13

I keep getting the following error when attempting to clone a Git repository using SSL on Windows:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The SSL certificate hierarchy is trusted (the issuer certificate is added to Trusted Root Certificate Authorities) and I can browse to the hosting site (a private instance of Gitorious) without SSL errors. I've tried cloning on Windows 7 and on Windows Server 2008 and it's failed both times.

Anyone got any ideas?

VonC
Jimit
  • Possible duplicate of [Invalid SSL certificate when pushing to Git server](https://stackoverflow.com/questions/19413537/invalid-ssl-certificate-when-pushing-to-git-server) – MrTux Mar 04 '18 at 21:43
  • http://www.f15ijp.com/2012/08/git-ssl-certificate-problem-how-to-turn-off-ssl-validation-for-a-repo/ one of the best solutions which I found – vikas etagi Mar 22 '20 at 14:16

4 Answers

19

Git apparently does not use the certificates saved in Windows; you have to specify the path to the certificate file by editing .gitconfig.

gitconfig location:

C:\Program Files (x86)\Git\etc

Add the line (replace [route] with the path to the file and yourCertificate.crt with the name of your certificate):

```
.
.
.
[help]
    format = html
[http]
    sslVerify = true
    sslCAinfo = C:/Program Files (x86)/Git/bin/curl-ca-bundle.crt
    sslCAinfo = [route]/yourCertificate.crt
[sendemail]
    smtpserver = /bin/msmtp.exe

[diff "astextplain"]
.
.
.
```

and try again.

Guillermo Zacur
  • 1
    I was having the same problem with Stash installed on my server. I had to save the certificate as rfc, only then did it work. So, on the server, where I have my keystore I ran this: `"%JAVA_HOME%\bin\keytool" -export -keystore .keystore -rfc -alias tomcat -file yourCertificate.crt` – mateuscb Jun 10 '14 at 03:08
  • 3
    Git on Windows no longer uses a .gitconfig file or a curl-ca-bundle.crt in those locations and I'm having trouble finding the right way of doing this now. – Chris Dec 06 '16 at 23:04
  • @Chris C:\Program Files\Git\mingw64\ssl\certs? – Peter Jul 27 '18 at 18:25
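Added example, not part of the original answers or comments: a Python sketch of the approach in the answer above, building a separate CA bundle that includes the private CA and pointing `http.sslCAInfo` at it. It converts a binary DER export to PEM ("rfc") first, the step the keytool comment describes. The function names and file names are assumptions, and the sample bytes are constructed placeholders, not real certificates.

```python
import ssl
import tempfile
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def to_pem(raw: bytes) -> str:
    """Return the certificate as PEM text, accepting PEM ("rfc") or binary DER."""
    if PEM_BEGIN.encode() in raw:
        text = raw.decode("utf-8").strip()
        if not text.endswith(PEM_END):
            raise ValueError("PEM certificate is truncated (no END marker)")
        return text[text.index(PEM_BEGIN):] + "\n"
    if not raw.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("file is neither PEM nor DER")
    return ssl.DER_cert_to_PEM_cert(raw)


def build_bundle(base_bundle: Path, extra_cert: Path, out: Path) -> Path:
    """Write the base bundle plus the private CA to `out`."""
    bundle = base_bundle.read_text(encoding="utf-8")
    pem = to_pem(extra_cert.read_bytes())
    if pem.strip() not in bundle:  # idempotent: never append the same CA twice
        bundle = bundle.rstrip("\n") + "\n" + pem
    out.write_text(bundle, encoding="utf-8")
    return out


def git_config_command(bundle: Path) -> str:
    """Command that points Git at the new bundle (forward slashes, as on the page)."""
    return f'git config --global http.sslCAInfo "{bundle.as_posix()}"'


def demo() -> tuple[str, str]:
    # Constructed sample data: the bytes below are NOT real certificates.
    with tempfile.TemporaryDirectory() as d:
        base, der, out = Path(d, "ca-bundle.crt"), Path(d, "yourCertificate.crt"), Path(d, "bundle.crt")
        base.write_text(ssl.DER_cert_to_PEM_cert(b"\x30\x03public"), encoding="utf-8")
        der.write_bytes(b"\x30\x03private")  # binary DER, as exported without -rfc
        build_bundle(base, der, out)
        build_bundle(out, der, out)  # second run must not duplicate the entry
        return out.read_text(encoding="utf-8"), git_config_command(out)


if __name__ == "__main__":
    text, command = demo()
    print(text.count(PEM_BEGIN), "certificates in bundle;", command)
```

Writing to a separate output file leaves the bundle shipped with Git untouched, and certificate verification stays enabled throughout.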
1

The location of http.sslcainfo is stored in "C:\ProgramData\Git\config". It is not altered when uninstalling/reinstalling git.

I recently had to change it from

sslCAInfo = C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt

to

sslCAInfo = C:/Users/kristof/AppData/Local/Programs/Git/mingw64/ssl/certs/ca-bundle.crt

Also see issue:
Configure http.sslcainfo in Git for Windows' own system-wide config #531
https://github.com/git-for-windows/git/issues/531

Kristof Neirynck
0

Make sure to add to your Git global config file:

 http.sslcainfo=/bin/curl-ca-bundle.crt

Your msysgit instance needs to know where to look for the CA certificates in order to validate them.

See more settings in this SO answer or in "Cannot get Http on git to work".

Community
VonC
  • If I run git clone from Git Bash it works. Only issue in eclipse. – Jigar Shah Jul 03 '14 at 11:05
  • @JigarShah that could be a question of its own, describing the problem and adding a lot of specific details (what OS, what version of Java, Eclipse, Egit? what version of git?) – VonC Jul 03 '14 at 11:14
  • Sorry comment at wrong place. Win8-64Bit, Eclipse Luna, (No special plugin for git but m2eclipse) JDK8. http://stackoverflow.com/questions/24550742/eclipse-luna-git-checkout-ssl-fails/24550864 – Jigar Shah Jul 03 '14 at 11:20
  • @JigarShah you are using an ssh url: you don't need a proxy for that. – VonC Jul 03 '14 at 11:22
-1

If all else fails, you can set the environment variable GIT_SSL_NO_VERIFY to true. However, it is hopefully possible to resolve the issue in another way. WARNING: This exposes you to SECURITY RISKS, as you can no longer trust that you're talking to the server you think you're talking to.

Aasmund Eldhuset
  • I did the same. Same error. In Eclipse > Git > Configuration > User settings added sslVerify = false. But it seems it's not able to connect on SSL itself. – Jigar Shah Jul 03 '14 at 11:04