44

I have a corporate git server working through https using a self-signed certificate. The local clone contains two remotes — the origin pointing to that server, and another pointing to github. By default pulling from the origin fails:

$ git pull
fatal: unable to access 'https://user@code.example.com/git/fizzbuzz.git/': SSL certificate problem: self signed certificate

The github remote works fine.

There are two often-suggested solutions:

git config http.sslVerify false

which is a bad idea, and the one suggested at configure Git to accept a particular self-signed server certificate for a particular https remote:

git config http.sslCAInfo <downloaded certificate>.pem

which fixes pulling from origin, but breaks the github remote:

$ git pull github
fatal: unable to access 'https://github.com/user/fizzbuzz.git/': SSL certificate problem: unable to get local issuer certificate

How to make pulling from the corporate server work without breaking pulling from github?

Community
Michael Ivko

2 Answers

76

If you are using Git 1.8.5+ (August 2013), you can specify http directives per URL(!).

In your case:

git config --global http."https://code.example.com/".sslVerify false
#
# or, if not on default 443 port:
#
git config --global http."https://code.example.com:<aPort>/".sslVerify false

That would disable SSL verification only for code.example.com, not for other URLs.

Or:

git config --global http."https://code.example.com/".sslCAInfo <downloaded certificate>.pem

Same idea: sslCAInfo would point to <downloaded certificate>.pem only for code.example.com URLs.

It is possible to add your certificate in the Git system certificate store, which, with git-for-windows, would be in C:\path\to\PortableGit-2.6.1-64-bit\usr\ssl\certs\ca-bundle.crt.
It isn't the best practice, though, unless you have to distribute a Git distro with internal certificates in it.

Gustavo Silva
VonC
  • How can you use a wildcard like *.mycompany.com to match all subdomains? – bbodenmiller Oct 04 '16 at 06:25
  • @bbodenmiller I don't know if you can: that would be a good question to ask. – VonC Oct 04 '16 at 06:38
  • The first example does not seem to work with global. We have an intranet git server with a self signed certificate for which I tried to set sslVerify to false by using the URL example. This makes sense for us, since we have dozens of projects on that domain and it would be annoying to configure this for every single project in the local config file. But it simply does not seem to work. – EDREP Mar 17 '17 at 13:08
  • @IroNEDR What version of Git are you using? The setting is to be set on the client side, not the server side. – VonC Mar 17 '17 at 13:09
  • @VonC Wow thanks for the quick reply! I know that this has to be set on the client side. I am trying this on my computer which is running Windows 7 with git version 2.10.2. When I enter: `git config --global --get-urlmatch http https:/my.server.com/`, it returns http.sslverify false. – EDREP Mar 17 '17 at 13:13
  • @IroNEDR I suppose the issue would persist with Git 2.12? What error message do you see? – VonC Mar 17 '17 at 13:15
  • @VonC I haven't tried updating Git to version 2.12. Setting the configurations works perfectly without returning any error messages. And everything works if I simply set `[http] sslVerify = false` in the global config. It just doesn't work with the url: `[http "https://my.server.com/"] sslVerify = false` in the global config. It works for the individual local repo configs though. The error I receive is this one: `SSL certificate problem: self signed certificate` – EDREP Mar 17 '17 at 13:23
  • @VonC I fixed the issue. The problem was my stupidity. Since we switched from http to https the remote URL in my repo config file was still set to the "http" version. All I had to do was change the URL to "https". – EDREP Mar 17 '17 at 14:46
  • @IroNEDR Good catch! Using https will help indeed ;) – VonC Mar 17 '17 at 15:01
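
An added example, not part of the answer above or its comments: it writes the per-URL `sslCAInfo` setting into a scratch config file and uses `git config --get-urlmatch` to show which remote URLs the entry applies to, including the `http://` versus `https://` mismatch from the comments. The CA path, the port 8443 URL and the helper names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Uses a scratch config file so ~/.gitconfig is never touched.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT

# Constructed placeholder path; point this at the PEM downloaded from the server.
CORP_CA=/etc/ssl/corp/code-example-ca.pem

# Trust the corporate CA only for this scheme + host (default port).
git config --file "$CFG" http."https://code.example.com/".sslCAInfo "$CORP_CA"

# effective_http KEY URL: print the http.KEY value Git would apply to URL.
# Exits non-zero when no entry matches, i.e. Git keeps its built-in default.
effective_http() {
    git config --file "$CFG" --get-urlmatch "http.$1" "$2"
}

# Constructed remote URLs covering the cases discussed on this page.
show_matches() {
    for url in \
        "https://user@code.example.com/git/fizzbuzz.git/" \
        "https://github.com/user/fizzbuzz.git/" \
        "http://code.example.com/git/fizzbuzz.git/" \
        "https://code.example.com:8443/git/fizzbuzz.git/"
    do
        ca=$(effective_http sslCAInfo "$url") || ca="(no match: default CA bundle)"
        printf '%-50s %s\n' "$url" "$ca"
    done
}

show_matches
```

Only the first URL prints the corporate CA path; the other three fall through to the default, which is why the GitHub remote keeps verifying against the normal CA bundle.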
6

As of v2.5.0 of Git for Windows, the installed certificate file has moved to C:\Program Files (x86)\Git\mingw32\ssl\certs\ca-bundle.crt. You have to add your certs into this file.

Adrian W
super_kamil