I am using git on Windows. I installed the msysgit package. My test repository has a self signed certificate at the server. I can access and use the repository using http without problems. Moving to https gives the error "SSL Certificate problem: unable to get local issuer certificate".
I have the self signed certificate installed in the Trusted Root Certification Authorities of my Windows 7 - client machine. I can browse to the https repository url in Internet Explorer with no error messages.
This blog http://blogs.msdn.com/b/phkelley/archive/2014/01/20/adding-a-corporate-or-self-signed-certificate-authority-to-git-exe-s-store.aspx explained that curl does not use the client machine's certificate store. I followed the blog post's advice to create a private copy of curl-ca-bundle.crt and configure git to use it. I am sure git is using my copy. If I rename the copy; git complains the file is missing.
I pasted in my certificate, as mentioned in the blog post, I still get the message "unable to get local issuer certificate".
I verified that git was still working by cloning a GitHub Repository via https.
The only thing I see that's different to the blog post is that my certificate IS the root - there is no chain to reach it. My certificate originally came from clicking the IIS8 IIS Manager link 'Create Self Signed Certificate'. Maybe that makes a certificate different in some way to what curl expects.
How can I get git/curl to accept the self signed certificate?
Open Git Bash and run the command if you want to completely disable SSL verification.
git config --global http.sslVerify false
Note: This solution may open you to attacks like man-in-the-middle attacks. Therefore turn on verification again as soon as possible:
git config --global http.sslVerify true
I had this issue as well. In my case, I was trying to get a post-receive Git hook to update a working copy on a server with each push. Tried to follow the instructions in the blog you linked to. Didn't work for me as well and overriding the settings on a per-user basis didn't seem to work either.
What I ended up having to do was disable SSL verification (as the article mentions) for Git as a whole. Not the perfect solution, but it'll work until I can figure out a better one.
I edited the Git config text file (with my favorite line-ending neutral app like Notepad++) located at:
C:\Program Files (x86)\Git\etc\gitconfig
In the [http] block, I added an option to disable sslVerify. It looked like this when I was done:
[http]
sslVerify = false
sslCAinfo = /bin/curl-ca-bundle.crt
That did the trick.
NOTE: This disables SSL verification and is not recommended as a long term solution.
The problem is that git by default using the "Linux" crypto backend.
Beginning with Git for Windows 2.14, you can now configure Git to use SChannel, the built-in Windows networking layer as the crypto backend. This means that you it will use the Windows certificate storage mechanism and you do not need to explicitly configure the curl CA storage mechanism: https://msdn.microsoft.com/en-us/library/windows/desktop/aa380123(v=vs.85).aspx
Just execute:
git config --global http.sslbackend schannel
That should helps.
Using schannel is by now the standard setting when installing git for windows, also it is recommended to not checkout repositories by SSH anmore if possible, as https is easier to configure and less likely to be blocked by a firewall it means less chance of failure.
kiddailey I think was pretty close, however I would not disable ssl verification but rather rather just supply the local certificate:
In the Git config file
[http]
sslCAinfo = /bin/curl-ca-bundle.crt
Or via command line:
git config --global http.sslCAinfo /bin/curl-ca-bundle.crt
The answer to this question Using makecert for Development SSL fixed this for me.
I do not know why, but the certificate created by the simple 'Create Self Signed Certificate' link in IIS Manager does not do the trick. I followed the approach in the linked question of creating and installing a self-signed CA Root; then using that to issue a Server Authentication Certificate for my server. I installed both of them in IIS.
That gets my situation the same as the blog post referenced in the original question. Once the root certificate was copy/pasted into curl-ca-bundle.crt the git/curl combo were satisfied.
I faced this issue as well. And finally got resolved by getting guidance from this MSDN Blog.
Update
Actually you need to add the certificate in git's certificates file curl-ca-bundel.cert that resides in Git\bin directory.
Steps
- Open your github page in browser, and click over lock icon in address bar.
- In the opened little popup up navigate to 'view certificate' link, it will open a popup window.
- In which navigate to certificates tab (3rd in my case). Select the top node that is root certificate. And press copy certificate button in the bottom and save the file.
- In file explorer navigate Git\bin directory and open curl-ca-bundle.crt in text editor.
- Open the exported certificate file (in step 3) in text editor as well.
- Copy all of the content from exported certificate to the end of curl-ca-bundle.crt, and save.
Finally check the status. Please note that backup curl-ca-bundle.crt file before editing to remain on safe side.
To avoid disabling ssl verification entirely or duplicating / hacking the bundled CA certificate file used by git, you can export the host's certificate chain into a file, and make git use it:
git config --global http.https://the.host.com/.sslCAInfo c:/users/me/the.host.com.cer
If that does not work, you can disable ssl verification only for the host:
git config --global http.https://the.host.com/.sslVerify false
Note : Subjected to possible man in the middle attacks when ssl verification is turned off.
I've just had the same issue but using sourcetree on windows Same steps for normal GIT on Windows as well. Following the following steps I was able to solve this issue.
- Obtain the server certificate tree This can be done using chrome. Navigate to be server address. Click on the padlock icon and view the certificates. Export all of the certificate chain as base64 encoded files (PEM) format.
- Add the certificates to the trust chain of your GIT trust config file Run "git config --list". find the "http.sslcainfo" configuration this shows where the certificate trust file is located. Copy all the certificates into the trust chain file including the "- -BEGIN- -" and the "- -END- -".
- Make sure you add the entire certificate Chain to the certificates file
This should solve your issue with the self-signed certificates and using GIT.
I tried using the "http.sslcapath" configuration but this did not work. Also if i did not include the whole chain in the certificates file then this would also fail. If anyone has pointers on these please let me know as the above has to be repeated for a new install.
If this is the system GIT then you can use the options in TOOLS -> options GIt tab to use the system GIT and this then solves the issue in sourcetree as well.
In case of github Repositories (or any none-self-signed certs), choosing below while installing Git-on-windows, resolved the issue.
I have had this issue before, and solve it using the following config.
[http "https://your.domain"]
sslCAInfo=/path/to/your/domain/priviate-certificate
Since git 2.3.1, you can put https://your.domain after http to indicate the following certificate is only for it.
- Download certificate from this link: https://github.com/bagder/ca-bundle
- Add it to
C:\Program Files\Git\binandC:\Program Files\Git\mingw64\bin
Then try something like: git clone https://github.com/heroku/node-js-getting-started.git
One thing that messed me up was the format of the path (on my Windows PC). I originally had this:
git config --global http.sslCAInfo C:\certs\cacert.pem
But that failed with the "unable to get local issuer certificate" error.
What finally worked was this:
git config --global http.sslCAInfo "C:\\certs\\cacert.pem"
Use this command before to run composer update/install:
git config --global http.sslverify false
来源:https://stackoverflow.com/questions/23885449/unable-to-resolve-unable-to-get-local-issuer-certificate-using-git-on-windows