git - SSL certificate rejected trying to access GitHub over HTTPS behind firewall

Feel free to skip past this answer if you want to fix the certificates issue. This answer deals with tunneling ssh through the firewall which is IMHO a better solution to dealing with firewall/proxy thingies.

There is a better way than using http access and that is to use the ssh service offered by github on port 443 of the ssh.github.com server.

We use a tool called corkscrew. This is available for both CygWin (through setup from the cygwin homepage) and Linux using your favorite packaging tool. For MacOSX it is available from macports and brew at least.

The commandline is as follows :

$ corkscrew <proxyhost> <proxyport> <targethost> <targetport> <authfile>

The proxyhost and proxyport are the coordinates of the https proxy. The targethost and targetport is the location of the host to tunnel to. The authfile is a textfile with 1 line containing your proxy server username/password separated by a colon

e.g:

abc:very_secret

Installation for using "normal" ssh protocol for git communication

By adding this to the ~/.ssh/config this trick can be used for normal ssh connections.

Host github.com
  HostName ssh.github.com
  Port 443
  User git
  ProxyCommand corkscrew <proxyhost> <proxyport> %h %p ~/.ssh/proxy_auth

now you can test it works by ssh-ing to gitproxy

pti@pti-laptop:~$ ssh github.com
PTY allocation request failed on channel 0
Hi ptillemans! You've successfully authenticated, but GitHub does not provide shell access.
       Connection to github.com closed.
pti@pti-laptop:~$

(Note: if you never logged in to github before, ssh will be asking to add the server key to the known hosts file. If you are paranoid, it is recommended to verify the RSA fingerprint to the one shown on the github site where you uploaded your key).

A slight variant on this method is the case when you need to access a repository with another key, e.g. to separate your private account from your professional account.

# 
# account dedicated for the ACME private github account 
#
Host acme.github.com
  User git
  HostName ssh.github.com
  Port 443
  ProxyCommand corkscrew <proxyhost> <3128> %h %p ~/.ssh/proxy_auth
  IdentityFile ~/.ssh/id_dsa_acme

enjoy!

We've been using this for years now on both Linux, Macs and Windows.

If you want you can read more about it in this blog post

The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.

Update: Install Net/ca-certificates package in cygwin (thanks dirkjot)

There are two solutions:

1. Actually install root certificates. Curl guys extracted for you certificates from Mozilla.

   cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it to individual certificates put them to /usr/ssl/certs (your CApath) and index them.

   Here is how to do it. With cygwin setup.exe install curl and openssl packages execute:

   $ cd /usr/ssl/certs
   $ curl http://curl.haxx.se/ca/cacert.pem |
     awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
   $ c_rehash
   

   Important: In order to use c_rehash you have to install openssl-perl too.

2. Ignore SSL certificate verification.

   WARNING: Disabling SSL certificate verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues and your threat model before using this as a solution.

   $ env GIT_SSL_NO_VERIFY=true git clone https://github...
   

Note: disabling SSL verification has security implications. It allows Man in the Middle attacks when you use Git to transfer data over a network. Be sure you fully understand the security implications before using this as a solution. Or better yet, install the root certificates.

One way is to disable the SSL CERT verification:

git config --global http.sslVerify false

This will prevent CURL to verity the HTTPS certification.

For one repository only:

git config http.sslVerify false

I wanted Git to use the updated certificate bundle without replacing the one my entire system uses. Here's how to have Git use a specific file in my home directory:

mkdir ~/certs
curl https://curl.haxx.se/ca/cacert.pem -o ~/certs/cacert.pem

Now update .gitconfig to use this for peer verification:

[http]
sslCAinfo = /home/radium/certs/cacert.pem

Note I'm using an absolute path. Git does no path expansion here, so you can't use ~ without an ugly kludge. Alternatively, you can skip the config file and set the path via the environment variable GIT_SSL_CAINFO instead.

To troubleshoot this, set GIT_CURL_VERBOSE=1. The path of the CA file Git is using will be shown on lines starting with "CAfile:" in the output.

Edited to change from http to https.

Note that for me to get this working (RVM install on CentOS 5.6), I had to run the following:

export GIT_SSL_NO_VERIFY=true

and after that, the standard install procedure for curling the RVM installer into bash worked a treat :)

A very simple solution: replace https:// with git://

Use git://the.repository instead of https://the.repository and will work.

I've had this problem on Windows with TortoiseGit and this solved it.

As the most popular answer (by Alexey Vishentsev) has it:

The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.

However, that last assertion is false (now, or always has been, I don't know).

All you have to do is go to cygwin setup and include the package 'ca-certificates' (it is under Net). This did the trick for me.

To clone on windows while setting SSL verify to false:

    git -c http.sslVerify=false clone http://example.com/e.git

If you want to clone without borfing your global settings.

