
I'm new to Linux, just installed Lubuntu and faced a problem: when I try to clone my remote work repo from my company's git server:

$ sudo git clone https://path/to/repo.git

I keep receiving this error:

Cloning into 'repo'...
fatal: unable to access 'https://path/to/repo.git/': server certificate verification failed. CAfile: none CRLfile: none

I know it's mentioning certificates, but I do not have any. And before, I worked on Windows and was able to simply git clone this repo without any certs.

vetal22331122
  • Does this answer your question? [server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none](https://stackoverflow.com/questions/21181231/server-certificate-verification-failed-cafile-etc-ssl-certs-ca-certificates-c) – Pratap Alok Raj May 22 '21 at 07:24
  • Side note: it's almost always bad to run `git clone` under `sudo`. This makes the entire Git repository owned by the super-user. At most, some files *extracted from* the repository should be owned by the super-user; at best (but not always possible), none of the files should ever be owned by the super-user. – torek May 22 '21 at 23:48

2 Answers


This error means that the git client cannot verify the integrity of the certificate chain or root. The proper way to resolve this issue is to make sure the certificate from the remote repository is valid, and then add it to the client system.

Update list of public CA

The first thing I would recommend is to simply update the list of root CAs known to the system, as shown below.

# update CA certificates
sudo apt-get install apt-transport-https ca-certificates -y
sudo update-ca-certificates

This may help if you are dealing with a system that has not been updated for a long time, but of course won’t resolve an issue with private certs.

Fetch certificates, direct connection

The error from the git client will be resolved if you add the certs from the remote git server to the list of locally checked certificates. This can be done by using openssl to pull the certificates from the remote host:

openssl s_client -showcerts -servername git.mycompany.com -connect git.mycompany.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'  > git-mycompany-com.pem

This will fetch the certificate used by “https://git.mycompany.com”, and copy the contents into a local file named “git-mycompany-com.pem”.

Fetch certificates, web proxy

If this host only has access to the git server via a web proxy like Squid, openssl will only be able to leverage a squid proxy if you are using OpenSSL 1.1.0 or higher. But if you are using an older version of OpenSSL, then you will need to work around this limitation by using something like socat to bind locally to port 4443, and proxy the traffic through squid to the final destination.

# install socat
sudo apt-get install socat -y

# listen locally on 4443, send traffic through squid "squidhost"
socat TCP4-LISTEN:4443,reuseaddr,fork PROXY:squidhost:git.mycompany.com:443,proxyport=3128

Then in another console, tell OpenSSL to pull the certificate from the localhost at port 4443.

openssl s_client -showcerts -servername git.mycompany.com -connect 127.0.0.1:4443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem

Add certificate to local certificate list

Whether by proxy or direct connection, you now have a list of the remote certificates in a file named “git-mycompany-com.pem”. This file will contain the certificate, its intermediate chain, and root CA certificate. The next step is to have this considered by the git client when connecting to the git server. This can be done either by adding the certificates to the file mentioned in the original error, in which case the change is made globally for all users, or by adding it to this single user's git configuration.

**Adding globally**

cat git-mycompany-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt

**Adding for single user**

git config --global http."https://git.mycompany.com/".sslCAInfo ~/git-mycompany-com.pem

Which silently adds the following lines to ~/.gitconfig

[http "https://git.mycompany.com/"]
        sslCAInfo = /home/user/git-mycompany-com.pem

Avoid workarounds

Avoid workarounds that skip SSL certification validation. Only use them to quickly test that certificates are the root issue, then use the sections above to resolve the issue.

git config --global http.sslverify false

export GIT_SSL_NO_VERIFY=true

Pratap Alok Raj
  • No offence, but unless your git server is hosted locally and you **know** it's secure that's a terrible idea (and recommendation). – tink Jun 05 '21 at 09:16
  • Thanks, @tink, for the suggestion. I completely agree with you. I have updated the answer accordingly. Please upvote if you find it useful :) – Pratap Alok Raj Jun 05 '21 at 10:39
  • Excellent answer! – Girl Spider Oct 24 '21 at 18:21
  • Thank you, thank you. This worked!!! Other examples I saw online didn't. Basically all the steps you outline were, key. The other examples missed certain steps and the explanation to it too. Thanks again. – Garth Humphreys Mar 13 '23 at 15:14
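Before trusting what the `openssl s_client -showcerts` step in the answer above returns, a practitioner would want to see which certificate in the bundle is actually the root (the one to compare, by fingerprint, against what the company publishes out-of-band), and confirm that the leaf really chains to that root and is issued for the expected host name. The script below is an added example, not code from the answer, from Git or from OpenSSL; the private CA, the server certificate, the host name git.mycompany.com and the file names are constructed placeholders so it runs offline, and the final `git config` step writes to a throwaway file instead of `~/.gitconfig`.

```shell
#!/usr/bin/env bash
# Added example (not from the answer above): inspect a PEM bundle of the kind
# `openssl s_client -showcerts` produces before anything in it is trusted.
# All certificates are constructed locally; hosts, subjects and paths are
# placeholders.
set -euo pipefail

# Split a PEM bundle into cert-01.pem, cert-02.pem, ... under $2; echo the count.
split_bundle() {
  local bundle="$1" outdir="$2" n=0 f
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
  for f in "$outdir"/cert-*.pem; do [ -e "$f" ] && n=$((n + 1)); done
  echo "$n"
}

# One line per certificate: subject|issuer|sha256-fingerprint|self-signed(yes/no).
# A self-signed entry is the root; its fingerprint is what you compare out-of-band.
describe_cert() {
  local pem="$1" subj iss fp ss=no
  subj=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
  fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | cut -d= -f2)
  [ "$subj" = "$iss" ] && ss=yes
  printf '%s|%s|%s|%s\n' "$subj" "$iss" "$fp" "$ss"
}

# Print the path of every self-signed certificate in a split directory.
find_root() {
  local f
  for f in "$1"/cert-*.pem; do
    case "$(describe_cert "$f")" in *'|yes') echo "$f" ;; esac
  done
}

# Does leaf $2 chain to the CA(s) in $1? (the system store is consulted as well)
verify_chain() {
  local out
  out=$(openssl verify -CAfile "$1" "$2" 2>/dev/null) || return 1
  printf '%s\n' "$out" | grep -q ': OK$'
}

# Same check, additionally requiring leaf $2 to be issued for host name $3.
verify_host() {
  local out
  out=$(openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null) || return 1
  printf '%s\n' "$out" | grep -q ': OK$'
}

# --- Constructed demo data: a private root CA and a server cert it issued ---
make_demo_bundle() {
  local work="$1"
  mkdir -p "$work"
  cat > "$work/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Corp Private Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:git.mycompany.com\n' > "$work/srv.ext"
  openssl req -x509 -config "$work/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
  openssl req -new -config "$work/ca.cnf" -subj '/CN=git.mycompany.com' -newkey rsa:2048 \
    -nodes -sha256 -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
  openssl x509 -req -in "$work/srv.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$work/srv.ext" -out "$work/srv.pem" 2>/dev/null
  # s_client -showcerts prints the leaf first, then the chain the server sent
  cat "$work/srv.pem" "$work/ca.pem" > "$work/git-mycompany-com.pem"
  echo "$work/git-mycompany-com.pem"
}

main() {
  local work split bundle root leaf f
  work=$(mktemp -d)
  bundle=$(make_demo_bundle "$work")
  split="$work/split"
  echo "certificates in bundle: $(split_bundle "$bundle" "$split")"
  for f in "$split"/cert-*.pem; do echo "$f: $(describe_cert "$f")"; done
  root=$(find_root "$split")
  leaf="$split/cert-01.pem"
  echo "self-signed root to compare out-of-band: $root"
  if verify_host "$root" "$leaf" git.mycompany.com; then
    echo "leaf chains to the root and is issued for git.mycompany.com"
  else
    echo "leaf does NOT verify against the root: do not trust this bundle"
  fi
  # Trust only the root, and only for this server, without touching ~/.gitconfig
  if command -v git >/dev/null; then
    git config -f "$work/gitconfig" http."https://git.mycompany.com/".sslCAInfo "$root"
    cat "$work/gitconfig"
  fi
}
main "$@"
```

Pointing the per-URL `sslCAInfo` at the self-signed root rather than at the whole bundle means the configuration survives the server's routine leaf rotation and widens trust for no other host. It also leaves the system store alone: `update-ca-certificates` regenerates `/etc/ssl/certs/ca-certificates.crt` from the certificate directories it manages, so anything appended to that file directly does not survive the next run.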

I know there is an answer already. Just for those who use a private network, like Zscaler or so, this error can occur if your root cert needs to be updated. Here is a solution for how this update can be achieved if using WSL on a Windows machine:

#!/usr/bin/bash

# I exported the Zscaler certificate out of Microsoft Cert Manager.  It was located under 'Trusted Root Certification > Certificates' as zscaler_cert.cer.
# Though the extension is '.cer' it really is a DER formatted file.
# I then copied that file into Ubuntu running in WSL.

# Convert DER encoded file to CRT.
openssl x509 -inform DER -in zscaler_cert.cer -out zscaler_cert.crt

# Move the CRT file to /usr/local/share/ca-certificates
sudo mv zscaler_cert.crt /usr/local/share/ca-certificates

# Inform Ubuntu of new cert.
sudo update-ca-certificates

DataBach
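To go with the DER-to-PEM conversion and trust-store update in the answer above, here is an added example (not the answer's own script) of the checks worth running on such an exported root before and after installing it: that the conversion produced the same certificate, whether the root has expired or is about to (one reason a previously working corporate root suddenly fails verification), and that the file lands under the `.crt` name that `update-ca-certificates` picks up from `/usr/local/share/ca-certificates`. The self-signed root, the `zscaler_cert.cer` name and the temporary directory standing in for `/usr/local/share/ca-certificates` are constructed placeholders so the script runs offline and without root.

```shell
#!/usr/bin/env bash
# Added example (not from the answer above): checks around converting an
# exported DER root and installing it for update-ca-certificates. The
# certificate is constructed locally; names and paths are placeholders, and a
# temporary directory stands in for /usr/local/share/ca-certificates.
set -euo pipefail

# Convert a DER (.cer) certificate to PEM; echo the output path.
der_to_pem() {
  local der="$1" pem="$2"
  openssl x509 -inform DER -in "$der" -out "$pem"
  echo "$pem"
}

# SHA-256 fingerprint of a certificate (PEM by default, DER when $2=DER).
# Equal fingerprints before and after conversion prove nothing was altered.
fingerprint() {
  openssl x509 -inform "${2:-PEM}" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 if the certificate is still valid $2 seconds from now, 1 if it will
# have expired by then ($2 = 0 asks "has it already expired?").
valid_for() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Copy a PEM certificate into a ca-certificates directory under a .crt name
# (update-ca-certificates only processes *.crt there); echo the destination.
install_local_ca() {
  local pem="$1" dir="$2" name
  name=$(basename "${pem%.*}").crt
  mkdir -p "$dir"
  cp "$pem" "$dir/$name"
  echo "$dir/$name"
}

# --- Constructed demo data: a self-signed root, exported as DER like the .cer ---
make_demo_der() {
  local work="$1"
  mkdir -p "$work"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj '/CN=Example Corp Root CA' -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
  openssl x509 -in "$work/root.pem" -outform DER -out "$work/zscaler_cert.cer"
  echo "$work/zscaler_cert.cer"
}

main() {
  local work der pem dst
  work=$(mktemp -d)
  der=$(make_demo_der "$work")
  pem=$(der_to_pem "$der" "$work/zscaler_cert.pem")
  if [ "$(fingerprint "$der" DER)" = "$(fingerprint "$pem")" ]; then
    echo "conversion preserved the certificate"
  fi
  if valid_for "$pem" 0; then
    echo "root is not expired"
  else
    echo "root has EXPIRED: that is why verification fails"
  fi
  if valid_for "$pem" $((30 * 24 * 3600)); then
    echo "root stays valid for at least 30 more days"
  else
    echo "root expires within 30 days: plan the update now"
  fi
  dst=$(install_local_ca "$pem" "$work/ca-certificates")
  echo "installed as $dst (on a real system: sudo update-ca-certificates)"
}
main "$@"
```

The 30-day check is the one to keep around: running it against the installed corporate root ahead of time turns a surprise "certificate verification failed" on clone day into a scheduled certificate refresh.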