Git seems to recognize http.sslcainfo property from .gitconfig but ignores it on execution? SEC_E_UNTRUSTED_ROOT

Submitted by: @import:stackexchange-devops

Problem

All, I have a working certificate chain (testable with OpenSSL) but somehow I cannot manage to tell Git to load these certificates.

I get the same "untrusted root authority" error (SEC_E_UNTRUSTED_ROOT) independently of whether my git configuration points to an existing or a fake certificate chain file.

For details, please check the attached screenshot.

Setting I use in .gitconfig for fake file:

sslCAInfo = C:/tmp/foobar.crt


or, for real file which works with OpenSSL:

sslCAInfo = C:/tmp/ca-bundle.crt


Console transcript:

C:\tmp>openssl version
OpenSSL 0.9.8h 28 May 2008

C:\tmp>git --version
git version 2.12.2.windows.2

C:\tmp>git config --list
http.sslverify=true
http.sslcainfo=C:/tmp/ca-bundle.crt

C:\tmp>dir
24.04.2017 13:45 10.875 ca-bundle.crt

c:\tmp>openssl s_client -state -connect https://mygithost:443 -CAfile .\ca-bundle.crt

Verify return code: 0 (ok)

C:\tmp>git clone https://mygithost/bitbucket/scm/my.git
Cloning into ...
fatal: unable to access ... : schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

C:\tmp> git -c http.sslverify=false clone https://mygithost/bitbucket/scm/my.git
Cloning into ...
Resoliving deltas: 100%, done.

C:\tmp>git config --list
http.sslverify=true
http.sslcainfo=C:/tmp/foobar.crt

C:\tmp\xxx>git pull
fatal: unable to access ... : schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

Solution

Been hit by this just today after a fresh install so here's how I got over it:

From your logs (emphasis is mine):


fatal: unable to access ... : schannel: next InitializeSecurityContext failed:

Git is configured to use schannel (the Windows native implementation), but schannel uses the Windows certificate bundle and not the cainfo bundle.

To switch to OpenSSL so that it uses a custom bundle file, use this:

git config --system http.sslbackend openssl

And now git will honor the CA bundle passed in http.sslcainfo.

Alternatively, as my error was a cipher suite problem, you may be interested in the following links:

  • https://support.microsoft.com/en-us/help/3161639
  • in case you still have an old system (Win2k3): https://support.microsoft.com/en-us/help/948963/an-update-is-available-to-add-support-for-the-tls-rsa-with-aes-128-cbc
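As an added example (not part of the original question or answer), the following shell function audits `git config --list` output for the mismatch the answer describes: a CA bundle configured via http.sslcainfo while the backend is one that ignores it. It assumes the semantics stated in the answer (the schannel backend uses the Windows certificate store and ignores http.sslcainfo; the openssl backend honours it); the exit-code convention and the sample config lines are my own construction, not Git's.

```shell
#!/usr/bin/env bash
# Added example, not from the original question or answer.
# Audit Git's HTTP TLS settings for the schannel/sslcainfo mismatch.
#
# Reads "key=value" lines as printed by `git config --list` from stdin.
# Exit codes (own convention, not Git's):
#   0  settings are consistent
#   1  http.sslcainfo is set but the backend is schannel, which ignores it
#   2  http.sslverify=false: certificate validation is disabled entirely
#   3  http.sslcainfo is set but no backend is pinned; result depends on
#      whichever backend the installer chose (the failing command names it,
#      e.g. "schannel: next InitializeSecurityContext failed")
#
# Usage: git config --list | check_git_tls_config
check_git_tls_config() {
    backend="" cainfo="" verify="true"
    while IFS='=' read -r key value; do
        # Tolerate CRLF output from Windows tools and mixed-case values.
        value=$(printf '%s' "$value" | tr -d '\r')
        case "$key" in
            http.sslbackend) backend=$(printf '%s' "$value" | tr 'A-Z' 'a-z') ;;
            http.sslcainfo)  cainfo=$value ;;
            http.sslverify)  verify=$(printf '%s' "$value" | tr 'A-Z' 'a-z') ;;
        esac
    done

    if [ "$verify" = "false" ]; then
        echo "WARN: http.sslverify=false disables certificate validation for every HTTPS remote" >&2
        return 2
    fi

    case "$backend" in
        openssl)
            echo "OK: backend openssl honours http.sslcainfo=${cainfo:-<unset, OpenSSL default bundle applies>}"
            return 0 ;;
        schannel)
            if [ -n "$cainfo" ]; then
                echo "WARN: http.sslcainfo=$cainfo is set but backend schannel ignores it" >&2
                echo "      (it uses the Windows certificate store; run: git config --system http.sslbackend openssl)" >&2
                return 1
            fi
            echo "OK: backend schannel uses the Windows certificate store"
            return 0 ;;
        "")
            if [ -n "$cainfo" ]; then
                echo "WARN: http.sslcainfo=$cainfo is set but http.sslbackend is not pinned; set it explicitly" >&2
                return 3
            fi
            echo "OK: no custom CA bundle; the installer-chosen backend applies"
            return 0 ;;
        *)
            echo "OK: backend $backend; check its documentation for CA bundle handling"
            return 0 ;;
    esac
}

# Constructed sample mirroring the question's `git config --list` output.
printf 'http.sslverify=true\nhttp.sslcainfo=C:/tmp/ca-bundle.crt\nhttp.sslbackend=schannel\n' \
    | check_git_tls_config
```

Run it as `git config --list | check_git_tls_config` on the affected machine; exit code 1 reproduces the question's situation, and the `-c http.sslverify=false` workaround in the transcript is what exit code 2 flags, since it turns off validation rather than fixing which trust store is consulted.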

Context

StackExchange DevOps Q#1038, answer score: 2
