SSL certificate rejected trying to access GitHub over HTTPS behind firewall
Note: disabling SSL verification has security implications. It allows Man in the Middle attacks when you use Git to transfer data over a network. Be sure you fully understand the security implications before using this as a solution. Or better yet, install the root certificates.
One way is to disable the SSL CERT verification:
git config --global http.sslVerify false
This will prevent curl from verifying the HTTPS certificate.
For one repository only:
git config http.sslVerify false
Feel free to skip past this answer if you want to fix the certificates issue. This answer deals with tunneling ssh through the firewall, which is IMHO a better solution for dealing with firewall/proxy thingies.
There is a better way than using http access, and that is to use the ssh service offered by GitHub on port 443 of the ssh.github.com server.
We use a tool called corkscrew. This is available for both Cygwin (through setup from the Cygwin homepage) and Linux using your favorite packaging tool. For MacOSX it is available from macports and brew at least.
The command line is as follows:
$ corkscrew <proxyhost> <proxyport> <targethost> <targetport> <authfile>
The proxyhost and proxyport are the coordinates of the https proxy. The targethost and targetport are the location of the host to tunnel to. The authfile is a text file with one line containing your proxy server username/password separated by a colon,
e.g:
abc:very_secret
Installation for using the "normal" ssh protocol for git communication
By adding this to ~/.ssh/config, this trick can be used for normal ssh connections:
Host github.com
    HostName ssh.github.com
    Port 443
    User git
    ProxyCommand corkscrew <proxyhost> <proxyport> %h %p ~/.ssh/proxy_auth
Now you can test that it works by ssh-ing to gitproxy:
pti@pti-laptop:~$ ssh github.com
PTY allocation request failed on channel 0
Hi ptillemans! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.
pti@pti-laptop:~$
(Note: if you have never logged in to GitHub before, ssh will ask you to add the server key to the known hosts file. If you are paranoid, it is recommended to verify the RSA fingerprint against the one shown on the GitHub site where you uploaded your key.)
A slight variant on this method is the case where you need to access a repository with another key, e.g. to separate your private account from your professional account.
#
# account dedicated for the ACME private github account
#
Host acme.github.com
    User git
    HostName ssh.github.com
    Port 443
    # 3128 is the example proxy port here; replace <proxyhost> with your proxy
    ProxyCommand corkscrew <proxyhost> 3128 %h %p ~/.ssh/proxy_auth
    IdentityFile ~/.ssh/id_dsa_acme
Enjoy!
We've been using this for years now on Linux, Macs and Windows.
If you want, you can read more about it in this blog post.
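An added example, not code from the answer above or from the corkscrew project, for the fingerprint check the note above recommends: with Port 443 and HostName ssh.github.com, OpenSSH records the key in known_hosts as `[ssh.github.com]:443 ...`, and this parses such a line, derives the OpenSSH-style SHA256 fingerprint and compares it with a set of fingerprints you obtained from GitHub's own documentation. The known_hosts line and its all-zero ssh-ed25519 key blob are constructed here purely as sample input.

```python
import base64
import hashlib
import struct

def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack('>I', len(data)) + data

# Constructed host key: an ssh-ed25519 blob carrying a dummy all-zero 32-byte key,
# written the way OpenSSH records a host reached on a port other than 22.
DUMMY_BLOB = ssh_string(b'ssh-ed25519') + ssh_string(bytes(32))
SAMPLE_KNOWN_HOSTS_LINE = '[ssh.github.com]:443 ssh-ed25519 ' + base64.b64encode(DUMMY_BLOB).decode()

def parse_known_hosts_line(line):
    """Return (host, port, key_type, key_blob) from one known_hosts line."""
    host_field, key_type, key_b64 = line.split()[:3]
    if host_field.startswith('['):          # "[host]:port" form for non-default ports
        host, _, port = host_field[1:].rpartition(']:')
        port = int(port)
    else:
        host, port = host_field, 22
    return host, port, key_type, base64.b64decode(key_b64)

def sha256_fingerprint(key_blob):
    """OpenSSH-style fingerprint: SHA256:<base64 digest without '=' padding>."""
    digest = hashlib.sha256(key_blob).digest()
    return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')

def host_key_matches(line, expected_fingerprints, host='ssh.github.com', port=443):
    """True only if the line is for host:port, is internally consistent and its key is expected."""
    h, p, key_type, blob = parse_known_hosts_line(line)
    if (h, p) != (host, port):
        return False
    # The key type embedded in the blob must agree with the key-type field.
    blob_type_len = struct.unpack('>I', blob[:4])[0]
    if blob[4:4 + blob_type_len] != key_type.encode():
        return False
    return sha256_fingerprint(blob) in expected_fingerprints
```

Replace the dummy key with the line ssh added to ~/.ssh/known_hosts, and the expected set with the fingerprints GitHub publishes.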
The problem is that you do not have any Certification Authority certificates installed on your system. And these certs cannot be installed with Cygwin's setup.exe.
Update: Install the Net/ca-certificates package in Cygwin (thanks dirkjot).
There are two solutions:
- Actually install root certificates. The curl guys extracted the certificates from Mozilla for you. The cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of people). You need to download this file, split it into individual certificates, put them in /usr/ssl/certs (your CApath) and index them.
Here is how to do it. With Cygwin's setup.exe, install the curl and openssl packages, then execute:
$ cd /usr/ssl/certs
$ curl http://curl.haxx.se/ca/cacert.pem |
awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
$ c_rehash
Important: In order to use c_rehash you have to install openssl-perl too.
- Ignore SSL certificate verification.
WARNING: Disabling SSL certificate verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues and your threat model before using this as a solution.
$ env GIT_SSL_NO_VERIFY=true git clone https://github...
I wanted Git to use the updated certificate bundle without replacing the one my entire system uses. Here's how to have Git use a specific file in my home directory:
mkdir ~/certs
curl https://curl.haxx.se/ca/cacert.pem -o ~/certs/cacert.pem
Now update .gitconfig to use this for peer verification:
[http]
sslCAinfo = /home/radium/certs/cacert.pem
Note I'm using an absolute path. Git does no path expansion here, so you can't use ~ without an ugly kludge. Alternatively, you can skip the config file and set the path via the environment variable GIT_SSL_CAINFO instead.
To troubleshoot this, set GIT_CURL_VERBOSE=1. The path of the CA file Git is using will be shown on lines starting with "CAfile:" in the output.
Edited to change from http to https.
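As an added example (not code from any answer on this page) tying together the three settings discussed here, http.sslVerify, GIT_SSL_NO_VERIFY and http.sslCAinfo: a small Python audit that parses git-config text and reports verification that has been switched off or a CA bundle path that is not absolute. The config text and the hypothetical host in it are constructed; the GIT_SSL_NO_VERIFY check tests presence only, because Git documents that setting it to any value disables verification.

```python
import os
import re
# Constructed sample .gitconfig (not from any answer above): global sslVerify=false,
# a CA path written with "~", and a host-scoped section that keeps verification on.
SAMPLE_GITCONFIG = """\
[http]
    sslVerify = false   ; every HTTPS remote is now unauthenticated
    sslCAinfo = ~/certs/cacert.pem
[http "https://git.internal.example"]
    sslVerify = true
"""

SECTION_RE = re.compile(r'^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]$')

def parse_git_config(text):
    """Map (section, subsection or None) -> {lowercased key: value}; comments stripped naively."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        match = SECTION_RE.match(line)
        if match:
            current = (match.group(1).lower(), match.group(2))
            entries.setdefault(current, {})
        elif '=' in line and current is not None:
            key, value = (part.strip() for part in line.split('=', 1))
            entries[current][key.lower()] = value
    return entries

def check_ca_path(scope, path):
    # The answer above uses an absolute path; a relative or "~" path is flagged.
    if not os.path.isabs(path):
        return [f'{scope}: CA bundle "{path}" is not an absolute path']
    if not os.path.isfile(path):
        return [f'{scope}: CA bundle "{path}" does not exist']
    return []

def audit_git_tls(config_text, env):
    """List TLS findings for a git config text plus an environment mapping."""
    findings = []
    for (section, sub), kv in parse_git_config(config_text).items():
        if section != 'http':
            continue
        scope = f'http "{sub}"' if sub else 'http'
        if kv.get('sslverify', 'true').lower() in ('false', 'no', 'off', '0'):
            findings.append(f'{scope}: sslVerify disabled, certificate never checked')
        if 'sslcainfo' in kv:
            findings += check_ca_path(scope, kv['sslcainfo'])
    if 'GIT_SSL_NO_VERIFY' in env:  # Git honours this variable whatever its value
        findings.append('env: GIT_SSL_NO_VERIFY set, verification disabled everywhere')
    return findings
```

Run it over the output of `git config --global --list --show-origin` reduced to the file contents, or read ~/.gitconfig directly, and pass `os.environ` as the environment.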