Git seems to recognize http.sslcainfo property from .gitconfig but ignores it on execution? SEC_E_UNTRUSTED_ROOT
Problem
all, I have a working certificates chain (testable with OpenSSL) but somehow I cannot manage to tell Git to load these certificates.
I get the same "untrusted root authority" error (SEC_E_UNTRUSTED_ROOT) independently of whether my git configuration points to an existing or a fake certificate chain file.
For details, please check the attached screenshot.
Setting I use in .gitconfig for fake file:
    sslCAInfo = C:/tmp/foobar.crt
or, for real file which works with OpenSSL:
    sslCAInfo = C:/tmp/ca-bundle.crt
Console transcript:
C:\tmp>openssl version
OpenSSL 0.9.8h 28 May 2008
C:\tmp>git --version
git version 2.12.2.windows.2
C:\tmp>git config --list
http.sslverify=true
http.sslcainfo=C:/tmp/ca-bundle.crt
C:\tmp>dir
24.04.2017 13:45 10.875 ca-bundle.crt
c:\tmp>openssl s_client -state -connect https://mygithost:443 -CAfile .\ca-bundle.crt
Verify return code: 0 (ok)
C:\tmp git clone https://mygithost/bitbucket/scm/my.git
Cloning into ...
fatal: unable to access ... : schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
C:\tmp> git -c http.sslverify=false clone https://mygithost/bitbucket/scm/my.git
Cloning into ...
Resoliving deltas: 100%, done.
C:\tmp>git config --list
http.sslverify=true
http.sslcainfo=C:/tmp/foobar.crt
C:\tmp\xxx\git pull
fatal: unable to access ... : schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
Solution
Been hit by this just today after a fresh install so here's how I got over it:
From your logs (emphasis is mine):
    fatal: unable to access ... : schannel: next InitializeSecurityContext failed:
git is configured to use schannel (the Windows native implementation), but schannel uses the Windows certs bundle and not the cainfo bundle.
To switch to openssl to use a custom bundle file, use this:
    git config --system http.sslbackend openssl
And now git will honor the CA bundle passed in http.sslcainfo.
Alternatively, as my error was a problem of cipher suite, you may be interested in the following links:
- https://support.microsoft.com/en-us/help/3161639
- in case you still have an old system (Win2k3): https://support.microsoft.com/en-us/help/948963/an-update-is-available-to-add-support-for-the-tls-rsa-with-aes-128-cbc
Context
StackExchange DevOps Q#1038, answer score: 2
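An added example, not part of the original question or answer: a small shell check (runnable in Git Bash) that reproduces the answer's diagnosis, reading the backend off the "schannel:" prefix of the error line and reporting whether http.sslCAInfo would be consulted at all. The function names and verdict words are hypothetical; the error line and the two bundle paths are copied from the question.

```sh
#!/bin/sh
# Added example (not from the original post): diagnose whether Git will
# consult http.sslCAInfo, following the answer's point that the schannel
# backend uses the Windows certificate store instead of the bundle file.

# backend_from_error LINE: infer the TLS backend from a git/curl error
# line, the way the answer reads it off the "schannel:" prefix.
backend_from_error() {
    case $1 in
        *schannel:*) echo schannel ;;
        *)           echo unknown ;;
    esac
}

# classify_ca_config BACKEND CAINFO: print one verdict word.
#   unset   - no http.sslCAInfo configured
#   ignored - schannel backend: the bundle path is never read
#   unknown - backend not known, so no verdict is possible
#   missing - openssl (or other) backend, bundle file not readable
#   used    - openssl (or other) backend, bundle file readable
classify_ca_config() {
    backend=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cainfo=$2
    if [ -z "$cainfo" ]; then echo unset
    elif [ "$backend" = schannel ]; then echo ignored
    elif [ -z "$backend" ] || [ "$backend" = unknown ]; then echo unknown
    elif [ ! -r "$cainfo" ]; then echo missing
    else echo used
    fi
}

# check_git_ca_config: same verdict for the values git actually resolves.
check_git_ca_config() {
    b=$(git config --get http.sslBackend 2>/dev/null || true)
    c=$(git config --get http.sslCAInfo 2>/dev/null || true)
    classify_ca_config "$b" "$c"
}

# Error line taken from the question's transcript (shortened).
ERR='schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325)'

# Real and fake bundle paths from the question give the same verdict.
for path in C:/tmp/ca-bundle.crt C:/tmp/foobar.crt; do
    printf '%s -> %s\n' "$path" \
        "$(classify_ca_config "$(backend_from_error "$ERR")" "$path")"
done
```

Calling check_git_ca_config inside a repository applies the same classification to the configured http.sslBackend and http.sslCAInfo values.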