32

I want to clone the git repository with the help of TortoiseGit, but I am getting an error:

    error: SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://git.assembla.com/pplconnect-PL.webserver.git/info/refs?service=git-upload-pack
    fatal: HTTP request failed

git did not exit cleanly (exit code 128).

Any help or guidance will be well appreciated.

Screenshot

abhishek kumar gupta
  • possible duplicate of [SSL certificate rejected trying to access GitHub over HTTPS behind firewall](http://stackoverflow.com/questions/3777075/ssl-certificate-rejected-trying-to-access-github-over-https-behind-firewall) –  Apr 18 '14 at 19:20

7 Answers

23

You can choose to ignore the server certificate (at your own risk!).

Configure your TortoiseGit in the following way. First of all open the TortoiseGit settings.

Then:

  1. Select the Git configuration
  2. Open the global git configuration pressing "Edit systemwide gitconfig"
  3. In the [http] section write:

[http]
sslVerify = false

Raghavendra
user294580
  • 10
    **Disabling SSL verification is EXTREMELY DANGEROUS.** The whole point of SSL certificate verification is to protect your code from being tampered with when you're transmitting it over HTTPS. Disabling it means that malicious people can insert vulnerabilities and other nasty things into your code as you push and fetch it. Not recommended unless you're sure that Man in the Middle attacks are not a concern for you. – MrTux Apr 24 '18 at 08:10
  • 2
    Do not disable ssl server certificate validation globally. The best way is to add the right certificate. Otherwise disable for a particular repository. – JVS Nov 26 '18 at 08:22
16

The correct solution is simple: Tell Git to use the Windows certificate store. This is supported by git version >= 2.14 (not sure what Tortoise version that relates to).

To configure via the command line:

  1. Find the folder where git is installed (for TortoiseGit: TortoiseGit -> Settings -> General, Git.exe path = (e.g.) C:\Program Files\git\bin)
  2. In Explorer browse to this folder then shift right click "Command Prompt here"
  3. Enter the following git configuration command
    git config --global http.sslBackend schannel
    

Or, from the TortoiseGit interface:

  1. On the Git panel click the "Edit global .gitconfig" button.
  2. If there isn't a [http] section in the file, add that line.
  3. Update or add the line sslBackend = schannel to the [http] section, so it should look like:
    [http]
      sslBackend = schannel
    

Install your self-signed certificate chains in the Windows Certificate Store as normal.

smsearcy
Jay M
  • This works a treat. Thanks ... – takrl Jan 17 '22 at 09:33
  • 1
    Instead of going through the command-line, from the TortoiseGit interface, on the "Git" panel there is a button to "Edit global .gitconfig" (or systemwide). Either edit the systemwide file and update the backend to "sslBackend = schannel", or edit the global file and add that line in a "[http]" section on the global one. – smsearcy Apr 28 '22 at 18:41
15

Configure git to use the right root certificate. Get the root CA certificate of the server and add it to the git config. Run this in command prompt (don't forget to cd into your git repo):

git config http.sslCAinfo ~/certs/cacert.pem

You can choose to ignore the server certificate (at your own risk!).

git config http.sslVerify false

Security Warning: This is susceptible to Man in the Middle attacks. Be sure that this security concern is not an issue for you before you disable SSL certificate verification.

JVS
  • 6
    ***Disabling SSL verification is EXTREMELY DANGEROUS.*** The whole point of SSL certificate verification is to protect your code from being tampered with when you're transmitting it over HTTPS. Disabling it means that malicious people can insert vulnerabilities and other nasty things into your code as you push and fetch it. Not recommended unless you're sure that Man in the Middle attacks are not a concern for you. –  Apr 18 '14 at 19:19
  • 5
    This doesn't disable SSL per se. It ignores verifying the server certificate. Client still has to present certificate and this will be verified by the server. All communication will use SSL protocol. It is equivalent to -k in curl. But, I agree MITM attack is still possible. So this should never be used in public networks. – JVS Apr 20 '14 at 05:25
  • 1
    I recommend using the first option and just maintain the cacert.pem file. In my case, my employer had their own CA, which I added to the cacert.pem file. – Gordolio Feb 21 '18 at 20:47
12

All the top answers are really dangerous! Do not disable SSL verification globally!

Instead, use the excellent answer in another thread and very selectively allow a self-signed certificate for a specific site.

Edit the global .gitconfig file to include

[http "https://example.com"]
    sslCAInfo = C:\\Users\\<username>\\Documents\\ssl\\example.com.crt

The CRT file itself can be obtained in multiple ways. You can just save it using Firefox, store it somewhere safe and point your config to it.

FRob
4

Even though disabling SSL verification is considered dangerous for many reasons, sometimes this is feasible. Others have pointed out to use at least a "local" disabling, but not how to do this. For the record, here is how you can define in the global .gitconfig file (in Windows located under c:\Users\username) for a single repository to use openssl and disable the check. Just add the following (adjusted) lines:

[http "https://your.repo.com"]
 sslBackend = openssl
 sslVerify = false

For me this worked perfectly. As noted and linked in the answer from FRob, here is a more nuanced option that uses the pem certificate that you can often download yourself, e.g. when "clicking" on the lock symbol in your browser before the URL and searching for "additional information" (Firefox, others should be similar).

Frederik
2

Please check that your Git for Windows installation is correct.

As you can see in the screenshot git.exe cannot find the template directory - so I suppose git.exe also cannot find the shipped CA certificates.

If that doesn't help, see a description here for including a certificate into the Git trust store.

Community
MrTux
-3

Open Git CMD and run below command.

git config --global http.sslVerify false

ethemsulan
  • 6
    **Disabling SSL verification is EXTREMELY DANGEROUS.** The whole point of SSL certificate verification is to protect your code from being tampered with when you're transmitting it over HTTPS. Disabling it means that malicious people can insert vulnerabilities and other nasty things into your code as you push and fetch it. Not recommended unless you're sure that Man in the Middle attacks are not a concern for you. – MrTux Apr 24 '18 at 08:09
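
The answers above differ mainly in scope: a plain `[http]` section turns verification off for every HTTPS remote, while `[http "<url>"]` limits the setting to one host. The following is an added example, not code from any answer on this page: a small parser for gitconfig text that flags each `sslVerify` setting git would read as false and reports its scope. The function names and the HIGH/MEDIUM labels are assumptions of this example, and it reports every occurrence rather than resolving which setting git would finally apply.

```python
import re

# Section header: [http] or [http "https://host/"]
SECTION = re.compile(r'^\[\s*([\w.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
# Values git reads as boolean false (an empty value counts as false)
FALSE_VALUES = {"false", "no", "off", "0", ""}


def parse_http_settings(text):
    """Yield (url_scope, key, value) for every setting in an http section.

    url_scope is None for a plain [http] section, which applies to all remotes.
    """
    in_http, scope = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            in_http, scope = m.group(1).lower() == "http", m.group(2)
            continue
        if in_http:
            key, sep, value = line.partition("=")
            # A bare key with no "=" is boolean true in git config.
            value = re.split(r"\s[#;]", value)[0].strip() if sep else "true"
            yield scope, key.strip().lower(), value


def audit(text):
    """Return (severity, message) for each setting that disables verification."""
    findings = []
    for scope, key, value in parse_http_settings(text):
        if key == "sslverify" and value.lower() in FALSE_VALUES:
            if scope is None:
                findings.append(("HIGH", "verification off for every HTTPS remote"))
            else:
                findings.append(("MEDIUM", f"verification off for {scope}"))
    return findings


# Constructed inputs, modelled on the config fragments quoted in the answers.
GLOBAL_OFF = "[http]\nsslVerify = false\n"
SCOPED_OFF = '[http "https://your.repo.com"]\n sslBackend = openssl\n sslVerify = false\n'
PINNED_CA = '[http "https://example.com"]\n    sslCAInfo = C:\\\\certs\\\\example.com.crt\n'
SCHANNEL = "[core]\n  autocrlf = true\n[http]\n  sslBackend = schannel\n"

if __name__ == "__main__":
    for name in ("GLOBAL_OFF", "SCOPED_OFF", "PINNED_CA", "SCHANNEL"):
        print(name, audit(globals()[name]))
```

Run it over the contents of the systemwide, global and per-repository config files in turn, since any of them can carry the setting.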