Visual Studio 2017 Enterprise + TFS 2018 + Git Clone = Unable to get local issuer certificate
Here is what I did to fix my issue:
In Git Settings, Global Settings in Team Explorer, there is an option to choose between OpenSSL and Secure Channel.
Starting with Visual Studio 2017 (version 15.7 preview 3), using SChannel in the Git global settings fixed my issue.
After two days with system admin support, I got the solution. I am posting it here in case it helps somebody else. Visual Studio 2017 does not seem to accept a self-signed certificate, as the error states ("local issuer blah blah"). It has to be a local CA to approve it. The steps were:
Server:
- Install Company/Trusted CA on TFS machine as Trusted Authority root
- Prepare a certificate for TFS and make it derive from the company/trusted CA.
- Install it as Trusted Authority root on the TFS machine
- Configure the TFS-IIS binding to make the TFS certificate compulsory for HTTPS connections
Client:
- Install CA certificate as Trusted Authority root on client machine (tried with Windows 7 and 10)
- Install TFS certificate as Trusted Authority root on client machine (you should see the lock in browser and connecting through it has to be recognized as secure)
- Install Git client (I have Git-2.15.1.2-64-bit).
- Run a shell (cmd, PowerShell, Git-bash as you prefer) and type this command: git config --global http.sslCAInfo C:/Users//ca-bundle.crt (because Git and Visual Studio have multiple folders where they store certificates, you are basically creating a global path for both of them)
- Now you should be able to see a new .gitconfig file with this content: [http] sslCAInfo = C:/Users//ca-bundle.crt
- If you type the command "git config --list --show-origin" you should see the new path/config added
- Copy ca-bundle.crt from the C:\Program Files\Git\mingw64\ssl\certs path to the C:/Users// path
- Export the CA certificate as Base 64 X.509 (.CER) to a path of your choice (you can view certificates from IE Internet Options/Content/Certificates).
- Open the CA certificate that you just exported with an editor like Notepad++ or whatever. The content should be:
-----BEGIN CERTIFICATE-----publickey-----END CERTIFICATE-----
- Copy this content
- Open C:/Users//ca-bundle.crt and append that content by pasting it
- Export the TFS certificate as Base 64 X.509 (.CER) to a path of your choice.
- Open it with the editor you prefer and copy the content
- Open C:/Users//ca-bundle.crt and append that content by pasting it
- Save the file
Now you should be able to clone repository.
So basically the point is that the certificate has to have the whole chain of authority in it and there has to be one.
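The client-side bundle steps from the answer above, written as a Git-bash script (an added example, not part of the original post). The function names and the file arguments are assumptions; the script expects Base-64 (PEM) exports, rejects binary DER ones, strips Windows CRLF line endings, and skips a certificate that is already in the bundle.

```bash
#!/usr/bin/env bash
# Added example: build a per-user CA bundle for Git from Base-64 X.509 exports.
# Function names and all file paths passed in are hypothetical, not from the post.

# Succeeds only if FILE holds exactly one PEM certificate (a DER export fails).
is_pem_cert() {
    [ -r "$1" ] || return 1
    local b e
    b=$(tr -d '\r' < "$1" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    e=$(tr -d '\r' < "$1" | grep -c -- '-----END CERTIFICATE-----' || true)
    [ "$b" -eq 1 ] && [ "$e" -eq 1 ]
}

# Prints the Base-64 body of every certificate in FILE, one certificate per line.
pem_bodies() {
    tr -d '\r' < "$1" | awk '
        /-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (in_cert) print body; in_cert = 0; next }
        in_cert { gsub(/[ \t]/, ""); body = body $0 }'
}

# Number of certificates currently in the bundle.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# append_cert BUNDLE CERT: append CERT unless the bundle already contains it.
append_cert() {
    local bundle="$1" cert="$2" body
    is_pem_cert "$cert" || { echo "not a single PEM certificate: $cert" >&2; return 1; }
    body=$(pem_bodies "$cert" | head -n 1)
    [ -n "$body" ] || return 1
    if pem_bodies "$bundle" | grep -qxF -- "$body"; then
        return 0                      # already trusted: leave the bundle unchanged
    fi
    # Start on a fresh line and normalise CRLF so the PEM markers stay intact.
    { echo; tr -d '\r' < "$cert"; } >> "$bundle"
}

# build_bundle BASE_BUNDLE OUT_BUNDLE CERT...: copy Git's bundle, then add each export.
build_bundle() {
    local base="$1" out="$2" c
    shift 2
    cp -- "$base" "$out" || return 1
    for c in "$@"; do append_cert "$out" "$c" || return 1; done
}

# Point Git at the finished bundle (same setting as in the steps above).
use_bundle() { git config --global http.sslCAInfo "$1"; }
```

Call `build_bundle` with Git's shipped ca-bundle.crt, the per-user output path and the exported .CER files, then `use_bundle` with the output path.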
You can do a quick workaround by:
git config --global http.sslVerify false
Ref: https://confluence.atlassian.com/bitbucketserverkb/ssl-certificate-problem-unable-to-get-local-issuer-certificate-816521128.html