SSL certificate rejected trying to access GitHub over HTTPS behind firewall

Question

I m stuck behind a firewall so have to use HTTPS to access my GitHub repository  I m using cygwin 1 7 7 on Windows XP   I ve tried setting the remote to https   username github com username ExcelANT git  but pushing prompts for a password  but doesn t do anything once I ve entered it  https   username  lt password gt github com username ExcelANT git and cloning the empty repo from scratch but each time it gives me the same error     error  SSL certificate problem  verify that the CA cert is OK  Details    error 14090086 SSL routines SSL3 GET SERVER CERTIFICATE certificate verify failed while accessing https   github com username ExcelANT git info refs   Turning on GIT CURL VERBOSE 1 gives me       About to connect   to github com port 443   0        Trying 207 97 227 239      successfully set certificate verify locations        CAfile  none     CApath   usr ssl certs     SSL certificate problem  verify that the CA cert is OK  Details    error 14090086 SSL routines SSL3 GET SERVER CERTIFICATE certificate verify failed     Expire cleared     Closing connection  0     About to connect   to github com port 443   0        Trying 207 97 227 239      successfully set certificate verify locations        CAfile  none     CApath   usr ssl certs     SSL certificate problem  verify that the CA cert is OK  Details    error 14090086 SSL routines SSL3 GET SERVER CERTIFICATE certificate verify failed     Expire cleared     Closing connection  0   error  SSL certificate problem  verify that the CA cert is OK  Details    error 14090086 SSL routines SSL3 GET SERVER CERTIFICATE certificate verify failed while accessing https   github com username ExcelANT git info refs   fatal  HTTP request failed   Is this a problem with my firewall  cygwin or what   I hadn t set the HTTP proxy in the Git config  however it s an ISA server that needs NTLM authentication  not basic  so unless anyone knows how to force git to use NTLM  I m scuppered

User · Answer

on a rasbery pi i had   pi raspbmc    git clone http      github com andreafabrizi Dropbox-Uploader   git Cloning into  Dropbox-Uploader     error  Problem with the SSL CA cert  path  access rights   while accessing http     github com andreafabrizi Dropbox-Uploader git info refs fatal  HTTP request failed  so id a   sudo apt-get install ca-certificates   then  git clone http   github com andreafabrizi Dropbox-Uploader git     worked

User · Answer

Generate the access token from Github and save it  as it will not appear again    git -c http sslVerify false clone https    lt username gt   lt token gt  github com repo git   or    git config --global http sslVerify false git clone https   github com repo git

User · Answer

I recently  Jul 2014  had a similar issue and found on OS X  10 9 4  that there was a  DigiCert High Assurance EV Root CA  certificate had expired  although I had another unexpired one as well     Open Keychain Access search Certificates for  DigiCert  View menu   Show Expired Certificates   I found two certificates named  DigiCert High Assurance EV Root CA   one expiring Nov 2031 and the expired one at July 2014  a few of days previously   Deleting the expired certificate resolved the issue for me   Hope this helps

User · Answer

Try using a  netrc file  it will authenticate over https  Create a file call  netrc in your home directory and put this in it   machine github com login myusername password mypass   See this post for more info    https   plus google com u 0 104462765626035447305 posts WbwD4zcm2fj

User · Answer

I fixed this problem using apt-cyg  a great installer similar to apt-get  to easily download the ca-certificates  including Git and many more    apt-cyg install ca-certificates   Note  apt-cyg should be first installed  You can do this from Windows command line   cd c  cygwin setup exe -q -P wget tar qawk bzip2 subversion vim   Close Windows cmd  and open Cygwin Bash   wget rawgit com transcode-open apt-cyg master apt-cyg install apt-cyg  bin

User · Answer

I know the original question lists Cygwin  but here is the solution for CentOS    curl http   curl haxx se ca cacert pem -o  etc pki tls certs ca-bundle crt   Source  http   eric lubow org 2011 security fixing-centos-root-certificate-authority-issues

