Git: Cannot Clone a Repo

Created on 21 Mar 2018 · 9Comments · Source: git-for-windows/git

[ x ] I was not able to find an open or closed issue matching what I'm seeing

Setup

Which version of Git for Windows are you using? Is it 32-bit or 64-bit?

$ git --version --build-options

git version 2.14.1.windows.1
built from commit: 82d9b3f3b2407b52251620597d4b14933685459d
sizeof-long: 4
machine: x86_64

Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?

$ cmd.exe /c ver

Microsoft Windows [Version 6.1.7601]

What options did you set as part of the installation? Or did you choose the
defaults?

# One of the following:
> type "C:\Program Files\Git\etc\install-options.txt"
> type "C:\Program Files (x86)\Git\etc\install-options.txt"
> type "%USERPROFILE%\AppData\Local\Programs\Git\etc\install-options.txt"
$ cat /etc/install-options.txt

Path Option: Cmd
SSH Option: OpenSSH
CURL Option: OpenSSL
CRLF Option: CRLFAlways
Bash Terminal Option: MinTTY
Performance Tweaks FSCache: Enabled
Use Credential Manager: Enabled
Enable Symlinks: Disabled

Any other interesting things about your environment that might be related
to the issue you're seeing?

I am behind a proxy. Here's the output of my git config -l --show-origin command:
file:"C:\ProgramData/Git/config" core.symlinks=false
file:"C:\ProgramData/Git/config" core.autocrlf=true
file:"C:\ProgramData/Git/config" core.fscache=true
file:"C:\ProgramData/Git/config" color.diff=auto
file:"C:\ProgramData/Git/config" color.status=auto
file:"C:\ProgramData/Git/config" color.branch=auto
file:"C:\ProgramData/Git/config" color.interactive=true
file:"C:\ProgramData/Git/config" help.format=html
file:"C:\ProgramData/Git/config" rebase.autosquash=true
file:"C:\Program Files\Git\mingw64/etc/gitconfig" http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
file:"C:\Program Files\Git\mingw64/etc/gitconfig" http.sslbackend=openssl
file:"C:\Program Files\Git\mingw64/etc/gitconfig" diff.astextplain.textconv=astextplain
file:"C:\Program Files\Git\mingw64/etc/gitconfig" filter.lfs.clean=git-lfs clean -- %f
file:"C:\Program Files\Git\mingw64/etc/gitconfig" filter.lfs.smudge=git-lfs smudge -- %f
file:"C:\Program Files\Git\mingw64/etc/gitconfig" filter.lfs.required=true
file:"C:\Program Files\Git\mingw64/etc/gitconfig" filter.lfs.process=git-lfs filter-process
file:"C:\Program Files\Git\mingw64/etc/gitconfig" credential.helper=manager
file:H://.gitconfig https.proxy=http://webproxy.bankofamerica.com:8080
file:H://.gitconfig http.proxy=http://webproxy.bankofamerica.com:8080

Details

Which terminal/shell are you running Git from? e.g Bash/CMD/PowerShell/other

Git Bash and Cmd

What commands did you run to trigger this issue? If you can provide a
Minimal, Complete, and Verifiable example
this will help us understand the issue.

git clone https://github.com/planetoftheweb/learnangular5.git learnangular5

What did you expect to occur after running these commands?

The repo being cloned.

What actually happened instead?

Cloning into 'learnangular5'...
fatal: unable to access 'https://github.com/planetoftheweb/learnangular5.git/':
SSL certificate problem: unable to get local issuer certificate

If the problem was occurring with a specific repository, can you provide the
URL to that repository to help us with testing?

https://github.com/planetoftheweb/learnangular5.git

unclear

Source

calioto

All 9 comments

Could you try again after setting the environment variables GIT_TRACE=1 and GIT_TRACE_CURL=1?

