9

I have a server setup that has an HTTPS certificate issued by a major certificate provider (DigiCert). The certificate is recognized by all of the browsers on a machine running Windows Server 2008 R2, including Internet Explorer, Chrome, and Firefox.

However, the certificate is not recognized within Cygwin. For example, I get this error when I try to clone a git URL from this server:

error: SSL certificate problem: unable to get local issuer certificate while accessing [URL]
fatal: HTTP request failed

Other tools within Cygwin I have tried give the same error, such as curl:

curl: (60) SSL certificate problem: unable to get local issuer certificate

DigiCert has the exact certificate I need. My ideal solutions would be to either update the bundle of certificates that Cygwin uses or to manually install the needed certificate. It seems like Cygwin has a separate certificate store from Windows. How can I do this?

Note: I do not want to simply ignore the error, as many users use this machine and will need to access the same server, so it would not make sense to ignore each time.

4
  • But does the server send the certificate chain? Many sites forget to enable that, because web browsers cache previously seen intermediate certs and paper over the problem. Commented Mar 16, 2016 at 14:28
  • The server is one I have configured running GitLab Community Edition, which uses nginx. I can try looking into that.
    – Jake
    Commented Mar 16, 2016 at 14:44
  • Please do. gnutls-cli <server> -p 443 or ssl-tools.net/webservers are good ways to check from the outside. If you have Cygwin's ca-certificates package installed, then I'm sure it uses the Mozilla bundle which certainly has DigiCert. Commented Mar 17, 2016 at 5:34
  • @grawity The answer was to install the entire certificate chain. Just noticed I never followed up. Feel free to make it an answer and I'll accept it.
    – Jake
    Commented Sep 30, 2016 at 19:19

1 Answer

10

Since your git-command is using Curl internally, try curl --verbose https://the-repo-URL to see what happens.

The expected result is the same error you reported: "SSL certificate problem: unable to get local issuer certificate". Also, in the verbose output there should be something like:

* successfully set certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

The error and the above output translate as: The X.509 certificate your repository is using is either self-signed and not trusted by Curl or is issued by a Certificate Authority not trusted by Curl. The places we looked for a trust-anchor included /etc/pki/tls/certs/ca-bundle.crt, but we failed to find anything applicable.

To fix this:

  1. (this is the tricky part) Get the self-signed certificate, or the issuing CA root certificate
  2. Store the X.509 certificate in PEM format in the directory /etc/pki/ca-trust/source/anchors
  3. Run the command update-ca-trust. Do this with Administrator permissions. Also note that this command doesn't output anything.
  4. Done! Test.

Update

The above stands valid, but there is an easier way to do exactly the above. Run this single command:

trust anchor --store [the certificate PEM-file]

Done! Test.
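
The situation the comments settled on (the client bundle holds the root, but the server does not send its intermediate) can be reproduced offline with the script below. It is an added example, not part of the original posts; the CA names, the host name git.example.test and the file names are constructed, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Constructed demo PKI (all names invented): root CA -> intermediate CA -> leaf.
# The client trusts only the root, like a CA bundle that ships roots only.

# issue NAME SUBJECT EXTFILE [SIGNER]: write NAME.key and NAME.pem in the cwd.
# Without SIGNER the certificate is self-signed; otherwise SIGNER.pem issues it.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -set_serial 1 \
            -days 2 -sha256 -extfile "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -days 2 -sha256 -extfile "$3" -out "$1.pem" 2>/dev/null
    fi
}

# build_demo_pki DIR: create root.pem, inter.pem and leaf.pem inside DIR.
build_demo_pki() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    issue root '/CN=Demo Root CA' ca.ext &&
    issue inter '/CN=Demo Intermediate CA' ca.ext root &&
    issue leaf '/CN=git.example.test' leaf.ext inter
)

# verify_leaf DIR [send-chain]: validate leaf.pem against a bundle holding only
# root.pem. With "send-chain" the intermediate is supplied as -untrusted, which
# is what a correctly configured server does during the TLS handshake.
verify_leaf() {
    if [ "${2:-}" = send-chain ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1
    else
        openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
    fi
}

demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir" || exit 1
echo "--- server sends leaf only ---"
verify_leaf "$demo_dir" || echo "(rejected: no path from the leaf to a trusted root)"
echo "--- server sends leaf + intermediate ---"
verify_leaf "$demo_dir" send-chain
rm -rf "$demo_dir"
```

The first check fails with the same "unable to get local issuer certificate" text that curl reports, even though the root is trusted; the second passes without touching the client's trust store.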