User · Answer

I needed two things    go to cygwin setup and include the package  ca-certificates   it is under Net    as indicated elsewhere   Tell git where to find the installed certificates     GIT SSL CAINFO  usr ssl certs ca-bundle crt  GIT CURL VERBOSE 1 git       Verbose option is not needed   Or storing the option permanently   git config --global http sslCAinfo  usr ssl certs ca-bundle crt  git

User · Answer

On a Mac OSX 10 5 system  I was able to get this to work with a simple method  First  run the github procedures and the test  which worked ok for me  showing  that my certificate was actually ok  https   help github com articles generating-ssh-keys  ssh -T git github com   Then I finally noticed yet another url format for remotes  I tried the others  above and they didn t work   http   git-scm com book ch2-5 html  git github com MyGithubUsername MyRepoName git   A simple  git push myRemoteName  worked great

User · Answer

Note  disabling SSL verification has security implications  It allows Man in the Middle attacks when you use Git to transfer data over a network  Be sure you fully understand the security implications before using this as a solution  Or better yet  install the root certificates   One way is to disable the SSL CERT verification   git config --global http sslVerify false   This will prevent CURL to verity the HTTPS certification    For one repository only    git config http sslVerify false

User · Answer

Improve RouMao s solution by temporarily disabling GIT curl ssl verification in Windows cmd   set GIT SSL NO VERIFY true git config --global http proxy http    lt your-proxy gt  443   The good thing about this solution is that it only takes effect in the current cmd window

User · Answer

I encountered the same problem to configure Git on a collaborative development platform that I have to manage   To solve it     I ve Updated the release of Curl installed on the server  Download the last version on the website Download page of curland follow the installation proceedings Installation proceedings of curl Get back the certificate of the authority which delivers the certificate for the server  Add this certificate to the CAcert file used by curl  On my server it is located in  etc pki tls certs ca-bundle crt   Configure git to use this certificate file by editing the  gitconfig file and set the sslcainfo path  sslcainfo   etc pki tls certs ca-bundle crt On the client machine you must get the certificate and configure the  gitconfig file too     I hope this will help some of you

User · Answer

A very simple solution  replace https    with git     Use git   the repository instead of https   the repository and will work    I ve had this problem on Windows with TortoiseGit and this solved it

User · Answer

I had the same issue  Certificate import or command to unset ssl verification didn t work  It turn out to be expired password for network proxy  There was entry of proxy config  in the  gitconfig file present in my windows user profile  I just removed the whole entry and it started working again

User · Answer

On CentOS 5 x  a simple yum update openssl updated the openssl package which updated the system ca-bundle crt file and fixed the problem for me   The same may be true for other distributions

User · Answer

If you re on Mac OS X  you can install the ca-cert-bundle via homebrew     brew install curl-ca-bundle   git config --system http sslcainfo  usr local share ca-bundle crt   The formula installs the cert bundle to your share via   share install  ca-bundle crt    The share method is just an alias to  usr local share  and the curl-ca-bundle is provided by Mozilla  It s what you see being referenced in a lot of issues  Hope this helps as it s not very straightforward about how to approach this on Mac OS X  brew install curl isn t going to get you much either as it s keg only and will not be linked  running which curl will always output  usr bin curl  which is the default that ships with your OS   This post may also be of some value   You ll of course need to disable SSL before you install homebrew since it s a git repo  Just do what curl says when it errors out during SSL verification and     echo insecure  gt  gt     curlrc   Once you get homebrew installed along with the curl-ca-bundle  delete  curlrc and try cloning a repo out on github  Ensure that there are no errors and you ll be good to go   NOTE  If you do resort to  curlrc  please remove it from your system the moment you re done testing  This file can cause major issues  so use it for temporary purposes and with caution  brew doctor will complain in case you forget to purge it from your system    NOTE  If you update your version of git  you ll need to rerun this command since your system settings will be wiped out  they re stored relative to the git binary based on version    So after running     brew update   brew upgrade   If you get a new version of git  then just rerun     git config --system http sslcainfo  usr local share ca-bundle crt   And you ll be all set   Lastly if you have a new version of git  running     git config -l --system   should give you an error along the lines of  fatal  unable to read config file   usr local Cellar git 1 8 2 2 etc gitconfig   that s your tip that you need to tell git where the Mozilla ca-bundle is   UPDATE    curlrc may or may not be the remedy to your problem  In any case  just get the Mozilla ca-bundle installed on your machine whether you have to manually download it or not  That s what s important here  Once you get the ca-bundle  you re good to go  Just run the git config command and point git to the the ca-bundle   UPDATE  I recently had to add   export CURL CA BUNDLE  usr local share ca-bundle crt to my  zshenv dot file since I m using zsh  the git config option worked for most cases  but when hitting github over SSL  rvm get stable for example   I still ran into certificate issues   Maverick pointed this out in his comment  but just in case someone misses it or assumes they don t necessarily need to export this environment variable in addition to running the git config --system     command  Thanks and hope this helps   UPDATE  It looks like the curl-ca-bundle was recently removed from homebrew  There is a recommendation here   You will want to drop some files into     brew --prefix  etc openssl certs