dscho on 22 Mar 2018

Here's the output from that:
13:51:31.554961 git.c:328 Cloning into 'learnangular5'...
13:51:31.926961 run-command.c:626 13:51:32.072961 git.c:560 13:51:32.090961 run-command.c:626 13:51:32.346961 http.c:662 13:51:32.347961 http.c:662 13:51:32.360961 http.c:662 13:51:32.360961 http.c:662 13:51:32.388961 http.c:662 13:51:32.388961 http.c:662 13:51:32.388961 http.c:662 13:51:32.388961 http.c:609 13:51:32.388961 http.c:621 13:51:32.388961 http.c:621 13:51:32.388961 http.c:621 13:51:32.388961 http.c:621 13:51:32.388961 http.c:621 13:51:32.415961 http.c:609 13:51:32.415961 http.c:621 13:51:32.415961 http.c:609 13:51:32.416961 http.c:621 13:51:32.416961 http.c:662 13:51:32.416961 http.c:662 13:51:32.681961 http.c:662 13:51:32.681961 http.c:662 13:51:32.691961 http.c:662 13:51:32.691961 http.c:662 CApath: none
13:51:32.691961 http.c:662 13:51:32.691961 http.c:635 13:51:32.691961 http.c:650 13:51:32.691961 http.c:662 13:51:32.691961 http.c:635 13:51:32.691961 http.c:650 13:51:32.691961 http.c:650 13:51:32.692961 http.c:650 13:51:32.692961 http.c:650 13:51:32.692961 http.c:650 13:51:32.692961 http.c:650 13:51:32.692961 http.c:650 13:51:32.692961 http.c:650 13:51:32.692961 http.c:650 13:51:32.692961 http.c:662 13:51:32.692961 http.c:662 13:51:32.720961 http.c:635 13:51:32.721961 http.c:650 13:51:32.721961 http.c:662 13:51:32.721961 http.c:635 13:51:32.721961 http.c:650 13:51:32.721961 http.c:650 13:51:32.721961 http.c:635 13:51:32.721961 http.c:650 13:51:32.722961 http.c:662 13:51:32.722961 http.c:635 13:51:32.722961 http.c:650 13:51:32.722961 http.c:650 13:51:32.722961 http.c:650 13:51:32.722961 http.c:650 13:51:32.722961 http.c:650 13:51:32.722961 http.c:650 13:51:32.722961 http.c:650 13:51:32.722961 http.c:650 13:51:32.722961 http.c:650 13:51:32.723961 http.c:650 13:51:32.723961 http.c:650 13:51:32.723961 http.c:650 13:51:32.728961 http.c:650 13:51:32.728961 http.c:650 13:51:32.729961 http.c:650 13:51:32.729961 http.c:650 13:51:32.729961 http.c:650 13:51:32.729961 http.c:650 13:51:32.729961 http.c:650 13:51:32.729961 http.c:650 13:51:32.729961 http.c:650 13:51:32.729961 http.c:650 13:51:32.729961 http.c:635 13:51:32.729961 http.c:650 13:51:32.730961 http.c:662 13:51:32.730961 http.c:635 13:51:32.730961 http.c:650 13:51:32.730961 http.c:662 13:51:32.730961 http.c:662 13:51:32.730961 http.c:662 13:51:32.730961 http.c:635 13:51:32.730961 http.c:650 13:51:32.730961 http.c:662 13:51:32.730961 http.c:635 13:51:32.730961 http.c:650 fatal: unable to trace: built-in: git 'clone' 'https://github.com/planetoftheweb/learnangular5.git' 'learnangular5'
trace: run_command: 'remote-https' 'origin' 'https://github.com/planetoftheweb/learnangular5.git'
trace: exec: 'git-remote-https' 'origin' 'https://github.com/planetoftheweb/learnangular5.git'
trace: run_command: 'git-remote-https' 'origin' 'https://github.com/planetoftheweb/learnangular5.git'
== Info: Couldn't find host github.com in the _netrc file; using defaults
== Info: timeout on name lookup is not supported
== Info: Trying 171.148.165.61...
== Info: TCP_NODELAY set
== Info: Connected to webproxy.bankofamerica.com (171.148.165.61) port 8080 (#0)
== Info: allocate connect buffer!
== Info: Establish HTTP proxy tunnel to github.com:443
=> Send header, 0000000121 bytes (0x00000079)
=> Send header: CONNECT github.com:443 HTTP/1.1
=> Send header: Host: github.com:443
=> Send header: User-Agent: git/2.14.1.windows.1
=> Send header: Proxy-Connection: Keep-Alive
=> Send header:
<= Recv header, 0000000037 bytes (0x00000025)
<= Recv header: HTTP/1.1 200 Connection established
<= Recv header, 0000000002 bytes (0x00000002)
<= Recv header:
== Info: Proxy replied OK to CONNECT request
== Info: CONNECT phase completed!
== Info: ALPN, offering http/1.1
== Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
