Invalid SSL certificate when pushing to Git server

by

Git for Windows has its own trust store of trusted certificates which is normally located in the file

  • Git for Windows <=1.9: [Git installdir]\bin\curl-ca-bundle.crt (e.g., C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt; configured by the key http.sslCAinfo in [Git installdir]\etc\gitconfig).
  • Git for Windows >= 2.0: [Git installdir]\mingwXX\ssl\certs\ca-bundle.crt where XX stands for 32 or 64 (e.g., C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt; configured by the key http.sslCAinfo in git config, e.g. C:\Program Files\Git\etc or your global/local config).

Disabling checking of certificates (e.g., by setting git config http.sslVerify false) is not a good idea and might be extremely dangerous (as all security checks are disabled and MitM attacks are easily possible – depending where this is set it applies for all new https connections).

In order to add a certificate (may it be a self-signed one or another root certificate) to this trust store in order to automatically trust it, you have to perform the following steps (the first five steps are just to gather the certificate, this can also be done with your favorite browser, but might require different tasks):

  1. Open the URL of the site in Microsoft Edge

  2. Click on the lock symbol in the local bar and choose “Connection is safe” and then click on the certificate symbol.

  3. (Optional) Select the certificate you want to trust on the certificate chain (third tab) and open it

  4. Go to the second tab “Details”

  5. Click on “Save to file”, choose “Base64-encoded X.509 (.CER)” and save it with a unique name (remember that name; a name w/o spaces is recommended).

  6. Now you have several options

    1. Use a separate certificate trust store which only contains your just downloaded cert, by executing git config --global http.sslCAinfo "[yourfilename]" in a cli shell in order to only use this certificate as the trust store.
    2. Use a separate certificate trust store which contains your just downloaded cert and all certificates from the git trust store, by appending all content from the system trust store file (path see above) and then execute git config --global http.sslCAinfo "[yourfilename]" in a cli shell in order to use this new trust store.
    3. Update the system certificate file, by appending the content of your just saved file to [path-to-git-trust-store-crt-file] (e.g. by type [yourfilename] >> [path-to-git-trust-store-crt-file] in a cli shell running with administrative rights) OR using notepad (make a copy of the ca-bundle.crt file on desktop, append the content of the downlaoded .crt file and then copy it back). Disadvantage: changes might get overwritten on git update

Done. Now, this certificate is in the trust store of Git for Windows.

Recent versions of Git for Windows can use also Windows certificate store which might be more convenient in a corporate environment. This can be configured on installation.

More Related Contents:

  1. Remove saved credentials from TortoiseGit
  2. How can I save username and password in Git?
  3. SSL certificate rejected trying to access GitHub over HTTPS behind firewall
  4. How to resolve “git did not exit cleanly (exit code 128)” error on TortoiseGit? [closed]
  5. Unknown SSL protocol error in connection
  6. TortoiseGit save user authentication / credentials
  7. Does TortoiseGit actually make Git a lot easier to use like TortoiseSVN? [closed]
  8. Can I update a forked project, on git, to the original/master copy?
  9. Adding self-signed SSL certificate without disabling authority-signed ones
  10. How to install/setup TortoiseGit to work with GitHub
  11. Support for password authentication was removed on August 13, 2021
  12. Does TortoiseGit work with PortableGit-x.x.x.x-previewyyyyyy? What are compatible git versions for TortoiseGit?
  13. LF will be replaced by CRLF in git – What is that and is it important? [duplicate]
  14. How do I “un-revert” a reverted Git commit?
  15. Sparse checkout in Git 1.7.0?
  16. Why do I have to “git push –set-upstream origin “?
  17. git push –force-with-lease vs. –force
  18. How to export revision history from mercurial or git to cvs?
  19. git – push current vs. push upstream (tracking)
  20. Can I get git to tell me all the files one user has modified?
  21. What is the format for –date parameter of git commit
  22. BitBucket – download source as ZIP
  23. git pull –rebase lost commits after coworker’s git push –force
  24. Is there a way to tell git to only include certain files instead of ignoring certain files?
  25. Clone works, remote push doesn’t. Remote repository over copssh
  26. fatal: The current branch master has no upstream branch
  27. Is it possible to pull just one file in Git?
  28. Using a Jenkins pipeline to checkout multiple git repos into same job
  29. git ignore all files of a certain type, except those in a specific subfolder
  30. How to delete the last n commits on Github and locally?

Leave a Comment