1
votes

I had a problem where Fortigate's CA was mysteriously removed from Windows 10, and GitHub appears to use Fortigate for SSL, so it basically stopped working, across all applications (including web browsers). I reinstalled the CA, and now it works in browsers etc., but not in git.

I keep getting:

SSL certificate problem: self signed certificate in certificate chain

Doing basic things like restarting git, related services etc. does not help. I tried running:

GIT_SSL_CAINFO=/path/to/certificate.pem

Within git bash itself, it's not verbose so I can't really tell if it does anything (although no error is given, so at least the command runs?).

Is there a way to "refresh" git to recognize the existing CAs installed in Windows, or force it to recognize a specific CA?

1
I don't think that GitHub uses Fortigate for SSL. You most likely have Fortigate in your organization and this FW uses SSL inspection. Therefore you see Fortigate CA as issuer of github.com. - pepo
That thought hadn't occurred to me, but it makes sense. Is there a way to resolve such issues though regardless of who/what the authority is? - Ynhockey
It may be an issue with HPKP - Nils Werner

1 Answer

0
votes

Figured it out, hopefully this solution is not temporary (works so far):

There is an accepted certificate file in Git itself with authorities it accepts, in (change to your Git install dir):

%ProgramFiles%\Git\mingw64\ssl\certs

It's possible to paste the relevant certificate at the end of: ca-bundle.crt. This seems to resolve the problem immediately.
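
One way to apply the approach from the answer above without editing the bundle inside the Git install directory. This is an added example, not part of the original answer. It copies the shipped ca-bundle.crt to a separate file, appends the inspection CA only if it is not already there, and points Git at the copy through http.sslCAInfo. The function names, the script name and the three path arguments are assumptions.

```shell
#!/bin/sh
# Added example: trust one extra CA in Git through a private bundle file.
# Usage (paths are placeholders): sh add-git-ca.sh BASE_BUNDLE CA_PEM OUT_BUNDLE

# Succeed only if FILE holds at least one complete PEM certificate block.
is_pem_cert() {
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || b=0
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1" 2>/dev/null) || e=0
    [ "${b:-0}" -ge 1 ] && [ "${b:-0}" -eq "${e:-0}" ]
}

# Print one line per certificate in FILE: its base64 body with CRs and
# line breaks removed, so CRLF and LF copies of a cert compare equal.
pem_bodies() {
    tr -d '\r' < "$1" | awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { body = body $0 }'
}

# Copy BASE to OUT on first use, then append CA unless OUT already has it.
add_ca_to_bundle() {
    base=$1; ca=$2; out=$3
    is_pem_cert "$ca" || { echo "not a PEM certificate: $ca" >&2; return 2; }
    want=$(pem_bodies "$ca" | head -n 1)
    [ -n "$want" ] || return 2
    [ -f "$out" ] || cp "$base" "$out" || return 1
    if pem_bodies "$out" | grep -qxF -- "$want"; then
        return 0    # already present: repeated runs do not grow the bundle
    fi
    { echo; tr -d '\r' < "$ca"; } >> "$out"
}

if [ "$#" -eq 3 ]; then
    # http.sslCAInfo persists the setting. A bare GIT_SSL_CAINFO=... line in
    # a shell is not passed on to git unless the variable is exported.
    add_ca_to_bundle "$1" "$2" "$3" && git config --global http.sslCAInfo "$3"
fi
```

Git for Windows can also validate against the Windows certificate store instead of a bundle file, with `git config --global http.sslBackend schannel`.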