
Git stopped working over SSL on Windows

Tags: git, https, ssl, tfs

We have a new TFS 2017 server set up on-premises. My sysadmin set up https and generated a self-signed certificate. Everything works fine with Visual Studio's built-in git tools. When I try to do anything from the CLI, I get the following error:

SSL certificate problem: unable to get local issuer certificate

What I have tried:

  • Installed the certificate in the Trusted Root Certificate Authorities store on my client machine (it is also installed on the server). To install it, I simply double-clicked the .pfx file provided to me, entered the password, and chose the Trusted Root store.

  • After some troubleshooting, I exported the local certificate as a Base-64 encoded x.509 (.CER) file, and appended it to ca-bundle.crt

  • Double-checked my git config to ensure http.sslcainfo is pointed to the correct ca-bundle.crt file.

  • Used openssl to connect to my server. This gives me two error messages:

    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 OU = Created by Team Foundation Server, CN = my.company.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    Certificate chain
     0 s:/OU=Created by Team Foundation Server/CN=my.company.com
       i:/OU=Created by Team Foundation Server/CN=my.company.com

  • Tried to use the CLI from other machines to connect over https, with the same results.

Update

Still no luck getting this working, but was curious if the fact that the self-signed certificate is signed with a private key would have anything to do with our issues.

[Image: Self-Signed certificate is signed with a pk]

Mike Gasparelli asked Dec 11 '22 13:12


1 Answer

It seems your issue is not TFS related, but your self-signed certificate cannot be verified. You can check the solution here:

Workaround

Tell git to not perform the validation of the certificate using the global option:

git config --global http.sslVerify false

Resolution

There are several ways this issue has been resolved previously:

A. Ensure the root cert is added to git.exe's certificate store as discussed here.

B. Tell Git where to find the CA bundle by running:

git config --system http.sslCAPath /absolute/path/to/git/certificates

or copying the CA bundle to the /bin directory and adding the following to the gitconfig file:

[http]
    sslCAinfo = /bin/curl-ca-bundle.crt

C. Reinstalling Git.

D. Ensuring that the complete CA is present, including the root cert.

After solving the SSL issue, you may refer to the following case in case you have an authentication issue on the command line:

Using Git with TFS 2017 - Works in Visual studio but not Command Line

Cece Dong - MSFT answered Dec 13 '22 04:12
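The workaround in the answer above turns certificate validation off for every repository and host, so once the CA bundle is fixed it is worth confirming the setting is gone. The following is an added example, not part of the original answer: a POSIX shell function that scans gitconfig files for http sections that disable sslVerify. The function names, the sample config, the `C:/certs/tfs-root.cer` path and the `other.example` host are constructed for illustration, and the parser is simplified.

```shell
# Added example: report every [http] section in a gitconfig file that turns TLS
# certificate verification off. Simplified: one key per line, includes not followed.
find_sslverify_off() {
    # $@: gitconfig files. Prints "<file>: [<section>] sslVerify = <value>".
    for cfg in "$@"; do
        [ -r "$cfg" ] || continue
        awk -v file="$cfg" '
            /^[ \t]*[#;]/ { next }                    # whole-line comment
            /^[ \t]*\[/ {                             # section header
                section = $0
                sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
                in_http = (tolower(section) ~ /^http([ \t]|$)/)
                next
            }
            in_http {
                line = $0
                sub(/[ \t]*[#;].*$/, "", line)        # trailing comment
                n = index(line, "=")
                if (n == 0) next
                key = tolower(substr(line, 1, n - 1)); gsub(/[ \t]/, "", key)
                val = tolower(substr(line, n + 1));    gsub(/[ \t"]/, "", val)
                # git reads false, no, off and 0 as boolean false
                if (key == "sslverify" && val ~ /^(false|no|off|0)$/)
                    printf "%s: [%s] sslVerify = %s\n", file, section, val
            }
        ' "$cfg"
    done
}

write_sample_config() {
    # Constructed sample: global switch off, one host pinned to a CA file,
    # one host-scoped switch off. The path and the second host are made up.
    cat > "$1" <<'EOF'
[http]
    sslVerify = false
[http "https://my.company.com/"]
    sslCAInfo = C:/certs/tfs-root.cer
    sslVerify = true
[http "https://other.example/"]
    sslverify = off ; temporary
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
find_sslverify_off "$sample"
rm -f "$sample"
```

The `[http "https://my.company.com/"]` section in the sample shows the scoped form: trust for the self-signed certificate is limited to one host through `sslCAInfo`, and verification stays on everywhere.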