SSL certificate rejected trying to access GitHub over HTTPS behind firewall

Question

I'm stuck behind a firewall, so I have to use HTTPS to access my GitHub repository. I'm using Cygwin 1.7.7 on Windows XP.

I've tried setting the remote to https://username@github.com/username/ExcelANT.git, but pushing prompts for a password, but it doesn't do anything once I've entered it. https://username:<password>github.com/username/ExcelANT.git and cloning the empty repository from scratch, but each time it gives me the same error:

error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs

Turning on GIT_CURL_VERBOSE=1 gives me

    * About to connect() to github.com port 443 (#0)
    * Trying 207.97.227.239...
    * successfully set certificate verify locations:
    * CAfile: none
      CApath: /usr/ssl/certs
    * SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    * Expire cleared
    * Closing connection #0
    * About to connect() to github.com port 443 (#0)
    * Trying 207.97.227.239...
    * successfully set certificate verify locations:
    * CAfile: none
      CApath: /usr/ssl/certs
    * SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    * Expire cleared
    * Closing connection #0
    error: SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs

    fatal: HTTP request failed

Is this a problem with my firewall, Cygwin or what?

I hadn't set the HTTP proxy in the Git configuration. However, it's an ISA server that needs NTLM authentication, not basic, so unless anyone knows how to force Git to use NTLM, I'm scuppered.

Answer

The problem is that you do not have any certificate authority (CA) certificates installed on your system. And these certificates cannot be installed with Cygwin's setup.exe.

Install the Net/ca-certificates package in Cygwin (thanks dirkjot)

There are two solutions:

  1. Actually install root certificates. The curl guys extracted the certificates from Mozilla for you.

The cacert.pem file is what you are looking for. This file contains more than 250 CA certificates (don't know how to trust this number of people). You need to download this file, split it into individual certificates, put them in /usr/ssl/certs (your CApath), and index them.

Here is how to do it. With Cygwin setup.exe install the curl and OpenSSL packages.

Execute:

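    $ cd /usr/ssl/certs
    # Download the bundle and write each certificate to cert1.pem, cert2.pem, ...
    $ curl http://curl.haxx.se/ca/cacert.pem |
      awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
    # Create the hash-named links OpenSSL uses to look up CAs in CApath
    $ c_rehash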

Important: In order to use c_rehash you have to install openssl-perl too.

  2. Ignore SSL certificate verification.

    WARNING: Disabling SSL certificate verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a man-in-the-middle attack. Be sure you fully understand the security issues and your threat model before using this as a solution.

    env GIT_SSL_NO_VERIFY=true git clone https://github...
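
An added example, not part of the original answer: the awk one-liner in option 1 prints every line of the bundle, so any comment or name lines between certificates end up in the output files. The stricter splitter below keeps only complete BEGIN/END blocks and tolerates CRLF line endings; the function names `split_bundle` and `write_sample_bundle` are hypothetical, and the sample bundle is constructed with placeholder bodies rather than real certificates.

```shell
#!/bin/sh
# Added example, not from the original answer.
# split_bundle BUNDLE OUTDIR
#   Writes each complete BEGIN/END CERTIFICATE block of BUNDLE to
#   OUTDIR/certN.pem and prints the number of files written.
#   Lines outside a block are dropped; a block with no END marker is discarded.
split_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        { sub(/\r$/, "") }                      # normalise CRLF input
        /^-----BEGIN CERTIFICATE-----/ { inblock = 1; buf = "" }
        inblock { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/ && inblock {
            n++
            file = dir "/cert" n ".pem"
            printf("%s", buf) > file
            close(file)                         # avoid running out of open files
            inblock = 0
        }
        END { print n + 0 }
    ' "$bundle"
}

# Constructed sample input: the base64 bodies are placeholders, not real
# certificates, and the last block is deliberately left unterminated.
write_sample_bundle() {
    cat > "$1" <<'EOF'
## Bundle header comment
Example Root A
==============
-----BEGIN CERTIFICATE-----
QUJDREVGRw==
-----END CERTIFICATE-----

Example Root B
==============
-----BEGIN CERTIFICATE-----
SElKS0xNTg==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
dHJ1bmNhdGVk
EOF
}
```

After splitting a real bundle into /usr/ssl/certs, `c_rehash` is still needed to index the files, as in the answer.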
