110

Currently I have the following entry in my .gitconfig in my user directory.

    ...
    [http]
        sslCAInfo=C:\\Users\\julian.lettner\\.ssh\\git-test.pem
    ...

This sets the certificate to use when interacting with the git server (required by my company's git server).

But now I cannot clone other repositories (for example a public repository on GitHub), because the client always uses the configured certificate which gets rejected by other servers.

How can I circumvent this certification issue? Can I configure Git to use the Windows Certificate Store to authenticate?

Asked by Julian Lettner; edited by Stevoisiak
  • Related: [How can I make git accept a self signed certificate?](https://stackoverflow.com/q/11621768/3357935) – Stevoisiak Jan 11 '18 at 19:08
  • Related: https://stackoverflow.com/questions/17105955/ssl-certificate-issue-while-creating-git-clone-with-tortoisegit – Jay M Jan 19 '21 at 14:34
  • 1
    Your certificate doesn't get rejected by other servers. The issue is that the client (`git`) cannot verify the server's certificate. – Nicolas Lykke Iversen Mar 04 '21 at 11:35
  • Related question to this on [Azure DevOps](https://stackoverflow.com/questions/67976050/ssl-certificate-problem-unable-to-get-local-issuer-certificate-azure-devops). – Rajesh Swarnkar Feb 01 '22 at 10:51

2 Answers

332

Beginning with Git for Windows 2.14, you can now configure Git to use SChannel, the built-in Windows networking layer. This means that it will use the Windows certificate storage mechanism and you do not need to explicitly configure the curl CA storage mechanism.

From the Git for Windows 2.14 release notes:

It is now possible to switch between Secure Channel and OpenSSL for Git's HTTPS transport by setting the http.sslBackend config variable to "openssl" or "schannel"; This is now also the method used by the installer (rather than copying libcurl-4.dll files around).

You can choose the new SChannel mechanism during the installation of Git for Windows 2.14. You can also update an existing installation to use SChannel by running:

    git config --global http.sslBackend schannel

Once you have configured this, Git will use the Windows certificate store and should not require (and, in fact, should ignore) the http.sslCAInfo configuration setting.

Answered by Edward Thomson; edited by Pero P.
  • Seems like this should be the right way. However, I got this error: fatal: unable to access '...': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. But this may be a problem with the certificate itself. – Bluehorn Mar 11 '18 at 19:54
  • The latest version of git 2.17.1.2 comes bundled with libcurl and this will still read http.sslCAInfo, and if it contains errors it will still throw an SSL verification issue. Please see https://developercommunity.visualstudio.com/content/problem/267483/git-stops-trusting-private-certificates-via-schann-1.html for more detail. – JamesD Jun 19 '18 at 13:12
  • https://github.com/git-for-windows/git/releases/tag/v2.14.4.windows.2 and https://github.com/git-for-windows/git/commit/c5ad43e5eda4db8c734cdc6e3cf6c53353f69557 can be of interest. – VonC Jun 21 '18 at 19:55
  • Worked. Had to run this with administrator privileges. – rwms Jul 18 '18 at 07:41
  • @Bluehorn Open the certificate and find "CRL Distribution Point". See whether you can open the URL in browser. Git wants to access that URL to verify revocation status. – Franklin Yu Oct 24 '18 at 20:49
  • It's interesting that the new feature isn't mentioned in [official documentation](https://git-scm.com/docs/git-config/2.14.4)... – Franklin Yu Oct 25 '18 at 17:52
  • @FranklinYu Git for Windows is a fork of git - the documentation you're pointing to is not the official documentation for Git for Windows; you're pointing to the git documentation itself. You might find this mentioned in the official documentation for Git for Windows at https://gitforwindows.org/ (but it's possible that it is indeed missing from the official documentation). I regret that this is confusing. – Edward Thomson Oct 25 '18 at 18:28
  • @Bluehorn, there is another SO answer for that: https://stackoverflow.com/a/53090169/516433... Specifically, it says to `git config --global http.schannelCheckRevoke false` and that it's not particularly any less secure (with reasoning for that statement). – Lucas Jan 04 '19 at 20:13
  • @Lucas That may well be but the CRL Distribution Point is reachable and works fine everywhere else (as long as I am on the VPN). But I will try this the next time I have to deal with Windows. – Bluehorn Jan 17 '19 at 11:46
  • Does anybody know if there's a way to extend this configuration to the curl that comes with git for windows? I'd like it to extend trust based on the system CA store. – rfay Jun 03 '19 at 01:43
  • That did it for me... even though I got a message that my remote doesn't accept password authentication but only SSH... – Anael Dec 12 '19 at 05:31
  • Any way to do this during silent install? – Aurimas Stands with Ukraine Dec 11 '20 at 12:17
  • Worked like a charm for me w/o any issues, except that I had to remove all other `http.ssl*` options pertaining to certificates. – ZzZombo Jan 11 '21 at 08:17
  • Worked for me. But I had to run this command in the Visual Studio command prompt for Visual Studio projects. – Naresh Nagpal Nov 22 '21 at 12:00
  • Anybody could you please resolve this issue on Azure Devops build agent as asked in [this question](https://stackoverflow.com/questions/67976050/ssl-certificate-problem-unable-to-get-local-issuer-certificate-azure-devops)? – Rajesh Swarnkar Feb 01 '22 at 10:50
  • @Lucas Note that the linked answer suggesting to set `http.schannelCheckRevoke=false` assumes this to be no less secure because the corporate proxy is assumed to check the certificate. But in my setting *there is no proxy*, so this actually disabled certificate revocation. And our CRL distribution point is of course indeed reachable from the system in question. My point: `http.schannelCheckRevoke=false` is less secure *unless using a proxy*. – Bluehorn Mar 17 '22 at 11:08
  • Worked for me once I also removed http.schannelcheckrevoke=true from my git config --global settings – Ed HP Aug 31 '23 at 14:47
10

Use:

    git config --local ...

to specify per-repository settings. Local settings are stored in the .git directory.

An overview of the three locations where git can store settings:

  • --local: Repository specific, <repo_dir>/.git/config
  • --global: User-specific, ~/.gitconfig
  • --system: System default, /etc/gitconfig

More specific ones override more general settings, i.e. local overrides both global and system.

Answered by Andomar
  • Is there really no way to have Git for Windows accept the trusted root CAs already configured in the operating system? – Fabian Schmied May 21 '13 at 13:32
  • I haven't found a way to make git use the root CA. You can turn off certificate validation with the `git config --global http.sslVerify false` setting, or the `GIT_SSL_NO_VERIFY=true` environment variable. – Andomar May 21 '13 at 13:37
  • @Andomar 10 years later, the same problem still persists, on any Windows version, but not on every instance. The only common ground between systems where it is happening is that the user doesn't have machine admin rights, but it's unclear if that's the actual reason. – Swift - Friday Pie May 11 '23 at 09:30
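Added example, not taken from either answer or from Git itself: a small Python reader for Git's config file syntax that resolves `http.sslCAInfo` across the three scopes the second answer lists (system, global, local), later scopes overriding earlier ones. The three config texts are constructed; the global one is the question's own entry, and the local bundle path is a placeholder. It also decodes the backslash escapes that force the question's Windows path to be written with doubled backslashes.

```python
import re

SECTION_RE = re.compile(r'^\[([^\s"\]]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]$')
ESCAPES = {"n": "\n", "t": "\t", "b": "\b"}   # any other escaped char stands for itself

def unescape(raw):
    # Git's value escapes: \\ -> \, \" -> ", \n, \t, \b. This is why the question's
    # Windows path has to be written with doubled backslashes in .gitconfig.
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), raw)

def parse_gitconfig(text):
    """Return {'section[.subsection].key': value}; section and key names are case-insensitive."""
    result, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":            # blank or whole-line comment
            continue
        m = SECTION_RE.match(line)
        if m:                                      # [http] or [http "https://host"]
            section = m.group(1).lower()
            if m.group(2) is not None:
                section += "." + unescape(m.group(2))
            continue
        key, _, raw = line.partition("=")
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]                        # quoted value (trailing comments not handled)
        result[f"{section}.{key.strip().lower()}"] = unescape(raw)
    return result

def resolve(key, scopes):
    """scopes: (name, text) pairs in system, global, local order; the last scope setting key wins."""
    value, origin = None, None
    for name, text in scopes:
        if key.lower() in (cfg := parse_gitconfig(text)):
            value, origin = cfg[key.lower()], name
    return value, origin

# Constructed sample files; the global one is the entry from the question.
SYSTEM_CFG = "[http]\n    sslVerify = true\n"
GLOBAL_CFG = r"""[http]
    sslCAInfo=C:\\Users\\julian.lettner\\.ssh\\git-test.pem
"""
LOCAL_CFG = r"""; per-repository override; the bundle path is a placeholder
[http]
    sslCAInfo = "C:\\placeholder\\ca-bundle.crt"
"""
OUTSIDE_REPO = [("system", SYSTEM_CFG), ("global", GLOBAL_CFG)]
INSIDE_REPO = OUTSIDE_REPO + [("local", LOCAL_CFG)]
```

`resolve("http.sslCAInfo", OUTSIDE_REPO)` returns the question's path from the global scope, while `resolve("http.sslCAInfo", INSIDE_REPO)` returns the placeholder bundle from the local scope, which is exactly the override a `git config --local` entry gives you for one repository.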