User · Answer

You can try this command in the Terminal        git config --global http sslVerify false

User · Answer

Note that for me to get this working  RVM install on CentOS 5 6   I had to run the following   export GIT SSL NO VERIFY true  and after that  the standard install procedure for curling the RVM installer into bash worked a treat

User · Answer

I needed the certificates just for Cygwin and git so I did what  esquifit posted  However  I had to run step 5 manually  c rehash was not available on my system  I followed this guide  Installing CA Certificates into the OpenSSL framework instead

User · Answer

As the most popular answer  by Alexey Vishentsev  has it      The problem is that you do not have any of Certification Authority   certificates installed on your system  And these certs cannot be   installed with cygwin s setup exe    However  that last assertion is false  now  or always has been  I don t know      All you have to do is go to cygwin setup and include the package  ca-certificates   it is under Net    This did the trick for me

User · Answer

I ve been having this same problem for Solaris Express 11   It took me a while but I managed to find where the certificates needed to be placed   According to  etc openssl openssl cnf  the path for certificates is  etc openssl certs   I placed the certificates generated using the above advice from Alexey   You can verify that things are working using openssl on the commandline   openssl s client -connect github com 443

User · Answer

For those use Msys MinGW GIT  add this    export GIT SSL CAINFO  mingw32 ssl certs ca-bundle crt

User · Answer

Feel free to skip past this answer if you want to fix the certificates issue  This answer deals with tunneling ssh through the firewall which is IMHO a better solution to dealing with firewall proxy thingies   There is a better way than using http access and that is to use the ssh service offered by github on port 443 of the ssh github com server   We use a tool called corkscrew  This is available for both CygWin  through setup from the cygwin homepage  and Linux using your favorite packaging tool  For MacOSX it is available from macports and brew at least   The commandline is as follows      corkscrew  lt proxyhost gt   lt proxyport gt   lt targethost gt   lt targetport gt   lt authfile gt    The proxyhost and proxyport are the coordinates of the https proxy  The targethost and targetport is the location of the host to tunnel to  The authfile is a textfile with 1 line containing your proxy server username password separated by a colon  e g   abc very secret   Installation for using  normal  ssh protocol for git communication  By adding this to the    ssh config this trick can be used for normal ssh connections   Host github com   HostName ssh github com   Port 443   User git   ProxyCommand corkscrew  lt proxyhost gt   lt proxyport gt   h  p    ssh proxy auth   now you can test it works by ssh-ing to gitproxy  pti pti-laptop    ssh github com PTY allocation request failed on channel 0 Hi ptillemans  You ve successfully authenticated  but GitHub does not provide shell access         Connection to github com closed  pti pti-laptop       Note  if you never logged in to github before  ssh will be asking to add the server key to the known hosts file  If you are paranoid  it is recommended to verify the RSA fingerprint to the one shown on the github site where you uploaded your key    A slight variant on this method is the case when you need to access a repository with another key  e g  to separate your private account from your professional account         account dedicated for the ACME private github account    Host acme github com   User git   HostName ssh github com   Port 443   ProxyCommand corkscrew  lt proxyhost gt   lt 3128 gt   h  p    ssh proxy auth   IdentityFile    ssh id dsa acme   enjoy   We ve been using this for years now on both Linux  Macs and Windows   If you want you can read more about it in this blog post

