48

I have a corporate git server working through https using a self-signed certificate. The local clone contains two remotes — the origin pointing to that server, and another pointing to github. By default, pulling from the origin fails:

```
$ git pull
fatal: unable to access 'https://[email protected]/git/fizzbuzz.git/': SSL certificate problem: self signed certificate
```

The github remote works fine.

There are two often-suggested solutions:

```
git config http.sslVerify false
```

which is a bad idea, and the one suggested at "configure Git to accept a particular self-signed server certificate for a particular https remote":

```
git config http.sslCAInfo <downloaded certificate>.pem
```

which fixes pulling from origin, but breaks the github remote:

```
$ git pull github
fatal: unable to access 'https://github.com/user/fizzbuzz.git/': SSL certificate problem: unable to get local issuer certificate
```

How to make pulling from the corporate server work without breaking pulling from github?

2 Answers

83

If you are using Git 1.8.5+ (August 2013), you can specify http directives per URL(!).

In your case:

```
git config --global http."https://code.example.com/".sslVerify false
#
# or, if not on default 443 port:
#
git config --global http."https://code.example.com:<aPort>/".sslVerify false
```

That would disable SSL verification only for code.example.com, not for other URLs.

Or:

```
git config --global http."https://code.example.com/".sslCAInfo <downloaded certificate>.pem
```

Same idea: sslCAInfo would point to <downloaded certificate>.pem only for code.example.com URLs.

It is possible to add your certificate in the Git system certificate store, which, with git-for-windows, would be in C:\path\to\PortableGit-2.6.1-64-bit\usr\ssl\certs\ca-bundle.crt.
It isn't the best practice, though, unless you have to distribute a Git distro with internal certificates in it.


9 Comments

How can you use a wildcard like *.mycompany.com to match all subdomains?
@bbodenmiller I don't know if you can: that would be a good question to ask.
The first example does not seem to work with global. We have an intranet git server with a self-signed certificate for which I tried to set sslVerify to false by using the URL example. This makes sense for us, since we have dozens of projects on that domain and it would be annoying to configure this for every single project in the local config file. But it simply does not seem to work.
@IroNEDR What version of Git are you using? The setting is to be set on the client side, not the server side.
@IroNEDR I suppose the issue would persist with Git 2.12? What error message do you see?
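
The per-URL scoping from the answer above, as an added example that is not part of the original thread: it writes the unscoped setting from the question and the URL-scoped `sslCAInfo` setting from the answer into two scratch config files, then asks `git config --get-urlmatch` which value Git would apply to each remote. The certificate path, the corporate repository URL and the scratch files are constructed placeholders.

```shell
#!/bin/sh
# Constructed placeholder values, not taken from a real setup.
CORP_URL='https://code.example.com/git/fizzbuzz.git'
GITHUB_URL='https://github.com/user/fizzbuzz.git'
CORP_PEM='/etc/ssl/corp/code.example.com.pem'

# Print the http.<key> value Git would use for <url>, reading only the
# given config file; prints "default" when no entry matches the URL.
resolve() {  # resolve <config-file> <key> <url>
    git config --file "$1" --get-urlmatch "http.$2" "$3" 2>/dev/null || echo default
}

# As in the question: one CA file applied to every HTTPS remote.
write_unscoped() {
    git config --file "$1" http.sslCAInfo "$CORP_PEM"
}

# As in the answer: the CA file applies to the corporate host only.
write_scoped() {
    git config --file "$1" "http.https://code.example.com/.sslCAInfo" "$CORP_PEM"
}

demo() {
    dir=$(mktemp -d)
    write_unscoped "$dir/unscoped"
    write_scoped "$dir/scoped"
    for cfg in unscoped scoped; do
        for url in "$CORP_URL" "$GITHUB_URL"; do
            # sslVerify is printed too: with sslCAInfo it is never switched off.
            printf '%-8s %-42s sslCAInfo=%s sslVerify=%s\n' "$cfg" "$url" \
                "$(resolve "$dir/$cfg" sslCAInfo "$url")" \
                "$(resolve "$dir/$cfg" sslVerify "$url")"
        done
    done
    rm -rf "$dir"
}

demo
```

In the `scoped` rows the github.com remote resolves to Git's default trust store while the corporate remote gets the pinned certificate file, and `sslVerify` stays at its default for both.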
8

As of v2.5.0 of Git for Windows, the installed certificate file has moved to C:\Program Files (x86)\Git\mingw32\ssl\certs\ca-bundle.crt. You have to add your certs into this file.

1 Comment

To others, keep in mind Git may be in `C:\Program Files\Git\mingw64` if you have the 64-bit version