I know the original question lists Cygwin, but here is the solution for CentOS:

curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

Source: http://eric.lubow.org/2011/security/fixing-centos-root-certificate-authority-issues/

On CentOS 5.x, a simple yum update openssl updated the openssl package which updated the system ca-bundle.crt file and fixed the problem for me.

The same may be true for other distributions.

If all you want to do is just to use the Cygwin git client with github.com, there is a much simpler way without having to go through the hassle of downloading, extracting, converting, splitting cert files. Proceed as follows (I'm assuming Windows XP with Cygwin and Firefox)

1. In Firefox, go to the github page (any)
2. click on the github icon on the address bar to display the certificate
3. Click through "more information" -> "display certificate" --> "details" and select each node in the hierarchy beginning with the uppermost one; for each of them click on "Export" and select the PEM format:
   • GTECyberTrustGlobalRoot.pem
   • DigiCertHighAssuranceEVRootCA.pem
   • DigiCertHighAssuranceEVCA-1.pem
   • github.com.pem
4. Save the above files somewhere in your local drive, change the extension to .pem and move them to /usr/ssl/certs in your Cygwin installation (Windows: c:\cygwin\ssl\certs )
5. (optional) Run c_reshash from the bash.

That's it.

Of course this only installs one cert hierarchy, the one you need for github. You can of course use this method with any other site without the need to install 200 certs of sites you don't (necessarily) trust.

You can try this command in the Terminal:

git config --global http.sslVerify false

If you're on Mac OS X, you can install the ca-cert-bundle via homebrew:

$ brew install curl-ca-bundle
$ git config --system http.sslcainfo /usr/local/share/ca-bundle.crt

The formula installs the cert bundle to your share via:

share.install 'ca-bundle.crt'

The share method is just an alias to /usr/local/share, and the curl-ca-bundle is provided by Mozilla. It's what you see being referenced in a lot of issues. Hope this helps as it's not very straightforward about how to approach this on Mac OS X. brew install curl isn't going to get you much either as it's keg only and will not be linked (running which curl will always output /usr/bin/curl, which is the default that ships with your OS). This post may also be of some value.

You'll of course need to disable SSL before you install homebrew since it's a git repo. Just do what curl says when it errors out during SSL verification and:

$ echo insecure >> ~/.curlrc

Once you get homebrew installed along with the curl-ca-bundle, delete .curlrc and try cloning a repo out on github. Ensure that there are no errors and you'll be good to go.

NOTE: If you do resort to .curlrc, please remove it from your system the moment you're done testing. This file can cause major issues, so use it for temporary purposes and with caution. brew doctor will complain in case you forget to purge it from your system).

NOTE: If you update your version of git, you'll need to rerun this command since your system settings will be wiped out (they're stored relative to the git binary based on version).

So after running:

$ brew update
$ brew upgrade

If you get a new version of git, then just rerun:

$ git config --system http.sslcainfo /usr/local/share/ca-bundle.crt

And you'll be all set.

Lastly if you have a new version of git, running:

$ git config -l --system

should give you an error along the lines of

fatal: unable to read config file '/usr/local/Cellar/git/1.8.2.2/etc/gitconfig'

that's your tip that you need to tell git where the Mozilla ca-bundle is.

UPDATE:

.curlrc may or may not be the remedy to your problem. In any case, just get the Mozilla ca-bundle installed on your machine whether you have to manually download it or not. That's what's important here. Once you get the ca-bundle, you're good to go. Just run the git config command and point git to the the ca-bundle.

UPDATE

I recently had to add:

export CURL_CA_BUNDLE=/usr/local/share/ca-bundle.crt to my .zshenv dot file since I'm using zsh. the git config option worked for most cases, but when hitting github over SSL (rvm get stable for example), I still ran into certificate issues. @Maverick pointed this out in his comment, but just in case someone misses it or assumes they don't necessarily need to export this environment variable in addition to running the git config --system.... command. Thanks and hope this helps.

UPDATE

It looks like the curl-ca-bundle was recently removed from homebrew. There is a recommendation here.

You will want to drop some files into:

$(brew --prefix)/etc/openssl/certs

I've been having this same problem for Solaris Express 11. It took me a while but I managed to find where the certificates needed to be placed. According to /etc/openssl/openssl.cnf, the path for certificates is /etc/openssl/certs. I placed the certificates generated using the above advice from Alexey.