User · Answer

If you used debian-based OS  you can simply run     apt-get install ca-certificates

User · Answer

I tried everything  eventually I looked in the hosts file and there was a random entry there for github  Removing the alias fixed the problem   systemroot  system32 drivers etc hosts

User · Answer

The problem is that you do not have any of Certification Authority certificates installed on your system  And these certs cannot be installed with cygwin s setup exe   Update  Install Net ca-certificates package in cygwin  thanks dirkjot    There are two solutions    Actually install root certificates  Curl guys extracted for you certificates from Mozilla    cacert pem file is what you are looking for  This file contains   250 CA certs  don t know how to trust this number of ppl   You need to download this file  split it to individual certificates put them to  usr ssl certs  your CApath  and index them    Here is how to do it  With cygwin setup exe install curl and openssl packages execute     cd  usr ssl certs   curl http   curl haxx se ca cacert pem     awk   print  gt   cert   1 n    pem    -----END CERTIFICATE-----   n       c rehash   Important  In order to use c rehash you have to install openssl-perl too  Ignore SSL certificate verification   WARNING  Disabling SSL certificate verification has security implications  Without verification of the authenticity of SSL HTTPS connections  a malicious attacker can impersonate a trusted endpoint  such as GitHub or some other remote Git host   and you ll be vulnerable to a Man-in-the-Middle Attack  Be sure you fully understand the security issues and your threat model before using this as a solution     env GIT SSL NO VERIFY true git clone https   github

User · Answer

I simply disabled the SSL certificate authentication and used the simple user name password login as shown below

User · Answer

I wanted Git to use the updated certificate bundle without replacing the one my entire system uses   Here s how to have Git use a specific file in my home directory  mkdir   certs curl https   curl haxx se ca cacert pem -o   certs cacert pem  Now update  gitconfig to use this for peer verification   http  sslCAinfo    home radium certs cacert pem  Note I m using an absolute path   Git does no path expansion here  so you can t use   without an ugly kludge   Alternatively  you can skip the config file and set the path via the environment variable GIT SSL CAINFO instead  To troubleshoot this  set GIT CURL VERBOSE 1   The path of the CA file Git is using will be shown on lines starting with  quot CAfile  quot  in the output  Edited to change from http to https

User · Answer

To clone on windows while setting SSL verify to false       git -c http sslVerify false clone http   example com e git   If you want to clone without borfing your global settings

User · Answer

If all you want to do is just to use the Cygwin git client with github com  there is a much simpler way without having to go through the hassle of downloading  extracting  converting  splitting cert files  Proceed as follows  I m assuming Windows XP with Cygwin and Firefox    In Firefox  go to the github page  any  click on the github icon on the address bar to display the certificate Click through  more information  -   display certificate  --   details  and select each node in the hierarchy beginning with the uppermost one  for each of them click on  Export  and select the PEM format   GTECyberTrustGlobalRoot pem  DigiCertHighAssuranceEVRootCA pem DigiCertHighAssuranceEVCA-1 pem github com pem  Save the above files somewhere in your local drive  change the extension to  pem and move them to  usr ssl certs in your Cygwin installation  Windows  c  cygwin ssl certs    optional  Run c reshash from the bash     That s it   Of course this only installs one cert hierarchy  the one you need for github  You can of course use this method with any other site without the need to install 200 certs of sites you don t  necessarily  trust

User · Answer

Have you checked your time   I absolutely refused to make my git operations insecure and after trying everything people mentioned here  it struck me that one possible cause why certificates fail to pass verification is that the dates are wrong  either the certificate expiry date  or the local clock    You can check this easily by typing date in a terminal  In my case  a new raspberry Pi   the local clock was set to 1970  so a simple ntpdate -u 0 ubuntu pool ntp org fixed everything  For a rPi  I would also recommend that you put the following script in a daily cron job  say  etc cron daily ntpdate       bin sh  usr sbin ntpdate -u 0 ubuntu pool ntp org 1 gt   dev null 2 gt  amp 1

[git] SSL certificate rejected trying to access GitHub over HTTPS behind firewall

Examples related to git

Examples related to ssl

Examples related to github

Examples related to cygwin

Examples related to ssl-certificate