Git self signed certificate in certificate chain error

I have upgraded my IntelliJ IDEA 2019.2 recently and I am getting the following error if I try to pull using my IDE:

Git Pull Failed: unable to access 'https://github.xxx.com/app-Hello-USD/DGS.git/': SSL certificate problem: self signed certificate in certificate chain.

Could someone help me what option I have to enable?

asked Aug 2, 2019 at 13:35

user3123934

1

git config --global http.sslVerify false

answered Aug 2, 2019 at 21:42

CrazyCoder

7

We can use the Windows certificate storage mechanism.

Please try this:

git config --global http.sslbackend schannel

answered Sep 15, 2022 at 14:25

Kyu Lee

4

This usually happens when your Git repository server is hosted inside a private network and uses a locally generated (self signed) TLS certificate. Because this certificate is not from a "trusted" source, most software will complain that the connection is not secure.

So you need to disable SSL verification on Git to clone the repository and immediately enable it again, otherwise Git will not verify certificate signatures for any other repository.

  1. Disable SSL verification on Git globally:
    git config --global http.sslVerify false
    
  2. Clone your repository:
    git clone <your repo>
    
  3. Enable SSL verification on Git globally:
    git config --global http.sslVerify true
    
  4. Change directory into your repo:
    cd <your repo>
    
  5. Disable SSL verification only on your repository:
    git config --local http.sslVerify false
    

In the first step, when turning off SSL verification, if you’re getting this error:

warning: http.sslverify has multiple values
error: cannot overwrite multiple values with a single value
       Use a regexp, --add or --replace-all to change http.sslVerify.

Open your .gitconfig file and remove duplicate http.sslverify lines.

answered Feb 23, 2022 at 11:29

bezbos.

If you want to add the self-signed cert, export the cert you want as a Base-64 encoded .CER file. Locate your Git cert.pem file (for me it is in C:\Program Files\Git\usr\ssl\cert.pem). Open up your .CER file in a text-editor, and copy/paste the contents at the end of your cert.pem file. Save the file. Then open up your console and type

 git config --global http.sslCAInfo "C:\Program Files\Git\usr\ssl\cert.pem"

answered Mar 16, 2022 at 16:29

codeMonkey

1

If you are connected to a VPN, please try without the VPN. I got this error because of this issue.

answered Jun 30, 2022 at 11:38

suranga upul

For github.com you may change protocol from HTTPS to SSH:

  1. open .git/config

  2. fix url in [remote "origin"] block

    old: url = https://github.com/myname/proj1

    new: url = git@github.com:myname/proj1.git

answered Dec 22, 2022 at 5:03

Vladimir

This can be fixed by disabling SSL checking in the git config for the affected repositories. This should not require elevated privileges to complete.

git config http.sslVerify "false"

This command does not require use of the --global argument.

answered May 11, 2022 at 13:48

brethvoice

1

openssl s_client  -connect www.github.com:443
CONNECTED(000001E4)
depth=1 O = AO Kaspersky Lab, CN = Kaspersky Anti-Virus Personal Root Certificate
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
 1 s:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
   i:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
---
Server certificate
-----BEGIN CERTIFICATE-----
….
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2418 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A1BCEE841D4DBF172402BAF63BC9A80D560ED0FBC8F66B89E692206D3613FD7E
    Session-ID-ctx:
    Master-Key: ************************************************************************
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1527649383
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed
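Added example (not part of the original post or its output): a POSIX shell helper that reads `openssl s_client` text and reports which chain entry is self-signed and who issued the leaf, so you can see which root certificate the error refers to before deciding whether to trust it. The function names are made up for this example; the sample is the chain section of the output above.

```sh
#!/bin/sh
# Print every chain entry whose subject equals its issuer (a self-signed
# root) as "index<TAB>subject". Input: `openssl s_client` text on stdin.
self_signed_in_chain() {
    awk '
        /^ *[0-9]+ s:/ {                # " 1 s:/O=.../CN=..." -> index + subject
            idx = $1; have = 1
            subj = $0; sub(/^ *[0-9]+ s:/, "", subj)
            next
        }
        have && /^ +i:/ {               # issuer line that follows the subject
            iss = $0; sub(/^ +i:/, "", iss)
            if (iss == subj) printf "%s\t%s\n", idx, subj
            have = 0
        }
    '
}

# Print the issuer of the leaf (chain entry 0): the CA that signed the
# certificate this client actually received for the host.
leaf_issuer() {
    awk '
        /^ *0 s:/ { want = 1; next }
        want && /^ +i:/ { sub(/^ +i:/, ""); print; exit }
    '
}

# Chain section copied from the s_client output above.
sample_chain() {
    cat <<'EOF'
Certificate chain
 0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
 1 s:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
   i:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
---
EOF
}

sample_chain | self_signed_in_chain
sample_chain | leaf_issuer
```

Against a live host the same functions can be fed with `openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null`. A leaf for a public site issued by a local root, as in this output, means the certificate was re-signed on the way to the client.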

Platform Notice: Cloud Only — This article only applies to Atlassian products on the cloud platform.

Summary

While performing any Git operations, the user receives the error message below:

SSL certificate problem: self-signed certificate in certificate chain

Cause

The error message "self-signed certificate in certificate chain" usually indicates that the SSL certificate provided by the Git server you are trying to connect to is not trusted by your Git client. This can occur if the certificate is self-signed, or if it is signed by an untrusted certificate authority.

Solution

  • Configure Git to trust the self-signed certificate globally: You can configure Git to trust the self-signed certificate globally by adding an ‘http.sslCAInfo’ setting to your Git configuration file. Here’s an example of how to configure Git to trust a self-signed certificate:

    $ git config --global http.sslCAInfo /path/to/ca.pem
  • If you are on Windows, you can use the configuration below, which sets the Secure Channel (schannel) library as the SSL backend for Git’s HTTP communication. This setting is recommended on Windows systems, as the schannel library is part of the Windows operating system and is well integrated with its security features. Once you have configured this, Git will use the Windows certificate store and should not require the http.sslCAInfo configuration setting. The git config --global http.sslBackend schannel setting does not bypass SSL validation. It only sets the SSL backend used by Git for its HTTP communication. The schannel library, like other SSL backends, is designed to perform SSL validation by default, which includes verifying the authenticity of the SSL certificate presented by the remote server. The schannel library is considered to be a secure SSL backend, and it supports strong encryption algorithms and certificate validation.

    git config --global http.sslBackend schannel

Last modified on Apr 3, 2023


Behind a firewall, using chrome, I am able to access a github repository like so:
https://github.com/Squirrel/Squirrel.Windows

Chrome uses our certificate for this access. If I try to access the same url using GitExtensions, I get this error:

SSL certificate problem: self signed certificate in certificate chain

Can I cause GitExtensions to use our certificate to allow access?

EDIT: more info:

On my machine, I don’t see msysGit, but I do see mingw/curl, so I assume Git is using these. These apparently do not use Windows trust certificates when building the certificate chain. The error that I get, SSL certificate problem: self signed certificate in certificate chain, indicates that the root certificate used by Git/GitHub is not present in the built-in certificate authority (CA) root bundle. As @Akber Choudhry has pointed out, the CA certificate that is the root of the chain of the certs served by the GitHub SSL server is DigiCert High Assurance EV Root CA and I do see that CA in C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt.

To verify that the problem is with Git, not GitExtensions, I did this on the command line:

 >>git clone https://github.com/Squirrel/Squirrel.Windows.git

And received the same SSL certificate problem error.

It gives the appearance that Git is not using this certificate, thus I tried configuring Git like so:

>>git config --system http.sslcainfo "C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt"

but this had no effect.

If you get the following error:

fatal: unable to access <git>: SSL certificate problem: self signed certificate in certificate chain

when trying to clone a Git repo, you can quickly get around it by doing one of the following.

Note that both of these solutions are merely workarounds and should be used only as a last resort.

Workaround Solution 1

Disable SSL verification while running the git clone.

git -c http.sslVerify=false clone <repository-name>

Workaround Solution 2

Disable SSL verification globally while running the git clone.

git config --global http.sslVerify false

Solution 3 (recommended)

This solution is recommended, but takes a lot more work.

Download the actual certificate/certificate chain from the Git server and install it locally by pointing your --system configuration for http.sslCAPath to it.

git config --system http.sslCAPath /path/to/cacerts
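Added example, not from the original article or the answers earlier on the page: the `http.sslVerify false` workarounds (global, per repository, or left behind after a one-off clone) are easy to forget, so this POSIX shell filter reads `git config --list --show-origin` output and reports every file and scope where verification is off. The function names, the host `git.example.internal` and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Report where Git's TLS verification is switched off.
# Input: text of `git config --list --show-origin` (origin<TAB>key=value).
# Output: origin<TAB>scope, where scope is ALL-HOSTS or the URL prefix.
find_ssl_verify_off() {
    awk -F '\t' '
        {
            origin = $1; kv = $2
            eq  = index(kv, "=")
            key = (eq ? substr(kv, 1, eq - 1) : kv)
            val = (eq ? tolower(substr(kv, eq + 1)) : "true")  # bare key = true
            # matches http.sslverify and http.<url>.sslverify
            if (tolower(key) !~ /^http\.(.*\.)?sslverify$/) next
            # the spellings Git parses as boolean false
            if (val == "false" || val == "no" || val == "off" || val == "0" || val == "") {
                scope = key
                sub(/^[^.]*\./, "", scope)    # drop leading "http."
                sub(/\.?[^.]*$/, "", scope)   # drop trailing "sslverify"
                printf "%s\t%s\n", origin, (scope == "" ? "ALL-HOSTS" : scope)
            }
        }
    '
}

# Constructed sample of `git config --list --show-origin` output.
sample_config() {
    printf '%s\t%s\n' \
        'file:/home/dev/.gitconfig' 'http.sslverify=false' \
        'file:/home/dev/.gitconfig' 'http.sslbackend=schannel' \
        'file:.git/config' 'http.https://git.example.internal/.sslverify=no' \
        'file:/etc/gitconfig' 'http.sslverify=true'
}

sample_config | find_ssl_verify_off

# Real use:  git config --list --show-origin | find_ssl_verify_off
# Scoped alternative to switching verification off (placeholder host/path):
#   git config --global http.https://git.example.internal/.sslCAInfo /path/to/ca.pem
```

An `ALL-HOSTS` line from a global or system file is the case to clear first, because it turns off certificate checks for every HTTPS remote, not only the internal server.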

How do you fix self-signed certificate in certificate chain?

If the certificate is self-signed, that means that you have the local cert file itself. You can then:

git config --system http.sslCAPath /your/self-signed/cacerts

How do I remove SSL certificate problem self-signed certificate in certificate chain?

You can follow the above solutions or workarounds. Remember that it’s best to assign a valid cacerts file. If one doesn’t exist, you can always ignore SSL by passing the -c http.sslVerify=false flag.

What does self-signed certificate in certificate chain mean?

Self-signed certificates are where you have created a certificate yourself to be able to take advantage of TLS/SSL encryption in flight. As you created it yourself, this means that it was not signed by a trusted certificate authority, so other users of the service that uses this self-signed certificate will get a warning saying that the connection is not trusted.

How can I make git accept a self-signed certificate?

You will need to follow one of the steps above, depending on which one best meets your needs.