== Info: successfully set certificate verify locations:
== Info: CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
== Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
=> Send SSL data, 0000000005 bytes (0x00000005)
=> Send SSL data: .....
== Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 0000000512 bytes (0x00000200)
=> Send SSL data: ......e.....].C}k....'.... .N.....C......0.,.(.$...........
=> Send SSL data: ..k.j.i.h.9.8.7.6.........2....&.......=.5.../.+.'.#.......
=> Send SSL data: ......g.@.?.>.3.2.1.0.........E.D.C.B.1.-.).%.......<./...A.
=> Send SSL data: ........................3.........github.com................
=> Send SSL data: ........................... ................................
=> Send SSL data: .....3t.........http/1.1....................................
=> Send SSL data: ............................................................
=> Send SSL data: ............................................................
=> Send SSL data: ................................
== Info: CONNECT phase completed!
== Info: CONNECT phase completed!
<= Recv SSL data, 0000000005 bytes (0x00000005)
<= Recv SSL data: ....b
== Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 0000000098 bytes (0x00000062)
<= Recv SSL data: ...^..Z..0]....y>....Aj....E.Z......x lj........j..d.y(s.8
<= Recv SSL data: .@ip|GC...Z.0.........................
<= Recv SSL data, 0000000005 bytes (0x00000005)
<= Recv SSL data: .....
== Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
<= Recv SSL data, 0000001267 bytes (0x000004f3)
<= Recv SSL data: [email protected].'0....H........0..1
<= Recv SSL data: "0 ..U....amrs-G2.bankofamerica.com1.0...U....US1.0...U....N
<= Recv SSL data: C1.0...U....Charlotte1.0...U....Bank of America1$0"..U....We
<= Recv SSL data: b Malware Inspection AMRS0...160310000000Z..180517120000Z0..
<= Recv SSL data: 1.0...U....Private Organization1.0...+.....7<.....US1.0...+.
<= Recv SSL data: ....7<.....Delaware1.0...U....51575501$0"..U....88 Colin P K
<= Recv SSL data: elly, Jr Street1.0...U....941071.0...U....US1.0...U....Calif
<= Recv SSL data: ornia1.0...U....San Francisco1.0...U....GitHub, Inc.1.0...U.
<= Recv SSL data: ...github.com0.."0....H.............0.........vH|.⌂........
<= Recv SSL data: ......Vb.....e...q..;5..%N....MZ.$\F]...cp.} .H-.|.mP.[cY..
<= Recv SSL data: .,...E..X.J(g...I,.A.....R+..8lV6.q6.OY........Y&F"Y-.s..x} <= Recv SSL data: -..B....bk.X....e.(92+R.Ru...........G\S...h.j7V.}T.⌂....{.
<= Recv SSL data: [email protected]?y..u.G.q..3]."o
<= Recv SSL data: ..........0..0f..`.H...B...Y.W/C=US/O=DigiCert Inc/OU=www.di
<= Recv SSL data: gicert.com/CN=DigiCert SHA2 Extended Validation Server CA0..
<= Recv SSL data: .U....0.0...U......E.}....83....UBvU .0...U........0%..U...
<= Recv SSL data: .0...github.com..www.github.com0....H...............J.$dJ..
<= Recv SSL data: .-m.(Y....@ ...dL....bG.1.......Nt... .2......pCe...eS....x
<= Recv SSL data: .Y...Sldv.;n..........{.4...<...D.....Fb..t.)j.{17)...@.?<..
<= Recv SSL data: F..m .......E....j......T.[..MX..Vn....s...*.....M..Q.W.H...
<= Recv SSL data: @YKa.6..J~..?w.g......:..e..7x....>........;..D....;q%...r..
<= Recv SSL data: C....[.
=> Send SSL data, 0000000005 bytes (0x00000005)
=> Send SSL data: .....
== Info: TLSv1.2 (OUT), TLS alert, Server hello (2):
=> Send SSL data, 0000000002 bytes (0x00000002)
=> Send SSL data: .0
== Info: SSL certificate problem: unable to get local issuer certificate
== Info: stopped the pause stream!
== Info: Closing connection 0
=> Send SSL data, 0000000005 bytes (0x00000005)
=> Send SSL data: .....
== Info: TLSv1.2 (OUT), TLS alert, Client hello (1):
=> Send SSL data, 0000000002 bytes (0x00000002)
=> Send SSL data: ..
access 'https://github.com/planetoftheweb/learnangular5.git/': SSL certificate problem: unable to get local issuer certificate

