I am unable to push to git. I see that there have been changes and I've been upgrading to catch up, but I'm really stuck. I'm sorry to post this, I've been trying to figure it out.
$ git --version
git version 2.17.0.windows.1 // 64 bit
$ git credential-manager version
Git Credential Manager for Windows version 1.16.0
git push origin master
fatal: unable to access 'https://github.com/Synaccord/synaccord.git/': SSL certificate problem: self signed certificate in certificate chain
This used to work, but I understand github has gotten more strict about SSL. Fine. But I can't seem to delete the old certificate and create a new one.
On Windows 10 (Home Version 1709 OS Build 16299.431) when I go to Settings and search for "Credential" I see "Credential Manager", "Manage Windows Credentials", and "Manage Web Credentials". When I click on "Credential Manager" (or any of the three) the list disappears and I'm back to the search option. Has credential management been removed from windows?
I've tried
git credential-manager delete https://github.com/Synaccord/synaccord.git/
It returns no error, and has no effect on the git push
git config --list //filtered
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
http.sslbackend=openssl
credential.usehttppath=true
credential.helper=manager
http.sslbackend=openssl
credential.manager=--version
I'm stuck. Any ideas would be appreciated.
You will need TLS 1.2 enabled in your operating system, and in the .NET Framework. Windows 10 ought to offer this to you for free, but some people have reported it not happening.
Here's a useful link to help self diagnose: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-12
There's also a handy blurb about it on the front page of this project about TLS 1.2.
Another thing I see is that you're using http.sslbackend=openssl. I recommend trying git config --global http.sslbackend schannel and re-trying. That may help.
Hi, first let me contribute that for anyone else who can't get their Certificate Manager to come up (and I see others have had this problem and people don't understand what you're talking about) I can't say why or how to fix it, but here's a direct way to bring it up:
<windows button>-R "control /name Microsoft.CredentialManager"
Then I deleted the credential for above, but I still get the same error message.
I have changed to schannel and I'm getting an error and I do need to upgrade .NET so I will do that and report back.
When I use schannel I get the error:
fatal: unable to access 'https://github.com/Synaccord/synaccord.git/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
github has this document:
https://github.com/desktop/desktop/blob/master/docs/known-issues.md#certificate-revocation-check-fails---3326
Saying that schannel has this problem on "some networks" and the workaround is to use openssl
Using openssl I get this error:
fatal: unable to access 'https://github.com/Synaccord/synaccord.git/': SSL certificate problem: self signed certificate in certificate chain
Using the hack above to get to certificate manager, I was able to remove the manually configured url and generic credential. But that had no effect on the result.
Any suggestions would help. Thanks.
with
export GIT_CURL_VERBOSE=1
git push origin master
I get this message in my verbose messages:
The cacert.pem is from https://curl.haxx.se/docs/caextract.html
Is it complaining about something in the cacert file, or is it complaining about something in the certificate manager? -- There are other manually generated login/password credentials in the certificate manager.
@Synaccord could you run this command and attach the output to see what certificates you are getting? On my side this is what I see - it'd be nice to see how yours differs.
$ openssl s_client -connect www.github.com:443
CONNECTED(00000006)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
@shiftkey -- interesting this is what it said:
openssl s_client -connect www.github.com:443
CONNECTED(000001E4)
depth=1 O = AO Kaspersky Lab, CN = Kaspersky Anti-Virus Personal Root Certificate
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
i:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
1 s:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
i:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
---
Server certificate
-----BEGIN CERTIFICATE-----
….
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2418 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: A1BCEE841D4DBF172402BAF63BC9A80D560ED0FBC8F66B89E692206D3613FD7E
Session-ID-ctx:
Master-Key: ************************************************************************
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1527649383
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
closed
@shiftkey So if I go into Kaspersky / settings / protection and turn off Web Anti-Virus then it works! I am able to push to github.com
Thank you!
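The comparison made by eye between the two openssl s_client outputs above can be scripted. This is an added example, not code from anyone in the thread; the function names are hypothetical and the two samples are constructed by abbreviating the chains posted above.

```bash
#!/usr/bin/env bash
# Summarise `openssl s_client` output: the issuer at the top of the chain the
# server presented, any self-signed certificate sent inside that chain, and
# the verify return code. Function names are hypothetical.
chain_report() {
  awk '
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
    /^ *i:/ && subj != "" {
      sub(/^ *i:/, "")
      if ($0 == subj) print "self-signed-in-chain: " subj
      top = $0; subj = ""; next
    }
    /Verify return code:/ { code = $4 }
    END {
      print "top-issuer: " (top == "" ? "unknown" : top)
      print "verify-code: " (code == "" ? "unknown" : code)
    }'
}

# Constructed sample, abbreviated from the second output in this thread.
sample_intercepted() {
  cat <<'EOF'
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
 1 s:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
   i:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
---
    Verify return code: 19 (self signed certificate in certificate chain)
EOF
}

# Constructed sample, abbreviated from the first output in this thread.
sample_direct() {
  cat <<'EOF'
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
EOF
}

sample_intercepted | chain_report
# Live check (needs network):
#   openssl s_client -connect github.com:443 -servername github.com </dev/null 2>/dev/null | chain_report
```

A self-signed-in-chain line naming a local security product or proxy, together with verify code 19, means the TLS session is being re-signed on the way to Git and the OpenSSL CA bundle does not contain that root.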
@Synaccord thanks for confirming the workaround - @ddfridley would the same trick work for you?
@shiftkey yes, thanks!
Thank you (again, and as always) @shiftkey for your vast knowledge and willingness to help. 😄 🙇
I had this problem and it was solved by turning off my VPN
@shiftkey So if I go into Kaspersky / settings / protection and turn off Web Anti-Virus then it works! I am able to push to github.com
This worked for me as well
Thank you soooo much @shiftkey, @ddfridley @Synaccord and others! I had to switch off the Kaspersky firewall as well.
Is there a security risk for your computer when you turn off the firewall? Shouldn't there be a better way than turning off your antivirus program? Thanks, any info helps.
@bheale. What are you trying to do when you get the error?
trying to push to github
Thanks to @Synaccord, turning off the web protection worked for me as well
I ran git config --global http.sslVerify false and then was able to clone a repo.
I ran git config --global http.sslVerify false and then was able to clone a repo.
That is the perfect answer.
I ran git config --global http.sslVerify false and then was able to clone a repo.
Please note that this is worse than using a non-HTTPS URL: it gives you the false sense of security, when in fact http.sslVerify= false opens the door for anybody who can meddle with your network connections to fool you into cloning/fetching malicious payload via a "secure" line: all they need is a bogus SSL certificate and you will be none the wiser.
It is rather dangerous and misleading to even suggest http.sslVerify = false as a "solution". Your Git worktrees and repositories are very, very much not secure after setting that.
I ran git config --global http.sslVerify false and then was able to clone a repo.
Please note that this is worse than using a non-HTTPS URL: it gives you the false sense of security, when in fact http.sslVerify= false opens the door for anybody who can meddle with your network connections to fool you into cloning/fetching malicious payload via a "secure" line: all they need is a bogus SSL certificate and you will be none the wiser.
It is rather dangerous and misleading to even suggest http.sslVerify = false as a "solution". Your Git worktrees and repositories are very, very much not secure after setting that.
@dscho if somebody can meddle with my network connections then I am doomed even without this command in a worse way than that.
However this begs a question why such a command is allowed in the first place?
It is rather dangerous and misleading to even suggest http.sslVerify = false as a "solution". Your Git worktrees and repositories are very, very much not secure after setting that.
@dscho if somebody can meddle with my network connections then I am doomed even without this command in a worse way than that.
Sure, _you_ may even be able to say with absolute certainty that your network is safe. But that is not what I was talking about.
There has been a misconception that the suggestion to set http.sslVerify is a good one. It is not. It is unsafe. You have to be very familiar with the implications to do it. If you do not, you open yourself to attacks.
And having such a suggestion without even the trace of such a stern warning is negligent.
However this begs a question why such a command is allowed in the first place?
It is allowed because it is helpful in certain circumstances, when used _with care_. The setting is obscure enough that regular users won't find it, and as a consequence do not open themselves to attack.
However, in this ticket it was suggested without context, without warning, and that is just wrong. You don't do that to other users.
Does that clear up my objection?
However, in this ticket it was suggested without context, without warning, and that is just wrong. You don't do that to other users.
Or maybe I am reading "This is the perfect answer" wrong. But then, I suspect that _most_ users will read this wrong. It is absolutely, definitely, certainly _not_ the perfect answer, at all.
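Because http.sslVerify false tends to be set once and then forgotten, a small audit helps find where it is still in effect. This is an added example, not code from anyone in the thread; the function names, sample paths and the git.example.test host are hypothetical, and the sample input is constructed in the format printed by git config --list --show-origin.

```bash
#!/usr/bin/env bash
# Flag every scope where TLS verification is switched off for Git's HTTPS
# transport. Input: `git config --list --show-origin` text (origin<TAB>key=value).
# Function names and sample paths are hypothetical.
find_ssl_verify_off() {
  awk -F'\t' '
    {
      origin = (NF > 1) ? $1 : "(origin not shown)"
      kv     = (NF > 1) ? $2 : $1
      # Matches http.sslVerify and URL-scoped http.<url>.sslVerify; Git
      # treats false, no, off and 0 as boolean false, case-insensitively.
      if (tolower(kv) ~ /^http\.(.*\.)?sslverify=(false|no|off|0)$/)
        print origin ": " kv
    }'
}

# GIT_SSL_NO_VERIFY disables verification whenever it is set, whatever the
# config files say, so it is checked separately.
env_verify_off() {
  [ "${GIT_SSL_NO_VERIFY+set}" = set ]
}

# Constructed sample: system, global and repository scopes.
sample_config() {
  printf '%s\t%s\n' \
    'file:C:/Program Files/Git/etc/gitconfig' 'http.sslbackend=schannel' \
    'file:C:/Users/example/.gitconfig' 'http.sslverify=false' \
    'file:C:/Users/example/.gitconfig' 'http.https://git.example.test/.sslverify=Off' \
    'file:.git/config' 'http.schannelcheckrevoke=false' \
    'file:.git/config' 'http.sslverify=true'
}

sample_config | find_ssl_verify_off
if env_verify_off; then echo "environment: GIT_SSL_NO_VERIFY is set"; fi

# Real use:  git config --list --show-origin | find_ssl_verify_off
# Clean-up:  git config --global --unset http.sslVerify
```

The origin column shows which file to edit, and the http.schannelcheckrevoke line is deliberately not flagged because it leaves certificate chain validation in place.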
If you have an issue with the revocation test with schannel, using the option to not do the revocation test is a better option than fully disabling certificate checks:
git config --global http.schannelCheckRevoke "false"
However, once the certificate configuration is done I still get an authentication failed via the credential manager for windows: fatal: Authentication failed
This only happens when SSL inspection is occurring. With SSL inspection off, authentication works.
Does anyone know about issues between SSL inspection and authentication?
Please note that Git for Windows v2.26.0 defaults to a new "best effort" revocation checking where it no longer fails if there is no revocation list URL in the certificate (which is the case for many/all self-signed certificates) or when that URL's server is offline.
This fixed the problem for me
https://mattferderer.com/fix-git-self-signed-certificate-in-certificate-chain-on-windows