I am running Gitblit on a Windows Server and am trying to push data to a repository from another machine on the network. I have used an SSL certificate (not self-signed, but I think signed by my company? Not really sure how that works but Chrome, IE, etc. see it is identity verified).
The server that runs Gitblit is named itscm, and on the developer's desktop I am using this URL to push data via TortoiseGit:
git.exe push --progress "https://itscm:8234/git/TestRepo.git" master
However, I get this error:
fatal: unable to access 'https://itscm:8234/git/TestRepo.git/': SSL certificate problem: self signed certificate in certificate chain
When I go to that address in Chrome, I get a 404 on the page, BUT I can see that the padlock in the URL bar is green. When I click the padlock I see that the identity is verified. I don't understand how my browser sees this certificate as valid but when I try to push data to it via Git, it fails.
Prepend GIT_SSL_NO_VERIFY=true before every git command run to skip SSL verification. This is particularly useful if you haven't checked out the repository yet. Run git config http.sslVerify false to disable SSL verification if you're working with a checked out repository already.
When pushing, pulling, or cloning, Git cannot verify your SSL certification, which leads to the error. A valid HTTPS handshake requires both the client and the server to create a secure connection, allowing for safe communication between your local machine and where the source code is hosted.
Git for Windows has its own trust store of trusted certificates which is normally located in the file
[Git installdir]\bin\curl-ca-bundle.crt (e.g., C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt; configured by the key http.sslCAinfo in [Git installdir]\etc\gitconfig).
[Git installdir]\mingwXX\ssl\certs\ca-bundle.crt where XX stands for 32 or 64 (e.g., C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt; configured by the key http.sslCAinfo in git config, e.g. C:\Program Files\Git\etc or your global/local config).
Disabling checking of certificates (e.g., by setting git config http.sslVerify false) is not a good idea and might be extremely dangerous (as all security checks are disabled and MitM attacks are easily possible - depending where this is set it applies for all new https connections).
In order to add a certificate (may it be a self-signed one or another root certificate) to this trust store in order to automatically trust it, you have to perform the following steps (the first five steps are just to gather the certificate, this can also be done with your favorite browser, but might require different tasks):
Open the URL of the site in Microsoft Edge
Click on the lock symbol in the local bar and choose "Connection is safe" and then click on the certificate symbol.
(Optional) Select the certificate you want to trust on the certificate chain (third tab) and open it
Go to the second tab "Details"
Click on "Save to file", choose "Base64-encoded X.509 (.CER)" and save it with a unique name (remember that name; a name w/o spaces is recommended).
Now you have several options:
git config --global http.sslCAinfo "[yourfilename]" in a cli shell in order to only use this certificate as the trust store.
git config --global http.sslCAinfo "[yourfilename]" in a cli shell in order to use this new trust store.
[path-to-git-trust-store-crt-file] (e.g. by type [yourfilename] >> [path-to-git-trust-store-crt-file] in a cli shell running with administrative rights) OR using notepad (make a copy of the ca-bundle.crt file on desktop, append the content of the downloaded .crt file and then copy it back). Disadvantage: changes might get overwritten on git update
Done. Now, this certificate is in the trust store of Git for Windows.
Recent versions of Git for Windows can also use the Windows certificate store, which might be more convenient in a corporate environment. This can be configured on installation.
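The copy-and-append step described in the answer above, as an added example that is not part of the original answer: a POSIX shell script (runnable in Git Bash) that copies Git's bundle to a separate file, rejects an export that is not Base64-encoded X.509, and appends the certificate only if it is not already present. The function names and the paths passed to them are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer). Function names are hypothetical;
# all paths are supplied by the caller.

# Succeeds only if FILE is a Base64 (PEM) export, not a binary DER one.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        grep -q -e '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# Print the Base64 body of the first certificate in FILE on one line.
pem_body() {
    tr -d '\r' < "$1" | awk '
        /-----BEGIN CERTIFICATE-----/ { f = 1; next }
        /-----END CERTIFICATE-----/   { exit }
        f' | tr -d ' \t\n'
}

# Succeeds if BUNDLE ($1) already contains the certificate in CERT ($2).
bundle_has_cert() {
    want=$(pem_body "$2")
    [ -n "$want" ] || return 1
    tr -d '\r' < "$1" | awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; f = 1; next }
        /-----END CERTIFICATE-----/   { if (buf == want) found = 1; f = 0; next }
        f { gsub(/[ \t]/, ""); buf = buf $0 }
        END { exit (found ? 0 : 1) }'
}

# build_user_bundle GIT_BUNDLE CERT OUT
# Copies Git's bundle to OUT and appends CERT once. Git's own file is left
# untouched, which avoids the overwrite-on-update disadvantage noted above.
build_user_bundle() {
    src=$1; cert=$2; out=$3
    [ -r "$src" ] || { echo "cannot read bundle: $src" >&2; return 2; }
    is_pem_cert "$cert" || {
        echo "$cert is not a Base64-encoded X.509 export" >&2; return 3; }
    cp "$src" "$out" || return 4
    if bundle_has_cert "$out" "$cert"; then return 0; fi
    # Normalise CRLF from the Windows export and keep PEM blocks separated.
    { printf '\n'; tr -d '\r' < "$cert"; printf '\n'; } >> "$out"
}
```

After build_user_bundle succeeds, run git config --global http.sslCAinfo "[yourfilename]" with the output path so that Git uses the combined file.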