You can verify that things are working using openssl on the commandline:

openssl s_client -connect github.com:443

I fixed this problem using apt-cyg (a great installer similar to apt-get) to easily download the ca-certificates (including Git and many more):

apt-cyg install ca-certificates

Note: apt-cyg should be first installed. You can do this from Windows command line:

cd c:\cygwin
setup.exe -q -P wget,tar,qawk,bzip2,subversion,vim

Close Windows cmd, and open Cygwin Bash:

wget rawgit.com/transcode-open/apt-cyg/master/apt-cyg
install apt-cyg /bin

If you used debian-based OS, you can simply run

apt-get install ca-certificates

on a rasbery pi i had

pi@raspbmc:~$ git clone http: //github.com/andreafabrizi/Dropbox-Uploader .git Cloning into 'Dropbox-Uploader'... error: Problem with the SSL CA cert (path? access rights?) while accessing http:// github.com/andreafabrizi/Dropbox-Uploader.git/info/refs fatal: HTTP request failed

so id a

sudo apt-get install ca-certificates

then

git clone http://github.com/andreafabrizi/Dropbox-Uploader.git  

worked

Generate the access token from Github and save it, as it will not appear again.

git -c http.sslVerify=false clone https://<username>:<token>@github.com/repo.git

or,

git config --global http.sslVerify false
git clone https://github.com/repo.git

Try using a .netrc file, it will authenticate over https. Create a file call .netrc in your home directory and put this in it:

machine github.com login myusername password mypass

See this post for more info:

https://plus.google.com/u/0/104462765626035447305/posts/WbwD4zcm2fj

Improve RouMao's solution by temporarily disabling GIT/curl ssl verification in Windows cmd:

set GIT_SSL_NO_VERIFY=true
git config --global http.proxy http://<your-proxy>:443

The good thing about this solution is that it only takes effect in the current cmd window.

Have you checked your time?

I absolutely refused to make my git operations insecure and after trying everything people mentioned here, it struck me that one possible cause why certificates fail to pass verification is that the dates are wrong (either the certificate expiry date, or the local clock).

You can check this easily by typing date in a terminal. In my case (a new raspberry Pi), the local clock was set to 1970, so a simple ntpdate -u 0.ubuntu.pool.ntp.org fixed everything. For a rPi, I would also recommend that you put the following script in a daily cron job (say /etc/cron.daily/ntpdate):

#!/bin/sh
/usr/sbin/ntpdate -u 0.ubuntu.pool.ntp.org 1> /dev/null 2>&1

I encountered the same problem to configure Git on a collaborative development platform that I have to manage.

To solve it :

• I've Updated the release of Curl installed on the server. Download the last version on the website Download page of curland follow the installation proceedings Installation proceedings of curl

• Get back the certificate of the authority which delivers the certificate for the server.

• Add this certificate to the CAcert file used by curl. On my server it is located in /etc/pki/tls/certs/ca-bundle.crt.

• Configure git to use this certificate file by editing the .gitconfig file and set the sslcainfo path. sslcainfo= /etc/pki/tls/certs/ca-bundle.crt

• On the client machine you must get the certificate and configure the .gitconfig file too.

I hope this will help some of you.

I tried everything, eventually I looked in the hosts file and there was a random entry there for github. Removing the alias fixed the problem

%systemroot%\system32\drivers\etc\hosts

I simply disabled the SSL certificate authentication and used the simple user name password login as shown below

I needed the certificates just for Cygwin and git so I did what @esquifit posted. However, I had to run step 5 manually, c_rehash was not available on my system. I followed this guide: Installing CA Certificates into the OpenSSL framework instead.

I needed two things:

1. go to cygwin setup and include the package 'ca-certificates' (it is under Net) (as indicated elsewhere).

2. Tell git where to find the installed certificates:

   GIT_SSL_CAINFO=/usr/ssl/certs/ca-bundle.crt GIT_CURL_VERBOSE=1 git ...

   (Verbose option is not needed)

   Or storing the option permanently:

   git config --global http.sslCAinfo /usr/ssl/certs/ca-bundle.crt

   git ...

I had the same issue. Certificate import or command to unset ssl verification didn't work. It turn out to be expired password for network proxy. There was entry of proxy config. in the .gitconfig file present in my windows user profile. I just removed the whole entry and it started working again.

On a Mac OSX 10.5 system, I was able to get this to work with a simple method. First, run the github procedures and the test, which worked ok for me, showing that my certificate was actually ok. https://help.github.com/articles/generating-ssh-keys

ssh -T [email protected]

Then I finally noticed yet another url format for remotes. I tried the others, above and they didn't work. http://git-scm.com/book/ch2-5.html

[email protected]:MyGithubUsername/MyRepoName.git

A simple "git push myRemoteName" worked great!

I recently (Jul 2014) had a similar issue and found on OS X (10.9.4) that there was a "DigiCert High Assurance EV Root CA" certificate had expired (although I had another unexpired one as well).

1. Open Keychain Access
2. search Certificates for "DigiCert"
3. View menu > Show Expired Certificates

I found two certificates named "DigiCert High Assurance EV Root CA", one expiring Nov 2031 and the expired one at July 2014 (a few of days previously). Deleting the expired certificate resolved the issue for me.

Hope this helps.

For those use Msys/MinGW GIT, add this

  export GIT_SSL_CAINFO=/mingw32/ssl/certs/ca-bundle.crt