54

I have upgraded my IntelliJ IDEA 2019.2 recently and I am getting the following error if I try to pull using my IDE:

Git Pull Failed: unable to access 'https://github.xxx.com/app-Hello-USD/DGS.git/': SSL certificate problem: self signed certificate in certificate chain.

Could someone help me with which option I have to enable?

Gino Mempin
user3123934
  • 2
    Does this answer your question? [How can I make git accept a self signed certificate?](https://stackoverflow.com/questions/11621768/how-can-i-make-git-accept-a-self-signed-certificate) – Gino Mempin Apr 27 '20 at 00:49

8 Answers

87

git config --global http.sslVerify false

CrazyCoder
  • Could you please explain why this is happening? – Meredith Hesketh Fortescue May 05 '21 at 10:22
  • 1
    @Meredith Usually it's a content filter/proxy/firewall that filters the SSL traffic in your network and uses the self signed certificate in order to decrypt all the secure traffic. Contact your network administrator / IT Helpdesk / Security team for details. Another possible case is when the git repository is configured with the self signed certificate. Contact the git server administrator for more details. – CrazyCoder May 05 '21 at 17:01
  • 15
    not a good solution, better solution would be to add the self-signed certificate to the trusted certificates – Erdinc Ay Sep 01 '21 at 08:54
  • @ErdincAy can you please explain how to do it? – Ahinoam Mazuz Oct 06 '21 at 08:32
  • 1
    @AhinoamMazuz look up the JDK - Folder of your system / your environment, that you use (for Maven or your IDE), you'll find a JRE folder in there, go down to libs and then to security, there you'll find the cacerts - Certificate Store file .... for example: C:/jdk1.8.0_202/jre/lib/security/cacerts ... now use KeyStore Explorer http://keystore-explorer.org/ and add the certificate that is missing (the Java Certificate Store Default password is: changeit) – Erdinc Ay Oct 07 '21 at 13:35
  • 1
    Don't forget to enable SSL verification after you've cloned the repository, otherwise Git will refuse to use SSL for any repository. – bezbos. Feb 23 '22 at 11:15
  • 6
    I _really_ wish "reduce security by breaking SSL certificate trust" wasn't the top answer to this question. – éclairevoyant Nov 01 '22 at 17:48
39

We can use Windows certificate storage mechanism.

Please try this

git config --global http.sslbackend schannel
Gino Mempin
Kyu Lee
  • 5
    This is probably the best answer. That way we can import certs using Windows's native tools and not break basic functionality. – éclairevoyant Nov 01 '22 at 17:49
  • 6
    I'm commenting to bring more attention to this answer. For Windows, this is the best answer. Especially if you are using a company owned and managed computer. When the company pushes updates to the CA it won't break your environment if you use schannel. Folks who work at a company where they unwrap and rewrap ssl traffic know what I mean. – FelixD Dec 02 '22 at 07:23
  • 1
    The best answer for windows. Thanks. – Xavi Torrens Feb 01 '23 at 11:30
  • This should be the accepted answer. Disabling SSL verification is a workaround suitable for diagnostics, but in a well configured Windows dev environment, Git really ought to be using the Windows cert management functionality. – Alex Apr 24 '23 at 12:56
26

This usually happens when your Git repository server is hosted inside a private network and uses a locally generated (self signed) TLS certificate. Because this certificate is not from a "trusted" source, most software will complain that the connection is not secure.

So you need to disable SSL verification on Git to clone the repository and immediately enable it again, otherwise Git will not verify certificate signatures for any other repository.

  1. Disable SSL verification on Git globally:
    git config --global http.sslVerify false
    
  2. Clone your repository:
    git clone <your repo>
    
  3. Enable SSL verification on Git globally:
    git config --global http.sslVerify true
    
  4. Change directory into your repo:
    cd <your repo>
    
  5. Disable SSL verification only on your repository:
    git config --local http.sslVerify false
    

In the first step, when turning off SSL verification, if you're getting this error:

warning: http.sslverify has multiple values
error: cannot overwrite multiple values with a single value
       Use a regexp, --add or --replace-all to change http.sslVerify.

Open your .gitconfig file and remove duplicate http.sslverify lines.

Gino Mempin
bezbos.
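
An audit to run after a procedure like the one above, showing every scope in which certificate verification is still switched off (an added example, not part of the answer; the function names are hypothetical):

```sh
#!/bin/sh
# Added example: report every place where Git's TLS certificate check is off.
# Run it from inside a repository so the local scope is included.

tab=$(printf '\t')

# Prints one line per finding: scope<TAB>origin<TAB>key
find_disabled_ssl_verify() {
    # If this variable is set at all, Git skips verification regardless
    # of what the config files say.
    if [ -n "${GIT_SSL_NO_VERIFY+set}" ]; then
        printf 'env%senvironment%sGIT_SSL_NO_VERIFY\n' "$tab" "$tab"
    fi
    for scope in system global local; do
        # Matches http.sslVerify and per-URL http.<url>.sslVerify entries;
        # --bool normalises no/off/0 to "false".
        git config --"$scope" --bool --show-origin \
            --get-regexp '^http\.(.*\.)?sslverify$' 2>/dev/null |
        while IFS="$tab" read -r origin key_value; do
            if [ "${key_value##* }" = false ]; then
                printf '%s\t%s\t%s\n' "$scope" "$origin" "${key_value% *}"
            fi
        done
    done
    return 0
}

# Remove http.sslVerify from one scope (system, global or local), including
# duplicate entries (the "multiple values" case), so that scope no longer
# overrides Git's default of verifying certificates.
reset_ssl_verify() {
    git config --"$1" --unset-all http.sslVerify
}
```

A finding in the `global` scope means every repository for that user skips verification; a `local` finding is limited to the repository it was run in.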
8

If you want to add the self-signed cert, export the cert you want as a Base-64 encoded .CER file. Locate your Git cert.pem file (for me it is in C:\Program Files\Git\usr\ssl\cert.pem). Open up your .CER file in a text-editor, and copy/paste the contents at the end of your cert.pem file. Save the file. Then open up your console and type

 git config --global http.sslCAInfo "C:\Program Files\Git\usr\ssl\cert.pem"
codeMonkey
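
A variant of the approach above that leaves Git's bundled cert.pem untouched: the exported certificate stays in its own file and is applied to one host only through Git's `http.<url>.*` settings. This is an added example, not part of the answer; the function names and the host `git.example.internal` are placeholders.

```sh
#!/bin/sh
# Added example: trust one exported CA certificate for one HTTPS host only.

# trust_ca_for_host <host> <absolute path to Base-64 (PEM) certificate file>
trust_ca_for_host() {
    host=$1
    pem=$2
    # Refuse anything that is not a PEM export (for example a binary DER
    # .CER file), because Git would fail to load it on the next fetch.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null; then
        echo "not a PEM certificate file: $pem" >&2
        return 1
    fi
    # Only URLs under https://<host>/ use this CA file; every other host
    # keeps the default trust settings.
    git config --global "http.https://$host/.sslCAInfo" "$pem"
}

# Print the CA file Git would use for a remote URL (empty output means no
# sslCAInfo override applies to it).
ca_for_url() {
    git config --get-urlmatch http.sslCAInfo "$1" || true
}

# Example calls (placeholder host and path):
#   trust_ca_for_host git.example.internal "$HOME/certs/corp-root.pem"
#   ca_for_url https://git.example.internal/team/app.git
```

Because the certificate lives outside the Git installation directory, reinstalling or upgrading Git does not discard it.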
2

If you are connected to a VPN, please try without the VPN. I got this error because of this issue.

suranga upul
1

For github.com you may change protocol from HTTPS to SSH:

  1. open .git/config

  2. fix url in [remote "origin"] block

    old: url = https://github.com/myname/proj1

    new: url = git@github.com:myname/proj1.git

Vladimir
-1

This can be fixed by disabling SSL checking in the git config for the affected repositories. This should not require elevated privileges to complete.

git config http.sslVerify "false"

This command does not require use of the --global argument.

Gino Mempin
brethvoice
  • The trouble ticket I submitted to IT stated that "The git bash terminal was unable to access the URL of the repo which I could view from a browser in Bitbucket. The reason was an SSL certificate problem: 'self-signed certificate in certificate chain.'" – brethvoice May 11 '22 at 13:53
-1

It seemed like GIT was not configured by default to use the certificates in my Windows Trust Store. It worked for me by doing the following:

  1. Close your Intellij
  2. Open GIT Bash from the start menu and run this command: git config --global http.sslbackend schannel
  3. Reopen Intellij and try