The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Enabling GIT_CURL_VERBOSE to research “unable to get local issuer certificate”

Posted by jpluimers on 2015/05/28

A while ago, I was fighting a corporate web proxy playing Man-in-the-Middle on all https sessions.

Though playing MitM on your employees is a debatable thing to do (especially without informing the employees, and illegal in certain countries), I had to get a Git connection to the outside world working.

This helped me track it down: GIT_CURL_VERBOSE “unable to get local issuer certificate”.

What I finally did was this:

  1. obtained the CA certificate that issues the MitM certificate in base-64 CRT form (which is the same as the PEM form)
  2. added it at the top of either of these files:
    • "%ProgramFiles%\Git\bin\curl-ca-bundle.crt"
    • "%ProgramFiles(x86)%\Git\bin\curl-ca-bundle.crt"
  3. added it to the top of either of these files:
    • "%ProgramFiles%\Mercurial\cacert.pem"
    • "%ProgramFiles(x86)%\Mercurial\cacert.pem"

–jeroen

PS: These were the failures I was getting:

Git (using the CURL verbose setting)

C:\Temp>set GIT_CURL_VERBOSE=1
C:\Temp>git clone https://bitbucket.org/jeroenp/fastmm.git
Cloning into 'fastmm'...
* Couldn't find host bitbucket.org in the _netrc file; using defaults
* Adding handle: conn: 0x224d838
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x224d838) send_pipe: 1, recv_pipe: 0
* About to connect() to proxy localhost port 3128 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 3128 (#0)
* Establish HTTP proxy tunnel to bitbucket.org:443
> CONNECT bitbucket.org:443 HTTP/1.1
Host: bitbucket.org:443
User-Agent: git/1.9.4.msysgit.0
Proxy-Connection: Keep-Alive
Pragma: no-cache

< HTTP/1.0 200 Connection established
< Connection: close
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: C:\Program Files (x86)\Git/bin/curl-ca-bundle.crt
  CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
fatal: unable to access 'https://bitbucket.org/jeroenp/fastmm.git/': SSL certificate problem: unable to get local issuer certificate

Hg (using the --debug command option)

C:\Temp>hg --debug clone https://bitbucket.org/jeroenp/besharp.net
using https://bitbucket.org/jeroenp/besharp.net
proxying through http://localhost:3128
sending capabilities command
abort: error: _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
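
Steps 2 and 3 above, as an added example that is not code from the original post: a small Python helper that puts one PEM certificate at the top of a CA bundle, keeps a backup, and does nothing if that certificate is already in the file. The function names and the `.bak` suffix are assumptions of this example, and the certificates are constructed stand-ins (valid PEM armour around dummy bytes), so it runs on a temporary copy rather than on the installed bundle.

```python
import base64
import hashlib
import re
import shutil
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """Return the SHA-256 hex digest of the DER bytes of each PEM certificate."""
    digests = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        digests.append(hashlib.sha256(der).hexdigest())
    return digests


def prepend_ca(bundle_path, ca_pem):
    """Put one PEM certificate at the top of a bundle; True if the file changed."""
    new = fingerprints(ca_pem)
    if len(new) != 1:
        raise ValueError("expected exactly one PEM certificate")
    bundle = Path(bundle_path)
    original = bundle.read_bytes()  # bytes, so CRLF and comments survive untouched
    if new[0] in fingerprints(original.decode("latin-1")):
        return False  # already present: re-running must not stack duplicates
    shutil.copy2(bundle, bundle.with_name(bundle.name + ".bak"))
    bundle.write_bytes(ca_pem.strip().encode("ascii") + b"\n\n" + original)
    return True


def fake_pem(payload):
    """Constructed stand-in for a certificate: valid PEM armour, dummy bytes."""
    b64 = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "curl-ca-bundle.crt"  # a copy, not the installed file
        bundle.write_text("# constructed bundle\n" + fake_pem(b"public root"))
        proxy_ca = fake_pem(b"corporate proxy CA")
        print(fingerprints(proxy_ca)[0])     # compare with the value IT publishes
        print(prepend_ca(bundle, proxy_ca))  # True: certificate added
        print(prepend_ca(bundle, proxy_ca))  # False: nothing to do
```

Files under the Git and Mercurial install directories may be replaced when the tools are upgraded, so the step can need repeating; Git's `http.sslCAInfo` setting can point at a separately kept bundle instead.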