calioto on 22 Mar 2018

@dscho Any update on this?

calioto on 28 Mar 2018

@calioto not really. I do not understand enough about the details of OpenSSL to make sense of this log.

But I do have a suspicion that this tells us what might be wrong:

13:51:32.722961 http.c:650 <= Recv SSL data: C1.0...U....Charlotte1.0...U....Bank of America1$0"..U....We
13:51:32.722961 http.c:650 <= Recv SSL data: b Malware Inspection AMRS0...160310000000Z..180517120000Z0..

As I cannot find any public information on the web, I can only offer the conjecture that this proxy rewrites SSL certificates, and expects the host machine to have a special extra "root certificate" installed so that those rewritten SSL certificates are accepted.

You could possibly validate this suspicion by running

git -c http.sslbackend=schannel clone https://github.com/planetoftheweb/learnangular5.git learnangular5

If this works, then that would confirm my suspicion (and also that your system administrator(s) installed said root certificate).

If this conjecture is correct, the easiest way forward would be to choose Secure Channel as HTTPS transport in the Git for Windows installer.

If you would prefer OpenSSL for some reason, you would have to extract said root certificate somehow, get it into a plain text form, and then append it to your Git's C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt. One way would be to go to "Manager computer certificates", try to figure out which one is the root certificate, and then export it (and possibly convert it into a suitable format using the openssl.exe of Git for Windows). Another, possibly easier way, would be to direct your web browser to https://github.com and then inspect the certificate chain, again extracting the root certificate from there.

Please do let us know of any developments on your side.

dscho on 30 Mar 2018

🎉1

@dscho I ran the the above you mentioned

git -c http.sslbackend=schannel clone https://github.com/planetoftheweb/learnangular5.git learnangular5

and got back the following

Cloning into 'learnangular5'...
fatal: unable to access 'https://github.com/planetoftheweb/learnangular5.git/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Do you have any other suggestions?

calioto on 30 Mar 2018

fatal: unable to access 'https://github.com/planetoftheweb/learnangular5.git/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Of course! The Secure Channel code in cURL still has problems with accessing revocation information (I think because it tries to use the proxy when it should not...)

Do you have any other suggestions?

Yes, of course! I mentioned them in the latter part of https://github.com/git-for-windows/git/issues/1574#issuecomment-377528758: try to extract the root certificate in a form that looks like the existing entries in C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt, and add it to that file.

dscho on 30 Mar 2018

Do you have any other suggestions?

Yes, of course! I mentioned them in the latter part of #1574 (comment): try to extract the root certificate in a form that looks like the existing entries in C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt, and add it to that file.

Did that help?

dscho on 4 Apr 2018

🎉1

Thanks, that worked for me :) --In my case I think corporate proxy is rewriting certificates as you suggest.

If you would prefer OpenSSL for some reason, you would have to extract said root certificate somehow, get it into a plain text form, and then append it to your Git's C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt. One way would be to go to "Manager computer certificates", try to figure out which one is the root certificate, and then export it

gerardbosch on 18 Jul 2018

🎉1

Well, I'll just assume that my suggestion helped. As for the revoke check, we now have http.schannel.CheckRevoke that can be set to false to work around that issue.

dscho on 27 Feb 2019

👍1

Was this page helpful?

0 / 5 - 0 ratings