Git stopped working over SSL on Windows

Question

We have a new TFS 2017 server set up on-premises. My sysadmin set up https and generated a self-signed certificate. Everything works fine with Visual Studio's built-in git tools. When I try to do anything from the CLI, I get the following error: SSL certificate problem: unable to get local issuer certificate

What I have tried:

Installed the certificate in the Trusted Root Certificate Authorities store on my client machine (it is also installed on the server). To install it, I simply double-clicked the .pfx file provided to me, entered the password, and chose the Trusted Root store.
After some troubleshooting, I exported the local certificate as a Base-64 encoded x.509 (.CER) file, and appended it to ca-bundle.crt
Double-checked my git config to ensure http.sslcainfo is pointed to the correct ca-bundle.crt file.
Used openssl to connect to my server. This gives me two error messages: verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 OU = Created by Team Foundation Server, CN = my.company.com verify error:num=21:unable to verify the first certificate verify return:1 Certificate chain 0 s:/OU=Created by Team Foundation Server/CN=my.company.com i:/OU=Created by Team Foundation Server/CN=my.company.com
Tried to use the CLI from other machines to connect over https, with the same results.

Update

Still no luck getting this working, but was curious if the fact that the self-signed certificate is signed with a private key would have anything to do with our issues.

Possible duplicate of [Unable to resolve "unable to get local issuer certificate" using git on Windows with self-signed certificate](http://stackoverflow.com/questions/23885449/unable-to-resolve-unable-to-get-local-issuer-certificate-using-git-on-windows) — Barry Pollard, Jan 13 '17 at 21:53
Was finally able to convince my sysadmin to try the suggestion in the linked issue (use makecert to create the certificates) and that solved my problem — Mike Gasparelli, Jan 21 '17 at 15:23

score 14 · Answer 1 · edited Jan 29 '20 at 17:28

14

It seems your issue is not TFS related, but your self-signed certificate cannot be verified. You can check the solution here:

Workaround

Tell git to not perform the validation of the certificate using the global option:

git config --global http.sslVerify false

Resolution

There are several ways this issue has been resolved previously:

A. Ensure the root cert is added to git.exe's certificate store as discussed here.

B. Tell Git where to find the CA bundle by running:

git config --system http.sslCAPath /absolute/path/to/git/certificates

or copying the CA bundle to the /bin directory and adding the following to the gitconfig file:

sslCAinfo = /bin/curl-ca-bundle.crt

C. Reinstalling Git.

D. Ensuring that the complete CA is present, including the root cert.

After solving the SSL issue, you may refer to the following case just in case you have Authentication issue in command line:

Using Git with TFS 2017 - Works in Visual studio but not Command Line

edited Jan 29 '20 at 17:28

Jim G.

15,141
22
103
166

answered Jan 16 '17 at 09:26

Cece Dong - MSFT

29,631
1
24
39

I have a feeling that there is an issue with the certificate itself (which my sysadmin created for me). Going to circle back with him today and will report back with anything I find. – Mike Gasparelli Jan 16 '17 at 16:16
Was able to get this working by creating new CA certificate and signing a new server certificate using makecert – Mike Gasparelli Jan 21 '17 at 15:26
`http.sslVerify` doesn't seem to work on Windows in 2.19.x – Michał Fita Oct 04 '18 at 14:07

score 0 · Accepted Answer · answered Nov 01 '17 at 19:10

In the end, it turns out that it was the certificate that IIS generated that was the problem.

I found the solution on this SO question: Unable to resolve "unable to get local issuer certificate" using git on Windows with self-signed certificate

See the accepted answer for using makecert to generate your server certificate

Git stopped working over SSL on Windows

2 Answers2