SSL certificate rejected trying to access GitHub over HTTPS behind firewall

I'm stuck behind a firewall so have to use HTTPS to access my GitHub repository. I'm using cygwin 1.7.7 on Windows XP.

I've tried setting the remote to https://username@github.com/username/ExcelANT.git , but pushing prompts for a password, but doesn't do anything once I've entered it. https://username:<password>github.com/username/ExcelANT.git and cloning the empty repo from scratch but each time it gives me the same error

error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs

Turning on GIT_CURL_VERBOSE=1 gives me

* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239... * successfully set certificate verify locations:
* CAfile: none
CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Expire cleared
* Closing connection #0
* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239... * successfully set certificate verify locations:
* CAfile: none
CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Expire cleared
* Closing connection #0
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs

fatal: HTTP request failed

Is this a problem with my firewall, cygwin or what?

I hadn't set the HTTP proxy in the Git config, however it's an ISA server that needs NTLM authentication, not basic, so unless anyone knows how to force git to use NTLM, I'm scuppered.

Feel free to skip past this answer if you want to fix the certificates issue. This answer deals with tunneling ssh through the firewall which is IMHO a better solution to dealing with firewall/proxy thingies.

There is a better way than using http access and that is to use the ssh service offered by github on port 443 of the ssh.github.com server.

We use a tool called corkscrew. This is available for both CygWin (through setup from the cygwin homepage) and Linux using your favorite packaging tool. For MacOSX it is available from macports and brew at least.

The commandline is as follows :

$ corkscrew <proxyhost> <proxyport> <targethost> <targetport> <authfile>

The proxyhost and proxyport are the coordinates of the https proxy. The targethost and targetport is the location of the host to tunnel to. The authfile is a textfile with 1 line containing your proxy server username/password separated by a colon

eg:

abc:very_secret

Installation for using "normal" ssh protocol for git communication

By adding this to the ~/.ssh/config this trick can be used for normal ssh connections.

Host github.com
  HostName ssh.github.com
  Port 443
  User git
  ProxyCommand corkscrew <proxyhost> <proxyport> %h %p ~/.ssh/proxy_auth

now you can test it works by ssh-ing to gitproxy

pti@pti-laptop:~$ ssh github.com
PTY allocation request failed on channel 0
Hi ptillemans! You've successfully authenticated, but GitHub does not provide shell access.
       Connection to github.com closed.
pti@pti-laptop:~$

(Note: if you never logged in to github before, ssh will be asking to add the server key to the known hosts file. If you are paranoid, it is recommended to verify the RSA fingerprint to the one shown on the github site where you uploaded your key).

A slight variant on this method is the case when you need to access a repository with another key, eg to separate your private account from your professional account.

# 
# account dedicated for the ACME private github account 
#
Host acme.github.com
  User git
  HostName ssh.github.com
  Port 443
  ProxyCommand corkscrew <proxyhost> <3128> %h %p ~/.ssh/proxy_auth
  IdentityFile ~/.ssh/id_dsa_acme

enjoy!

We've been using this for years now on both Linux, Macs and Windows.

If you want you can read more about it in this blog post

The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.

Update: Install Net/ca-certificates package in cygwin (thanks dirkjot)

There are two solutions:

$ env GIT_SSL_NO_VERIFY=true git clone https://github...

$ cd /usr/ssl/certs
$ curl http://curl.haxx.se/ca/cacert.pem |
  awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
$ c_rehash

The easiest way is to disable the SSL CERT verification:

git config --global http.sslVerify false

This will prevent CURL to verity the HTTPS certification.

For one repository only:

git config http.sslVerify false

Note: disabling SSL verification has security implications . It allows Man in the Middle attacks when you use Git to transfer data over a network. Be sure you fully understand the security implications before using this as a solution.

上一篇: 为什么GitHub HTTPS方案总是要求我输入密码？

下一篇: SSL证书被拒绝，试图通过HTTPS在防火墙后面访问GitHub