2

When trying to clone a VSTS project repo to my Mac (via VS Code Terminal) I get the following certificate error

git clone https://abc-masked.visualstudio.com/Test/_git/Test.UI

Cloning into 'Test.UI'...
Configuration::loadGitConfiguration
Program::loadOperationArguments
Configuration::tryGetEntry
Configuration::tryGetEntry
Configuration::tryGetEntry
Configuration::tryGetEntry
Configuration::tryGetEntry
Configuration::tryGetEntry
Program::EnableTraceLogging
Program::get
   targetUri = https://abc-masked.visualstudio.com/
Program::ComponentFactory::createSecureStore
Getting a persistent token store that must be secure
Getting a persistent credential store that must be secure
Program::createAuthentication
   detecting authority type
BaseVsoAuthentication::getAuthentication
BaseVsoAuthentication::detectAuthority
   detected visualstudio.com, checking AAD vs MSA
Fatal error encountered.  Details:
java.lang.Error: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.microsoft.alm.authentication.BaseVsoAuthentication.detectAuthority(BaseVsoAuthentication.java:293)
    at com.microsoft.alm.authentication.BaseVsoAuthentication.getAuthentication(BaseVsoAuthentication.java:324)
    at com.microsoft.alm.gitcredentialmanager.Program.createAuthentication(Program.java:915)
    at com.microsoft.alm.gitcredentialmanager.Program$ComponentFactory.createAuthentication(Program.java:1174)
    at com.microsoft.alm.gitcredentialmanager.Program.initialize(Program.java:883)
    at com.microsoft.alm.gitcredentialmanager.Program.get(Program.java:292)
    at com.microsoft.alm.gitcredentialmanager.Program.access$200(Program.java:63)
    at com.microsoft.alm.gitcredentialmanager.Program$3.call(Program.java:284)
    at com.microsoft.alm.gitcredentialmanager.Program$3.call(Program.java:281)
    at com.microsoft.alm.gitcredentialmanager.Program.innerMain(Program.java:195)
    at com.microsoft.alm.gitcredentialmanager.Program.main(Program.java:123)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:163)
    at com.microsoft.alm.helpers.HttpClient.head(HttpClient.java:97)
    at com.microsoft.alm.authentication.BaseVsoAuthentication.detectAuthority(BaseVsoAuthentication.java:277)
    ... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1313)
    ... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 31 more
fatal: credential helper '!java -Ddebug=true -Djava.net.useSystemProxies=true -jar /usr/local/Cellar/git-credential-manager/2.0.4/libexec/git-credential-manager-2.0.4.jar' told us to quit

I have tried the following:

  1. Updated the Java version

  2. I downloaded the certificate from my VSTS domain (abc-masked.visualstudio.com) and added it to the Java keystore but that did not help.

    Also, I have git-credential-manager installed.

I am new to git, Can you please point me in the right direction?

Edit: This URL https://abc-masked.visualstudio.com/ when I open in the browser immediately redirects to https://dev.azure.com/abc-masked.So I added both *.dev.azure.com and *.visualstudio.com certs to both Mac keychain and Java Keystore

Naveen Velaga
  • 648
  • 1
  • 11
  • 22
  • Error says that "I cannot find all the necessary certificates and thus cannot trust this site" -> one or more certificates from the trust chain is missing or cannot be loaded. Check for solution: https://stackoverflow.com/questions/9619030/resolving-javax-net-ssl-sslhandshakeexception-sun-security-validator-validatore – Jokkeri Mar 18 '19 at 07:38
  • @Jokkeri: I did check the thread but I am on Mac and I have already added the cert to the -keystore cacerts. Anything else that I need to verify here..? – Naveen Velaga Mar 18 '19 at 07:41
  • It could be that you have only added the actual server cert but you are missing the CA certs from the truststore. It could be that java doesn’t recognize the root certificate authority (CA). Check this answer: https://stackoverflow.com/a/12524960/2996452 – Jokkeri Mar 18 '19 at 07:47
  • I added the CA cert, but still the same error. Added the certs to Mac keychain as well but noting seem to work – Naveen Velaga Mar 20 '19 at 20:04
  • I don't get it, why exactly is it running Java when you run a git command? – Nestor Sokil Mar 24 '19 at 13:32

1 Answers1

0

Virtually, you have to trust the certificate. Get trusted certificate to clone a repo. You can refer my github url, I am doing exactly the same to clone a repo.

https://github.com/debjava/ddlab-gitpusher-idea/blob/master/ddlab.gitpusher.core/src/main/java/com/ddlab/gitpusher/util/HTTPUtil.java

Sambit
  • 7,625
  • 7
  • 34
  • 65
  • You have to do programmatically to trust all. Just go through the github code link which I shared. If possible, share your code so that I can check. – Sambit Mar 25 '19 at 06:57
  • Well there is no code, I am trying to clone git from Mac terminal as mentioned in the question – Naveen Velaga Mar 27 '19 at 07:57