.4) that there was a "DigiCert High Assurance EV Root CA" certificate had expired (although I had another unexpired one as well).
- Open Keychain Access
- search Certificates for "DigiCert"
- View menu > Show Expired Certificates
I found two certificates named "DigiCert High Assurance EV Root CA", one expiring Nov 2031 and the expired one at July 2014 (a few of days previously). Deleting the expired certificate resolved the issue for me.
Hope this helps.
Note that for me to get this working (RVM install on CentOS 5.6), I had to run the following:
export GIT_SSL_NO_VERIFY=true
and after that, the standard install procedure for curling the RVM installer into bash worked a treat :)
If you used debian-based OS, you can simply run
apt-get install ca-certificates
The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.
Update: Install Net/ca-certificates package in cygwin (thanks dirkjot)
There are two solutions:
Actually install root certificates. Curl guys extracted for you certificates from Mozilla.
cacert.pemfile is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it to individual certificates put them to /usr/ssl/certs (your CApath) and index them.Here is how to do it. With cygwin setup.exe install curl and openssl packages execute:
$ cd /usr/ssl/certs $ curl http://curl.haxx.se/ca/cacert.pem | awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}' $ c_rehashImportant: In order to use
c_rehashyou have to installopenssl-perltoo.Ignore SSL certificate verification.
WARNING: Disabling SSL certificate verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues and your threat model before using this as a solution.
$ env GIT_SSL_NO_VERIFY=true git clone https://github...
I had the same issue. Certificate import or command to unset ssl verification didn't work. It turn out to be expired password for network proxy. There was entry of proxy config. in the .gitconfig file present in my windows user profile. I just removed the whole entry and it started working again.
I needed two things:
go to cygwin setup and include the package 'ca-certificates' (it is under Net) (as indicated elsewhere).
Tell git where to find the installed certificates:
GIT_SSL_CAINFO=/usr/ssl/certs/ca-bundle.crt GIT_CURL_VERBOSE=1 git ...
(Verbose option is not needed)
Or storing the option permanently:
git config --global http.sslCAinfo /usr/ssl/certs/ca-bundle.crt
git ...
Have you checked your time?
I absolutely refused to make my git operations insecure and after trying everything people mentioned here, it struck me that one possible cause why certificates fail to pass verification is that the dates are wrong (either the certificate expiry date, or the local clock).
You can check this easily by typing date in a terminal. In my case (a new raspberry Pi), the local clock was set to 1970, so a simple ntpdate -u 0.ubuntu.pool.ntp.org fixed everything. For a rPi, I would also recommend that you put the following script in a daily cron job (say /etc/cron.daily/ntpdate):
#!/bin/sh
/usr/sbin/ntpdate -u 0.ubuntu.pool.ntp.org 1> /dev/null 2>&1
I tried everything, eventually I looked in the hosts file and there was a random entry there for github. Removing the alias fixed the problem
%systemroot%\system32\drivers\etc\hosts
I simply disabled the SSL certificate authentication and used the simple user name password login as shown below
I've been having this same problem for Solaris Express 11. It took me a while but I managed to find where the certificates needed to be placed. According to /etc/openssl/openssl.cnf, the path for certificates is /etc/openssl/certs. I placed the certificates generated using the above advice from Alexey.
You can verify that things are working using openssl on the commandline:
openssl s_client -connect github.com:443
on a rasbery pi i had
pi@raspbmc:~$ git clone http: //github.com/andreafabrizi/Dropbox-Uploader .git Cloning into 'Dropbox-Uploader'... error: Problem with the SSL CA cert (path? access rights?) while accessing http:// github.com/andreafabrizi/Dropbox-Uploader.git/info/refs fatal: HTTP request failed
so id a
sudo apt-get install ca-certificates
then
git clone http://github.com/andreafabrizi/Dropbox-Uploader.git
worked
For those use Msys/MinGW GIT, add this
export GIT_SSL_CAINFO=/mingw32/ssl/certs/ca-bundle.crt
I encountered the same problem to configure Git on a collaborative development platform that I have to manage.
