
When fetching with git on Cygwin you get:

Fetching origin
fatal: unable to access 'https://.../...git': SSL certificate problem: self signed certificate in certificate chain
error: Could not fetch origin

The certificate was added to /etc/ssl/certs/ca-bundle.crt and other bundle files, but on the next Cygwin update the problem reappeared.

Community (edited by Jason Pyeron)

2 Answers


git-remote-https will read the following files for ca certificates:

/etc/ssl/certs/ca-bundle.crt
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

If you edit these files, they will be overwritten each time the Cygwin setup is run and there is an update for the ca-certificates package.

The correct/proper solution is to add the certificate to the pick up directory and run the pickup script, update-ca-trust:

curl -sL http://ca.pdinc.us  > /etc/pki/ca-trust/source/anchors/ca.pdinc.us.pem \
&& update-ca-trust

The post install script for the ca-certificates package will automatically rerun the update-ca-trust script on every upgrade. For more information:

man update-ca-trust
Jason Pyeron

  • What is the `curl -sL` command supposed to do? It is http URL, so clearly not get the certificate chain as would be expected from context. – Jan Hudec Jan 18 '17 at 15:31
  • In current version, `git-remote-https` reads certificates from `/mingw64/ssl/certs/ca-bundle.crt`, because that is how it is configured in `/c/ProgramData/Git/config`. Neither `/mingw64/bin/update-ca-trust` nor `/usr/bin/update-ca-trust` update that file, so that script is not useful. I haven't found which is yet. – Jan Hudec Jan 20 '17 at 07:16
  • @JanHudec As of today's update, and since 2014 that does not seem to be the case. What git --version (git version 2.8.3) and uname -a (CYGWIN_NT-6.1-WOW black7 2.6.1(0.305/5/3) 2016-12-16 11:50 i686 Cygwin) are you on? – Jason Pyeron Jan 24 '17 at 00:34
  • `git version 2.11.0.windows.3`, `MINGW64_NT-6.1 ntb1005941 2.6.1(0.306/5/3) 2017-01-14 09:41 x86_64 Msys`. Ok; I didn't realise you are actually using cygwin version of git—I always used the native one with cygwin, because I needed native applications to work with it. Note that since msys2 is a fork of cygwin, both have the script. Actually, msys2 has three copies of it, one for msys, one for mingw32 and one for mingw64. And the git install does not use it then anyway. – Jan Hudec Jan 24 '17 at 07:51
  • that git is not a Cygwin git, if you run `GIT_CURL_VERBOSE=true git clone https://google.com` and look for `CAfile` or `CApath` – Jason Pyeron Feb 02 '17 at 05:31

Simpler instructions:

  1. Simply copy the file(s) with your enterprise's trusted certificates (e.g., .crt files) into the directory /etc/pki/ca-trust/source/anchors/.

  2. Run update-ca-trust extract. This will generate various files to make everything work.

You can add or remove files in the directory and re-run update-ca-trust extract.

NOTE: If your organization is one of the rare ones who use specialized certificates in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS), there's a slight change in step 1. Basically, copy the certificates to the directory /etc/pki/ca-trust/source/ instead. There's no harm in copying them to the "usual" location, and moving them later if the "usual" directory doesn't work.

For more details, run man update-ca-trust.

Yuri
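As an added example that is not part of either answer above: a POSIX sh check for the procedure both answers describe (anchor copied into /etc/pki/ca-trust/source/anchors/, then `update-ca-trust extract`), confirming that the anchor actually landed in the bundle git-remote-https reads rather than only trusting that the script ran. The bundle path /etc/ssl/certs/ca-bundle.crt is taken from the first answer; reading `http.sslCAInfo` from git's config and the file name corp-root.pem are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the answers' own code. After `update-ca-trust extract`,
# verify the anchor is present in the bundle git will use. Certificates are
# compared on their whitespace-stripped base64 body, because the extractor
# re-wraps PEM lines and may reorder certificates.

# Print the whitespace-stripped base64 body of every certificate in a PEM
# file, one body per line. "BEGIN TRUSTED CERTIFICATE" blocks are ignored.
pem_bodies() {
  awk '/-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
       /-----END CERTIFICATE-----/   { inblk = 0; print body; next }
       inblk { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# Return 0 only if every certificate in anchor file $1 appears in bundle $2
# and the anchor file contains at least one certificate.
anchor_in_bundle() {
  anchor=$1; bundle=$2
  bundle_bodies=$(pem_bodies "$bundle")
  n=0
  for body in $(pem_bodies "$anchor"); do
    n=$((n + 1))
    case "$bundle_bodies" in
      *"$body"*) ;;        # this anchor certificate is in the bundle
      *) return 1 ;;       # missing: extract did not pick it up
    esac
  done
  [ "$n" -gt 0 ]
}

# Bundle git actually reads: an explicit http.sslCAInfo wins (assumption:
# checked via git config), otherwise the Cygwin default from ca-certificates.
git_ca_bundle() {
  git config --get http.sslCAInfo 2>/dev/null || echo /etc/ssl/certs/ca-bundle.crt
}

# Usage on a Cygwin host (corp-root.pem is a placeholder for your CA file):
#   cp corp-root.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust extract
#   anchor_in_bundle /etc/pki/ca-trust/source/anchors/corp-root.pem "$(git_ca_bundle)" \
#     && echo "anchor present in $(git_ca_bundle)" || echo "anchor NOT in bundle"
```

Re-run the check after each Cygwin update; if it fails while the anchor file is still in place, the bundle in use is not the one update-ca-trust writes, which is the situation described in the comments above.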