148

Currently I have the following entry in my .gitconfig in my user directory.

...
[http]
    sslCAInfo=C:\\Users\\julian.lettner\\.ssh\\git-test.pem
...

This sets the certificate to use when interacting with the git server (required by my company's git server).

But now I cannot clone other repositories (for example a public repository on GitHub), because the client always uses the configured certificate which gets rejected by other servers.

How can I circumvent this certification issue? Can I configure Git to use the Windows Certificate Store to authenticate?

4

2 Answers

422

Beginning with Git for Windows 2.14, you can now configure Git to use SChannel, the built-in Windows networking layer. This means that it will use the Windows certificate storage mechanism and you do not need to explicitly configure the curl CA storage mechanism.

From the Git for Windows 2.14 release notes:

It is now possible to switch between Secure Channel and OpenSSL for Git's HTTPS transport by setting the http.sslBackend config variable to "openssl" or "schannel"; This is now also the method used by the installer (rather than copying libcurl-4.dll files around).

You can choose the new SChannel mechanism during the installation of Git for Windows 2.14. You can also update an existing installation to use SChannel by running:

git config --global http.sslBackend schannel 

Once you have configured this, Git will use the Windows certificate store and should not require (and, in fact, should ignore) the http.sslCAInfo configuration setting.


17 Comments

Seems like this should be the right way. However, I got this error: fatal: unable to access '...': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. But this may be a problem with the certificate itself.
The latest version of git 2.17.1.2 comes bundled with libcurl and this will still read http.sslCAInfo and if it contains errors it will still throw an ssl verification issue. Please see developercommunity.visualstudio.com/content/problem/267483/… for more detail.
Worked. Had to run this with administrator privileges.
@FranklinYu Git for Windows is a fork of git - the documentation you're pointing to is not the official documentation for Git for Windows; you're pointing to the git documentation itself. You might find this mentioned in the official documentation for Git for Windows at gitforwindows.org (but it's possible that it is indeed missing from the official documentation). I regret that this is confusing.
Does anybody know if there's a way to extend this configuration to the curl that comes with git for windows? I'd like it to extend trust based on the system CA store.
12

Use:

git config --local ... 

To specify per-repository settings. Local settings are stored in the .git directory.

An overview of the three locations where git can store settings:

  • --local: Repository specific, <repo_dir>/.git/config
  • --global: User-specific, ~/.gitconfig
  • --system: System default, /etc/gitconfig

More specific ones override more general settings, i.e. local overrides both global and system.

3 Comments

Is there really no way to have Git for Windows accept the trusted root CAs already configured in the operating system?
I haven't found a way to make git use the root CA. You can turn off certificate validation with the git config --global http.sslVerify false setting, or the GIT_SSL_NO_VERIFY=true environment variable.
@Andomar 10 years later, the same problem still persists, on any Windows version, but not on every instance. The only common ground between systems where it is happening is that the user doesn't have machine admin rights, but it's unclear if that's the actual reason.
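
Added example, not part of either answer or of Git for Windows: a sandboxed shell session that scopes http.sslCAInfo to one repository as the second answer suggests, goes beyond it by also scoping it per server with Git's http.<url>.* form, and lists any http.sslVerify overrides such as the one mentioned in the comments. The host git.example.corp and the file corp-ca.pem are constructed placeholders, and GIT_CONFIG_GLOBAL assumes Git 2.32 or later.

```shell
#!/bin/sh
# Added example; git.example.corp and corp-ca.pem are constructed placeholders.

# Throwaway sandbox so the real user and system config stay untouched.
setup_sandbox() {
    SANDBOX=$(mktemp -d)
    export HOME="$SANDBOX/home"
    export GIT_CONFIG_NOSYSTEM=1                 # skip the --system file
    export GIT_CONFIG_GLOBAL="$HOME/.gitconfig"  # honoured by Git 2.32+
    CORP_CA="$SANDBOX/corp-ca.pem"               # placeholder path, never read
    mkdir -p "$HOME"
    git init -q "$SANDBOX/corp-repo"
    git init -q "$SANDBOX/public-repo"
}

# Option 1 (the answer's approach): set the CA bundle in one repository only.
scope_ca_to_repo() {
    git -C "$SANDBOX/corp-repo" config --local http.sslCAInfo "$CORP_CA"
}

# Option 2 (beyond the answer): set it per server via http.<url>.sslCAInfo.
scope_ca_to_url() {
    git config --global "http.https://git.example.corp/.sslCAInfo" "$CORP_CA"
}

# CA bundle in effect inside repository $1; prints nothing when unset.
ca_for_repo() {
    git -C "$1" config --get http.sslCAInfo || true
}

# CA bundle in effect for remote URL $1, resolved from the public clone.
ca_for_url() {
    git -C "$SANDBOX/public-repo" config --get-urlmatch http.sslCAInfo "$1" || true
}

# Every http.sslVerify / http.<url>.sslVerify entry visible from repository $1,
# with its source file. A "false" value means validation is switched off.
list_sslverify_overrides() {
    git -C "$1" config --show-origin --get-regexp '^http\.(.*\.)?sslverify$' || true
}

if command -v git >/dev/null 2>&1; then
    setup_sandbox && scope_ca_to_repo && scope_ca_to_url
    echo "corp repo   : $(ca_for_repo "$SANDBOX/corp-repo")"
    echo "public repo : $(ca_for_repo "$SANDBOX/public-repo")"
    echo "corp URL    : $(ca_for_url https://git.example.corp/team/app.git)"
    echo "GitHub URL  : $(ca_for_url https://github.com/git/git.git)"
    list_sslverify_overrides "$SANDBOX/corp-repo"
fi
```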
