
Hi all, I have a working certificate chain (testable with OpenSSL), but somehow I cannot manage to tell Git to load these certificates.

I get the same "untrusted root authority" error (SEC_E_UNTRUSTED_ROOT) independently of whether my git configuration points to an existing or a fake certificate chain file.

For details, please check the attached screenshot.

Setting I use in .gitconfig for the fake file:

sslCAInfo = C:/tmp/foobar.crt

or, for the real file, which works with OpenSSL:

sslCAInfo = C:/tmp/ca-bundle.crt

Console transcript:

C:\tmp>openssl version
OpenSSL 0.9.8h 28 May 2008

C:\tmp>git --version
git version 2.12.2.windows.2

C:\tmp>git config --list
http.sslverify=true
http.sslcainfo=C:/tmp/ca-bundle.crt

C:\tmp>dir
24.04.2017 13:45 10.875 ca-bundle.crt

c:\tmp>openssl s_client -state -connect https://mygithost:443 -CAfile .\ca-bundle.crt

Verify return code: 0 (ok)

C:\tmp git clone https://mygithost/bitbucket/scm/my.git
Cloning into ...
fatal: unable to access ... : schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

C:\tmp> git -c http.sslverify=false clone https://mygithost/bitbucket/scm/my.git
Cloning into ...
Resoliving deltas: 100%, done.

C:\tmp>git config --list
http.sslverify=true
http.sslcainfo=C:/tmp/foobar.crt

C:\tmp\xxx\git pull
fatal: unable to access ... : schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
Ta Mu

2 Answers


Been hit by this just today after a fresh install, so here's how I got over it:

From your logs (emphasis is mine):

fatal: unable to access ... : schannel: next InitializeSecurityContext failed:

Git is configured to use schannel (the Windows native implementation), but schannel uses the Windows certificate bundle and not the cainfo bundle.

To switch to OpenSSL so that a custom bundle file is used, run this:

git config --system http.sslbackend openssl

And now git will honor the CA bundle passed in http.sslcainfo.

Alternatively, as my error was a cipher suite problem, you may be interested in the following links:

Tensibai
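To make the backend rule in this answer checkable, here is an added example (not code from the thread or from Git) that parses the output of `git config --list` and reports whether `http.sslcainfo` will be honored. It applies exactly the rule stated above: with the schannel backend the cainfo bundle is ignored, with the openssl backend it is used. One assumption is labelled in the code: when `http.sslbackend` is unset, the script treats the backend as schannel, because that is what the question's transcript shows on Git for Windows 2.12 with no backend configured. The sample listings are constructed from the question's transcript.

```python
"""Diagnose a `git config --list` listing for the schannel-vs-openssl CA bundle problem.

Added example, not from the thread. Rule from the answer above: schannel ignores
http.sslcainfo, openssl honors it. Assumption: an unset http.sslbackend is treated
as schannel (the question's transcript shows schannel with no backend set).
"""


def parse_git_config(listing: str) -> dict:
    """Parse `git config --list` output into a dict.

    Git prints keys lowercased and prints repeated keys in scope order
    (system, global, local), so a later line wins, as it does in Git.
    """
    config = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        config[key.strip().lower()] = value.strip()
    return config


def diagnose(listing: str) -> dict:
    """Return backend, verification state, bundle path, whether the bundle is honored, and advice."""
    cfg = parse_git_config(listing)
    backend = cfg.get("http.sslbackend", "schannel")  # assumption: unset -> schannel (see module docstring)
    verify = cfg.get("http.sslverify", "true").lower() != "false"
    cainfo = cfg.get("http.sslcainfo")
    result = {"backend": backend, "verify": verify, "cainfo": cainfo,
              "cainfo_honored": False, "advice": []}
    if not verify:
        # The question's workaround; it disables certificate checking entirely.
        result["advice"].append("http.sslverify=false disables certificate checking; remove it")
    if backend == "schannel":
        result["advice"].append(
            "schannel ignores http.sslcainfo: run `git config --system http.sslbackend openssl`")
    else:
        result["cainfo_honored"] = cainfo is not None
        if cainfo is None:
            result["advice"].append("http.sslbackend is openssl but no http.sslcainfo bundle is set")
    return result


# Constructed samples: the listing from the question (backend unset) and the fixed one.
QUESTION_LISTING = """\
http.sslverify=true
http.sslcainfo=C:/tmp/ca-bundle.crt
"""
FIXED_LISTING = QUESTION_LISTING + "http.sslbackend=openssl\n"

if __name__ == "__main__":
    for name, listing in (("question", QUESTION_LISTING), ("fixed", FIXED_LISTING)):
        print(name, diagnose(listing))
```

Feed it the real listing with `git config --list | python diagnose.py`-style piping if you adapt the `__main__` block; the functions themselves only look at the text, so they work on a saved listing as well.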

I had something similar a year ago, so I hope I remember correctly:

You should have the whole certificate chain in the .crt file. Verify that you have all the intermediate certificates between your Bitbucket certificate and the root one (inclusive).

You can have a look at the correct format for appending them in PEM format (which I believe is your case with the .crt) over here.

My certificate was signed by Comodo when I had that issue; their certificate and the intermediate weren't in the default ca-bundle supplied by most systems.

Hope that helps!

Edit: Now I noticed it happens also with the fake one, so try checking the system's default known certificates (each system has such a store). On Windows you can go to the Windows Certificates MMC snap-in.

arieljannai
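To check the "whole chain in the .crt file" advice from this answer without relying on a particular OpenSSL build, here is an added example (not code from the thread) that parses just enough DER from each certificate in a PEM bundle to read its issuer and subject, then verifies that every non-self-signed certificate's issuer is present in the bundle and that at least one self-signed root is. Names are compared as raw DER bytes, which is stricter than OpenSSL's name comparison but fine for a bundle you assembled yourself. The sample bundle at the bottom is constructed from unsigned certificate skeletons with the real TBSCertificate layout; they are not real certificates, and the host and CA names in them are made up.

```python
"""Check that a PEM CA bundle holds a complete chain (added example, not from the thread).

Pure-Python DER walking: Certificate -> TBSCertificate -> issuer/subject Name.
Test data below is constructed (unsigned skeletons), not real certificates.
"""
import base64
import re

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(bundle: bytes) -> list:
    """Split a PEM bundle into DER-encoded certificates."""
    return [base64.b64decode(b"".join(body.split())) for body in _PEM_RE.findall(bundle)]


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, end)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> list:
    """Return (tag, raw_encoding) for each element of a SEQUENCE/SET body."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = _tlv(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out


def issuer_and_subject(der: bytes):
    """Return the raw DER Name encodings (issuer, subject) of one certificate."""
    _, cert_body, _ = _tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert_body, 0)                      # TBSCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def common_name(name_der: bytes) -> str:
    """Best-effort name for messages: first attribute value of the first RDN."""
    _, name_body, _ = _tlv(name_der, 0)
    _, rdn_body, _ = _tlv(name_body, 0)
    _, atv_body, _ = _tlv(rdn_body, 0)
    _, _, end = _tlv(atv_body, 0)                       # skip the attribute OID
    _, value, _ = _tlv(atv_body, end)
    return value.decode("utf-8", "replace")


def check_bundle(bundle: bytes) -> list:
    """Return a list of problems; an empty list means every issuer is present and a root exists."""
    certs = [issuer_and_subject(d) for d in pem_to_ders(bundle)]
    if not certs:
        return ["no certificates found in bundle"]
    subjects = {subj for _, subj in certs}
    problems = []
    if not any(iss == subj for iss, subj in certs):
        problems.append("no self-signed root certificate in bundle")
    for iss, subj in certs:
        if iss != subj and iss not in subjects:
            problems.append("missing issuer '%s' for '%s'" % (common_name(iss), common_name(subj)))
    return problems


# --- constructed test data: unsigned certificate skeletons with the real TBS layout ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue; 2.5.4.3 = commonName
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject: str, issuer: str) -> bytes:
    """Constructed, unsigned skeleton: correct field order, empty key and signature."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                                   # version v3
               + _der(0x02, b"\x01")                                             # serialNumber
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
               + _name(issuer)
               + _der(0x30, _der(0x17, b"170101000000Z") + _der(0x17, b"270101000000Z"))
               + _name(subject)
               + _der(0x30, b""))                                                # empty subjectPublicKeyInfo
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))               # no real signature
    b64 = base64.b64encode(cert)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


LEAF = fake_cert_pem("mygithost", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")
COMPLETE_BUNDLE = LEAF + INTERMEDIATE + ROOT
MISSING_INTERMEDIATE = LEAF + ROOT

if __name__ == "__main__":
    print("complete:", check_bundle(COMPLETE_BUNDLE) or "ok")
    print("missing :", check_bundle(MISSING_INTERMEDIATE) or "ok")
```

Run `check_bundle(open("ca-bundle.crt", "rb").read())` against a real file; a non-empty result names exactly which intermediate or root is absent, which is the gap this answer tells you to look for.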