SSL certificate problem: self signed certificate in certificate chain #646

Closed
ddfridley opened this issue May 25, 2018 · 17 comments

@ddfridley ddfridley commented May 25, 2018

I am unable to push to git. I see that there have been changes and I've been upgrading to catch up, but I'm really stuck. I'm sorry to post this, I've been trying to figure it out.

$ git --version
git version 2.17.0.windows.1 // 64 bit

$ git credential-manager version
Git Credential Manager for Windows version 1.16.0

git push origin master
fatal: unable to access 'https://github.com/Synaccord/synaccord.git/': SSL certificate problem: self signed certificate in certificate chain

This used to work, but I understand github has gotten more strict about SSL. Fine. But I can't seem to delete the old certificate and create a new one.

On Windows 10 (Home Version 1709 OS Build 16299.431) when I go to Settings and search for "Credential" I see "Credential Manager", "Manage Windows Credentials", and "Manage Web Credentials". When I click on "Credential Manager" (or any of the three) the list disappears and I'm back to the search option. Has credential management been removed from windows?

I've tried

git credential-manager delete https://github.com/Synaccord/synaccord.git/
It returns no error, and has no effect on the git push

git config --list //filtered
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
http.sslbackend=openssl
credential.usehttppath=true
credential.helper=manager
http.sslbackend=openssl
credential.manager=--version

I'm stuck. Any ideas would be appreciated.

Contributor

@gistofj gistofj commented May 26, 2018

You will need TLS 1.2 enabled in your operating system, and in the .NET Framework. Windows 10 ought to offer this to you for free, but some people have reported it not happening.

Here's a useful link to help self diagnose: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-12

There's also a handy blurb about it on the front page of this project about TLS 1.2.

Another thing I see is that you're using http.sslbackend=openssl, I recommend trying git config --global http.sslbackend schannel and re-trying. That may help.

@gistofj gistofj added the question label May 26, 2018

@Synaccord Synaccord commented May 29, 2018

Hi, first let me contribute that for anyone else who can't get their Certificate Manager to come up (and I see others have had this problem and people don't understand what you're talking about) I can't say why or how to fix it, but here's a direct way to bring it up:
<windows button>-R "control /name Microsoft.CredentialManager"
Then I deleted the credential for above, but I still get the same error message.

I have changed to schannel and I'm getting an error and I do need to upgrade .NET so I will do that and report back.

@Synaccord Synaccord commented May 29, 2018

When I use schannel I get the error:
fatal: unable to access 'https://github.com/Synaccord/synaccord.git/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

github has this document:
https://github.com/desktop/desktop/blob/master/docs/known-issues.md#certificate-revocation-check-fails---3326

Saying that schannel has this problem on "some networks" and the workaround is to use openssl

Using openssl I get this error:
fatal: unable to access 'https://github.com/Synaccord/synaccord.git/': SSL certificate problem: self signed certificate in certificate chain

Using the hack above to get to certificate manager, I was able to remove the manually configured url and generic credential. But that had no effect on the result.

Any suggestions would help. Thanks.

with
export GIT_CURL_VERBOSE=1
git push origin master

I get this message in my verbose messages:

* successfully set certificate verify locations:
  CAfile: C:/Users/dfri/git/cacert.pem
  CApath: none
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x3c19870; line 1587 (connection #0)
* SSL certificate problem: self signed certificate in certificate chain

The cacert.pem is from https://curl.haxx.se/docs/caextract.html

Is it complaining about something in the cacert file, or is it complaining about something in the certificate manager? -- There are other manually generated login/password credentials in the certificate manager.

Contributor

@shiftkey shiftkey commented May 30, 2018

@Synaccord could you run this command and attach the output to see what certificates you are getting? On my side this is what I see - it'd be nice to see how yours differs.

$ openssl s_client  -connect www.github.com:443
CONNECTED(00000006)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...

@ddfridley ddfridley commented May 30, 2018

@shiftkey -- interesting this is what it said:

openssl s_client  -connect www.github.com:443
CONNECTED(000001E4)
depth=1 O = AO Kaspersky Lab, CN = Kaspersky Anti-Virus Personal Root Certificate
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
 1 s:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
   i:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
---
Server certificate
-----BEGIN CERTIFICATE-----
….
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2418 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A1BCEE841D4DBF172402BAF63BC9A80D560ED0FBC8F66B89E692206D3613FD7E
    Session-ID-ctx:
    Master-Key: ************************************************************************
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1527649383
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed
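
The comparison requested above, automated as an added example (not code from this thread or from the project): it parses the `Certificate chain` block of `openssl s_client` output and reports when the leaf's issuer falls outside an expected set or the peer sends a self-signed root. The function names, the allow-list and the abridged sample text are assumptions for illustration, and the parser handles only the slash-separated DN style shown in this thread.

```python
import re

# Constructed samples: the chain blocks quoted in this thread, GitHub subject
# abridged. ALLOWED_ISSUER_ORGS is an assumption taken from the 2018 output above.
ALLOWED_ISSUER_ORGS = {"DigiCert Inc"}
DIRECT = """\
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
"""
INTERCEPTED = """\
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
 1 s:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
   i:/O=AO Kaspersky Lab/CN=Kaspersky Anti-Virus Personal Root Certificate
---
    Verify return code: 19 (self signed certificate in certificate chain)
"""

def parse_chain(text):
    """Return [(depth, subject, issuer)] from the 'N s:' / 'i:' line pairs."""
    pairs = re.findall(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", text, re.MULTILINE)
    return [(int(d), s.strip(), i.strip()) for d, s, i in pairs]

def issuer_org(dn):
    """Extract the O= component of a slash-separated DN, or None."""
    m = re.search(r"/O=([^/]+)", dn)
    return m.group(1) if m else None

def inspect_chain(text, allowed=ALLOWED_ISSUER_ORGS):
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no 'Certificate chain' entries found")
    leaf_org = issuer_org(chain[0][2])
    code = re.search(r"Verify return code: (\d+)", text)
    return {
        "leaf_issuer_org": leaf_org,
        "unexpected_issuer": leaf_org not in allowed,
        # subject == issuer means the peer sent a self-signed root in the chain
        "self_signed_in_chain": any(s == i for _, s, i in chain),
        "verify_code": int(code.group(1)) if code else None,
    }

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("intercepted", INTERCEPTED)):
        print(name, inspect_chain(sample))
```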

@Synaccord Synaccord commented May 30, 2018

@shiftkey So if I go into Kaspersky / settings / protection and turn off Web Anti-Virus then it works! I am able to push to github.com

Thank you!

Contributor

@shiftkey shiftkey commented May 30, 2018

@Synaccord thanks for confirming the workaround - @ddfridley would the same trick work for you?

@ddfridley ddfridley commented May 30, 2018

@shiftkey yes thanks!

Contributor

@gistofj gistofj commented May 30, 2018

Thank you (again, and as always) @shiftkey for your vast knowledge and willingness to help. 😄 🙇

@gistofj gistofj closed this May 30, 2018

@zahra-soltaninejad zahra-soltaninejad commented Aug 19, 2018

I had this problem and it was solved by turning off my VPN

@Restaldt Restaldt commented Oct 13, 2018

> @shiftkey So if I go into Kaspersky / settings / protection and turn off Web Anti-Virus then it works! I am able to push to github.com

This worked for me as well

@darrencole darrencole commented Nov 10, 2018

Thank you soooo much @shiftkey, @ddfridley @Synaccord and others! I had to switch off the Kaspersky firewall as well.

@bheale bheale commented Nov 15, 2018

Is there a security risk for your computer when you turn off the firewall? Shouldn't there be a better way than turning off your antivirus program? Thanks, any info helps.

@darrencole darrencole commented Nov 15, 2018

@bheale. What are you trying to do when you get the error?

@bheale bheale commented Nov 17, 2018

trying to push to github

@Joy-Giovanni Joy-Giovanni commented Jan 22, 2019

thanks to @Synaccord, turning off the web protection worked for me as well

@ArthurZ ArthurZ commented Nov 6, 2019

I ran git config --global http.sslVerify false and then was able to clone a repo.
