github: server certificate verification failed
GitGithubDebianGit Problem Overview
I just created a github account and a repository therein, but when trying to create a local working copy using the recommende url via
git clone https://github.com/<user>/<project>.git
I get an error like
> fatal: unable to access 'https://github.com/<user>/<project>.git';: server certificate verification failed. CAfile: /home/<user>/.ssl/trusted.pem CRLfile: none
I'm on Debian Jessie, and I would have expected both Debian and GitHub to provide / rely on a selection of commonly accepted CAs, but apparently my system doesn't trust GibHub's certificate.
Any simple way to fix this (without the frequently recommended "GIT_SSL_NO_VERIFY=true" hack and similar work-arounds)?
EDIT:
Additional information:
-
The ca-certificate package is installed.
-
Installing cacert.org's certificates as suggested by @VonC didn't change anything.
-
My personal ~/.ssl/trusted.pem file does contain a couple of entries, but to be honest, I don't remember where the added certificates came from...
-
When removing ~/.ssl/trusted.pem, the git error message changes to
fatal: unable to access 'https://github.com/tcrass/scans2jpg.git/': Problem with the SSL CA cert (path? access rights?)
EDIT:
@VonC's advice regarding the git https.sslCAinfo option put me on the right track -- I just added the downloaded cacert.org CAs to my trusted.pem, and now git doesn't complain anymore.
Git Solutions
Solution 1 - Git
You can also disable SSL verification, (if the project does not require a high level of security other than login/password) by typing :
git config --global http.sslverify false
enjoy git :)
Solution 2 - Git
Make sure first that you have certificates installed on your Debian in /etc/ssl/certs
.
If not, reinstall them:
sudo apt-get install --reinstall ca-certificates
Since that package does not include root certificates, add:
sudo mkdir /usr/local/share/ca-certificates/cacert.org
sudo wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
sudo update-ca-certificates
Make sure your git does reference those CA:
git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
Jason C mentions another potential cause (in the comments):
> It was the clock. The NTP server was down, the system clock wasn't set properly, I didn't notice or think to check initially, and the incorrect time was causing verification to fail.
Solution 3 - Git
I also was having this error when trying to clone a repository from Github on a Windows Subsystem from Linux console:
> fatal: unable to access 'http://github.com/docker/getting-started.git/';: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
The solution from @VonC on this thread didn't work for me.
The solution from this Fabian Lee's article solved it for me:
openssl s_client -showcerts -servername github.com -connect github.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > github-com.pem
cat github-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt
Solution 4 - Git
It can be also self-signed certificate, etc. Turning off SSL verification globally is unsafe. You can install the certificate so it will be visible for the system, but the certificate should be perfectly correct.
Or you can clone with one time configuration parameter, so the command will be:
git clone -c http.sslverify=false https://myserver/<user>/<project>.git;
GIT will remember the false value, you can check it in the <project>/.git/config
file.
Solution 5 - Git
I had a similar problem and got the error message:
fatal: unable to access XXXX server certificate verification failed. CAfile: none CRLfile: none
It suddenly happened when I had tried to connect to my regular (WORKING!) gitlab server, SSL created with letsencrypt, from git under WSL2 ubuntu.
There were no problems accessing the server from the browser, the SSL chain seemed OK when checking with tools like https://www.sslshopper.com/ssl-checker.html
you need to update your CA certificates.
sudo apt update
sudo apt upgrade
sudo apt-get install --reinstall ca-certificates
sudo update-ca-certificates
# now it should work perfectly
git pull
it might happend because of this:
https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/
Solution 6 - Git
Another possible cause is that the clock of your machine is not synced (e.g. on Raspberry Pi). Check the current date/time using:
$ date
If the date and/or time is incorrect, try to update using:
$ sudo ntpdate -u time.nist.gov
Or, on a virtual machine (e.g. Ubuntu VirtualBox):
$ timedatectl set-ntp no
$ timedatectl set-time YYYY-MM-DD
$ timedatectl set-time HH:MM:SS
$ timedatectl set-ntp yes
Solution 7 - Git
To me a simple
sudo apt-get update
solved the issue. It was a clock issue and with this command it resets to the current date/time and everything worked
Solution 8 - Git
What worked for me when getting such an error (happened with gitlab for me):
fatal: unable to access 'https://github.com/<user>/<project>.git': server certificate verification failed. CAfile: /home/<user>/.ssl/trusted.pem CRLfile: none
was to get the .pem
file from the certificate page of the website (accessible when clicking on the lock icon left of the url) and directly copy it into the folder /etc/ssl/certs/
. From there, git was able again to interact with gitlab.
Solution 9 - Git
For me, simply removing sudo
solved.
I was trying to sudo git clone ...
, just doing a git clone
worked.
Solution 10 - Git
Try to connect to repositroy with url: http://github.com/<user>/<project>.git
(http except https)
In your case you should clone like this:
git clone http://github.com/<user>/<project>.git