1
votes

I had a problem where Fortigate's CA was mysteriously removed from Windows 10, and GitHub appears to use Fortigate for SSL, so it basically stopped working, across all applications (including web browsers). I reinstalled the CA, and now it works in browsers etc., but not in git.

I keep getting:

SSL certificate problem: self signed certificate in certificate chain

Doing basic things like restarting git, related services etc. does not help. I tried running:

GIT_SSL_CAINFO=/path/to/certificate.pem

within Git Bash itself. It's not verbose, so I can't really tell if it does anything (although no error is given, so at least the command runs?).

Is there a way to "refresh" git to recognize the existing CAs installed in Windows, or force it to recognize a specific CA?

1
I don't think that GitHub uses Fortigate for SSL. You most likely have Fortigate in your organization and this FW uses SSL inspection. Therefore you see Fortigate CA as issuer of github.com. - pepo
That thought hadn't occurred to me, but it makes sense. Is there a way to resolve such issues though regardless of who/what the authority is? - Ynhockey
It may be an issue with HPKP - Nils Werner

1 Answer

0
votes

Figured it out, hopefully this solution is not temporary (works so far):

There is an accepted certificate file in Git itself with authorities it accepts, in (change to your Git install dir):

%ProgramFiles%\Git\mingw64\ssl\certs

It's possible to paste the relevant certificate at the end of ca-bundle.crt. This seems to resolve the problem immediately.
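
A variant of the fix described in this answer, as an added example (not the answerer's code): rather than editing ca-bundle.crt inside the Git install directory, which an upgrade or reinstall of Git can replace, build a user-owned copy with the inspection CA appended and point Git at it with http.sslCAInfo. The function names and file paths are assumptions, and the demo uses constructed placeholder PEM blocks, not real certificates.

```shell
#!/usr/bin/env bash
# Added example: user-owned CA bundle = Git's bundle + one extra root CA (PEM).
# Usage in Git Bash (paths are examples; adjust to your Git install dir):
#   add_ca "/c/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt" \
#          "$HOME/inspection-ca.pem" "$HOME/git-ca-bundle.crt"
#   git config --global http.sslCAInfo "$HOME/git-ca-bundle.crt"

# pem_body FILE: base64 body of the first certificate in FILE, without line breaks.
pem_body() {
  awk '/-----BEGIN CERTIFICATE-----/{f=1;next} /-----END CERTIFICATE-----/{exit} f' "$1" |
    tr -d ' \r\n'
}

# bundle_has_cert BUNDLE CERT: succeed if CERT's body already appears in BUNDLE.
bundle_has_cert() {
  local want; want=$(pem_body "$2")
  [ -n "$want" ] || return 2
  awk '/-----BEGIN CERTIFICATE-----/{f=1;b="";next}
       /-----END CERTIFICATE-----/{f=0;print b;next}
       f{gsub(/[ \r]/,"");b=b $0}' "$1" | grep -qxF -- "$want"
}

# add_ca SRC_BUNDLE CERT OUT_BUNDLE: create OUT_BUNDLE from SRC_BUNDLE if missing,
# then append CERT exactly once (safe to re-run).
add_ca() {
  local src=$1 cert=$2 out=$3
  # Accept only a file holding exactly one PEM certificate (not DER, not a chain).
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert")" -eq 1 ] ||
    { echo "not a single PEM certificate: $cert" >&2; return 1; }
  # A key must never end up in a world-readable trust bundle.
  grep -q 'PRIVATE KEY' "$cert" && { echo "file contains a private key" >&2; return 1; }
  [ -f "$out" ] || cp -- "$src" "$out"
  if bundle_has_cert "$out" "$cert"; then return 0; fi
  # Leading newline covers a bundle without a trailing one; CRs are stripped.
  { printf '\n# locally added inspection CA\n'; tr -d '\r' < "$cert"; printf '\n'; } >> "$out"
}

# demo: constructed placeholder PEM blocks in a temp dir; prints the certificate
# count in the output bundle after running add_ca twice.
demo() {
  local d; d=$(mktemp -d)
  printf -- '-----BEGIN CERTIFICATE-----\nQUFBQQ==\n-----END CERTIFICATE-----' > "$d/bundle.crt"
  printf -- '-----BEGIN CERTIFICATE-----\r\nQkJCQg==\r\n-----END CERTIFICATE-----\r\n' > "$d/ca.pem"
  add_ca "$d/bundle.crt" "$d/ca.pem" "$d/out.crt" && add_ca "$d/bundle.crt" "$d/ca.pem" "$d/out.crt"
  grep -c -- '-----BEGIN CERTIFICATE-----' "$d/out.crt"
}
```

Any certificate in this bundle can vouch for any host Git connects to, so compare the CA's fingerprint with the one published by whoever operates the inspecting firewall before adding it. To try a bundle for a single command without changing configuration, put the variable on the same line as the command, for example `GIT_SSL_CAINFO="$HOME/git-ca-bundle.crt" git ls-remote <url>`.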