HTTPS, Git, and Enterprise certificates

Article Date

2018 May 18

So I was setting up my GOGS internally so my sons could have a place to push code (and so I could host my many never-completed projects) and I ran across an issue with git not liking my certificate on the HTTPS server. It's not self-signed, but it is from my internal CA. This is Windows-land, so the certificate is already trusted by the OS (the root is published by AD CS), but apparently not by the default git install. The specific issue was this [with some redaction]:

Cloning into '{PROJECT}'...
fatal: unable to access 'https://{SERVER}/{USER}/{PROJECT}.git/': SSL certificate problem: unable to get local issuer certificate

So I of course did some intertube-searching and came across many an article about this same problem.

They all pretty much suggested the same thing (though the exact details change depending on the date of the article): point git at a custom CRT file containing your root cert…well guess what…IT DID NOT WORK!!!

So it was mildly frustrating that everyone keeps saying to do the same thing and that it will work. People were even commenting on how it worked for them…yet it doesn't for me…HENCE THIS BLOG POST!!!

After tooling around with ProcMon and watching the git executables NOT read the CRT over and over again (despite it being correctly set in .gitconfig), I was leaning towards a bug in git…but just because I can blame someone else for the problem doesn't help me solve the issue.

I next went and took a look at all the different settings that were currently set in the various git config files:

git config --list --show-origin

From this I ran across the setting http.sslbackend and began to wonder what other backends were available, since openssl wasn't doing the trick for me. That line of thinking led me to this post: git not working after setting http.sslBackend config…which had this command: git config --global http.sslBackend schannel

Oh boy…use the Windows-native schannel as the SSL backend…I'm sold…and guess what…IT WORKS!!!

So there you go: no mucking around with custom CRT files, just use what you've already got set up in the Windows cert stores! The reason it works is that the openssl backend in Git for Windows only consults the ca-bundle.crt shipped with git (or whatever http.sslCAInfo points at) and never looks at the Windows certificate store, so a cert chaining to an AD CS root is trusted by the OS but not by git; the schannel backend validates against the same stores the OS uses.
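The whole procedure above (find out where git's http.* settings come from, switch the backend to schannel, confirm the enterprise root is really in the Windows trust store, and exercise the HTTPS path) as one PowerShell script. This is an added example and not the original post's code; the server name, repository path and CA subject are placeholders for your own environment, and it assumes Git for Windows is on PATH and that the root CA has been pushed to the machine store by AD CS.

```powershell
# Added example (not from the original post): move Git for Windows from the
# openssl TLS backend (bundled ca-bundle.crt) to schannel (Windows cert stores)
# and verify the internal CA root is trusted before trying another clone.
# Assumed placeholders: adjust $Server, $RepoPath and $CASubjectCN to match your setup.

$Server      = 'gogs.example.internal'      # hypothetical GOGS host
$RepoPath    = 'someuser/someproject.git'   # hypothetical {USER}/{PROJECT}.git
$CASubjectCN = 'Example Internal Root CA'   # hypothetical AD CS root CA common name

# 1. Show every http.* setting and which config file it comes from.
#    A system-level http.sslBackend (written by the Git installer) is
#    overridden by the global one set below, because later files win.
git config --list --show-origin | Select-String -Pattern 'http\.'

# 2. Switch the TLS backend to schannel in the user's global config.
git config --global http.sslBackend schannel

# 3. Verify the effective value is what we just set.
$backend = git config --get http.sslBackend
if ($backend -ne 'schannel') {
    throw "http.sslBackend resolved to '$backend', expected 'schannel'"
}

# 4. schannel only helps if Windows itself trusts the issuer, so check the
#    machine Trusted Root store (this is where AD CS-published roots land).
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$CASubjectCN*" }
if (-not $root) {
    throw "No root with CN=$CASubjectCN in Cert:\LocalMachine\Root; fix trust first"
}
foreach ($r in $root) {
    "Trusted root: $($r.Subject) thumbprint=$($r.Thumbprint) expires=$($r.NotAfter)"
}

# 5. Exercise the HTTPS path against the repo without cloning it.
git ls-remote --heads "https://$Server/$RepoPath"
if ($LASTEXITCODE -ne 0) {
    throw "git still cannot reach https://$Server/$RepoPath (exit $LASTEXITCODE)"
}
"TLS to $Server works with the schannel backend."
```

Two caveats worth knowing once you are on schannel: by default the schannel backend ignores http.sslCAInfo entirely (Git for Windows has http.schannelUseSSLCAInfo if you really do need to keep a custom bundle alongside it), and schannel performs certificate revocation checking, which an internal CA whose CRL or OCSP endpoint is unreachable from the client will fail; Git for Windows exposes http.schannelCheckRevoke to adjust that, but fixing CRL reachability is the better answer than turning the check off.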

YMMV