To solve it :
I've Updated the release of Curl installed on the server. Download the last version on the website Download page of curland follow the installation proceedings Installation proceedings of curl
Get back the certificate of the authority which delivers the certificate for the server.
Add this certificate to the CAcert file used by curl. On my server it is located in
/etc/pki/tls/certs/ca-bundle.crt.Configure git to use this certificate file by editing the .gitconfig file and set the sslcainfo path.
sslcainfo= /etc/pki/tls/certs/ca-bundle.crtOn the client machine you must get the certificate and configure the .gitconfig file too.
I hope this will help some of you.
Improve RouMao's solution by temporarily disabling GIT/curl ssl verification in Windows cmd:
set GIT_SSL_NO_VERIFY=true
git config --global http.proxy http://<your-proxy>:443
The good thing about this solution is that it only takes effect in the current cmd window.
Try using a .netrc file, it will authenticate over https. Create a file call .netrc in your home directory and put this in it:
machine github.com login myusername password mypass
See this post for more info:
https://plus.google.com/u/0/104462765626035447305/posts/WbwD4zcm2fj
I needed the certificates just for Cygwin and git so I did what @esquifit posted. However, I had to run step 5 manually, c_rehash was not available on my system. I followed this guide: Installing CA Certificates into the OpenSSL framework instead.
I fixed this problem using apt-cyg (a great installer similar to apt-get) to easily download the ca-certificates (including Git and many more):
apt-cyg install ca-certificates
Note: apt-cyg should be first installed. You can do this from Windows command line:
cd c:\cygwin
setup.exe -q -P wget,tar,qawk,bzip2,subversion,vim
Close Windows cmd, and open Cygwin Bash:
wget rawgit.com/transcode-open/apt-cyg/master/apt-cyg
install apt-cyg /bin
On a Mac OSX 10.5 system, I was able to get this to work with a simple method. First, run the github procedures and the test, which worked ok for me, showing that my certificate was actually ok. https://help.github.com/articles/generating-ssh-keys
ssh -T [email protected]
Then I finally noticed yet another url format for remotes. I tried the others, above and they didn't work. http://git-scm.com/book/ch2-5.html
[email protected]:MyGithubUsername/MyRepoName.git
A simple "git push myRemoteName" worked great!
Generate the access token from Github and save it, as it will not appear again.
git -c http.sslVerify=false clone https://<username>:<token>@github.com/repo.git
or,
git config --global http.sslVerify false
git clone https://github.com/repo.git
As the most popular answer (by Alexey Vishentsev) has it:
The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.
However, that last assertion is false (now, or always has been, I don't know).
All you have to do is go to cygwin setup and include the package 'ca-certificates' (it is under Net). This did the trick for me.
To clone on windows while setting SSL verify to false:
git -c http.sslVerify=false clone http://example.com/e.git
If you want to clone without borfing your global settings.
If all you want to do is just to use the Cygwin git client with github.com, there is a much simpler way without having to go through the hassle of downloading, extracting, converting, splitting cert files. Proceed as follows (I'm assuming Windows XP with Cygwin and Firefox)
- In Firefox, go to the github page (any)
- click on the github icon on the address bar to display the certificate
- Click through "more information" -> "display certificate" --> "details" and select each node in the hierarchy beginning with the uppermost one; for each of them click on "Export" and select the PEM format:
- GTECyberTrustGlobalRoot.pem
- DigiCertHighAssuranceEVRootCA.pem
- DigiCertHighAssuranceEVCA-1.pem
- github.com.pem
- Save the above files somewhere in your local drive, change the extension to .pem and move them to /usr/ssl/certs in your Cygwin installation (Windows: c:\cygwin\ssl\certs )
- (optional) Run c_reshash from the bash.
That's it.
Of course this only installs one cert hierarchy, the one you need for github. You can of course use this method with any other site without the need to install 200 certs of sites you don't (necessarily) trust.
On CentOS 5.x, a simple yum update openssl updated the openssl package which updated the system ca-bundle.crt file and fixed the problem for me.
The same may be true for other distributions.
Source: Stackoverflow.com