OS X: Git with client certificates rejected

We access our Git server with client certificates by adding the following lines to ~/.gitconfig

[http]
        sslCAInfo = /path/to/git-ca.crt
        sslCert = /path/to/git-client.crt
        sslKey = /path/to/git-client.pem

This works fine on Linux, Windows and OS X <= 10.8 with exactly the same files. When I try it on OS X 10.10, I'm getting the following error:

bash-3.2$ git fetch
fatal: unable to access 'https://ourserver:12345/repository.git/': SSL: Can't load the certificate "/path/to/git-client.crt" and its private key: OSStatus -25299

The problem happens with git version 1.9.3 (Apple Git-50) as well as with git version 2.0.1.

Update: After removing the corresponding item from the Keychain, I'm getting the following crash:

bash-3.2$ git fetch
2014-11-17 09:58:51.257 git-remote-https[2787:12194] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[__NSPlaceholderArray initWithObjects:count:]: attempt to insert nil object from objects[0]'
*** First throw call stack:
(
    0   CoreFoundation                      0x00007fff9828164c __exceptionPreprocess + 172
    1   libobjc.A.dylib                     0x00007fff8f91c6de objc_exception_throw + 43
    2   CoreFoundation                      0x00007fff98125068 -[__NSPlaceholderArray initWithObjects:count:] + 360
    3   CoreFoundation                      0x00007fff98124a2d CFArrayCreate + 141
    4   libcurl.4.dylib                     0x00007fff8f75169e darwinssl_connect_common + 2089
    5   libcurl.4.dylib                     0x00007fff8f75073a Curl_ssl_connect_nonblocking + 36
    6   libcurl.4.dylib                     0x00007fff8f719673 Curl_http_connect + 77
    7   libcurl.4.dylib                     0x00007fff8f727977 Curl_protocol_connect + 129
    8   libcurl.4.dylib                     0x00007fff8f739cef multi_runsingle + 799
    9   libcurl.4.dylib                     0x00007fff8f73993d curl_multi_perform + 170
    10  git-remote-https                    0x0000000109815c8a step_active_slots + 25
    11  git-remote-https                    0x0000000109815cfb run_active_slot + 77
    12  git-remote-https                    0x0000000109817621 http_request + 459
    13  git-remote-https                    0x0000000109816148 http_request_reauth + 34
    14  git-remote-https                    0x0000000109813f76 discover_refs + 476
    15  git-remote-https                    0x00000001098131e4 main + 1556
    16  libdyld.dylib                       0x00007fff94bd25c9 start + 1
    17  ???                                 0x0000000000000003 0x0 + 3
)
libc++abi.dylib: terminating with uncaught exception of type NSException

After this crash, the certificate entry has reappeared in the Keychain. The strange thing is that on OS X 10.8 nothing will be added to my Keychain while fetching from the repository.

Update 2: When I try the same on OS X 10.9, I'm getting the following error:

bash-3.2$ git fetch
fatal: unable to access 'https://ourserver:12345/repository.git/': SSL certificate problem: Invalid certificate chain

Update 3: I can successfully connect with openssl using these certificates, even on OS X 10.9:

bash-3.2$ openssl s_client -connect ourserver:12345 -cert /path/to/git-client.crt -key /path/to/git-client.pem
CONNECTED(00000003)
depth=1 /C=de/O=companyca/CN=internal-ca
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=de/O=companyserv/CN=smart
   i:/C=de/O=companyca/CN=internal-ca
 1 s:/C=de/O=companyca/CN=internal-ca
   i:/C=de/O=companyca/CN=internal-ca
---
Server certificate
...
<----------------------snip---------------------->
...
---
SSL handshake has read 2348 bytes and written 1360 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: E5873AF43D24CEE6529178B4EFD7FE3368711DF1BFBC6CA89C50F8D39DE0B014
    Session-ID-ctx: 
    Master-Key: <**********>
    Key-Arg   : None
    Start Time: 1416486728
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed

The problem looks similar to this one for GitHub, but we are using self-signed certificates.

Thomas S. asked Nov 17 '14 08:11

1 Answer

It looks like you are facing the same problem as in this docker issue where they conclude it's likely a bug in OSX curl.

In some other post they suggest that this could be caused by the certificate serial number either being 1 or being too large to fit in 32 bits.

On your OS X 10.9 case, I think "Invalid Certificate" should be solved by adding the certificate to the system keychain as trusted (discussed in this question).

This post describes some changes in OS X curl, which seem to be related. In my understanding, it might be a solution to switch to a different curl implementation (but likely that could only work if git were also installed using brew).

Michal answered Oct 20 '22 19:10

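The answer above names the client certificate's serial number (1, or wider than 32 bits) as a suspected trigger for the OS X curl failure. As an added check that is not part of the original thread, this stdlib-only Python script walks the DER of a PEM or DER certificate such as git-client.crt, pulls out the serial and flags those two cases; constructed_cert() builds a labelled stand-in holding only the fields the parser reads and is not a usable certificate.

```python
import base64, re, sys

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def load_der(data: bytes) -> bytes:
    """Accept a PEM or raw DER certificate and return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def serial_number(der: bytes) -> int:
    """Certificate -> tbsCertificate -> optional [0] version -> serialNumber INTEGER."""
    tag, cert, _ = read_tlv(der, 0)         # outer Certificate SEQUENCE
    tag, tbs, _ = read_tlv(cert, 0)         # tbsCertificate SEQUENCE
    tag, val, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                         # explicit [0] version present: skip it
        tag, val, nxt = read_tlv(tbs, nxt)
    assert tag == 0x02, "serialNumber INTEGER expected"
    return int.from_bytes(val, "big", signed=True)   # DER INTEGER is two's complement

def serial_findings(serial: int) -> list:
    """Flag the two serial values the answer names as suspect."""
    out = ["serial is 1"] if serial == 1 else []
    if serial.bit_length() > 32:
        out.append(f"serial needs {serial.bit_length()} bits, more than 32")
    return out

def der_encode(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder; only used to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def constructed_cert(serial: int, pem: bool = False) -> bytes:
    """Constructed stand-in with just the fields serial_number() walks; not a usable certificate."""
    def der_int(v): return der_encode(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
    der = der_encode(0x30, der_encode(0x30, der_encode(0xA0, der_int(2)) + der_int(serial)))
    return der if not pem else b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":   # usage: python check_serial.py /path/to/git-client.crt
    s = serial_number(load_der(open(sys.argv[1], "rb").read()))
    print(f"serial=0x{s:X}:", "; ".join(serial_findings(s)) or "no findings")
```

If you prefer the CLI, `openssl x509 -in /path/to/git-client.crt -noout -serial` prints the same value in hex.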