Git: client error, server certificate verification failed

Especially with private git servers that use a self-signed certificate or a private CA, you may get the following error from the git client after a certificate has been updated:

fatal: unable to access 'https://git.mycompany.com/myuser/myrepo.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

This means that the git client cannot verify the certificate chain presented by the server up to a root it trusts. The proper way to resolve this issue is to make sure the certificate from the remote repository is valid, and then add it to the client system's trust configuration.

Do not take the shortcut of using environment variables or git config to suppress ssl verification.

Update list of public CA

The first thing I would recommend is to simply update the list of root CAs known to the system, as shown below.

# update CA certificates
sudo apt-get install apt-transport-https ca-certificates -y
sudo update-ca-certificates

This may help if you are dealing with a system that has not been updated for a long time, but of course won’t resolve an issue with private certs.

Fetch certificates, direct connection

The error from the git client will be resolved if you add the certs from the remote git server to the list of certificates the client trusts. This can be done by using openssl to pull the certificates from the remote host:

openssl s_client -showcerts -servername git.mycompany.com -connect git.mycompany.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'  > git-mycompany-com.pem

This will fetch the certificates presented by "https://git.mycompany.com" and copy them into a local file named "git-mycompany-com.pem".


Fetch certificates, web proxy

If this host only has access to the git server via a web proxy like Squid, openssl can only be told to connect through the proxy (via its -proxy option) if you are using OpenSSL 1.1.0 or higher. If you are using an older version of OpenSSL, you will need to work around this limitation by using something like socat to listen locally on port 4443 and relay the traffic through Squid to the final destination.

# install socat
sudo apt-get install socat -y

# listen locally on 4443, send traffic through squid "squidhost"
socat TCP4-LISTEN:4443,reuseaddr,fork PROXY:squidhost:git.mycompany.com:443,proxyport=3128

Then in another console, tell OpenSSL to pull the certificate from localhost at port 4443. The -servername option is still needed so the git server selects the right certificate.

openssl s_client -showcerts -servername git.mycompany.com -connect 127.0.0.1:4443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem

Add certificate to local certificate list

Whether by proxy or direct connection, you now have the remote certificates in a file named "git-mycompany-com.pem". This file will contain the server certificate, its intermediate chain and, if the server sends it, the root CA certificate. Inspect the file before trusting it: confirm the subjects, issuers and fingerprints match what the certificate owner expects, because whatever was presented on that connection (including anything an on-path attacker could have substituted) is exactly what you are about to trust.

The next step is to have this considered by the git client when connecting to the git server. This can be done either by adding the certificates to the file mentioned in the original error, in which case the change is made globally for all users, OR by adding it to this single user's git configuration.
Adding globally:

cat git-mycompany-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt

Note that on Debian and Ubuntu this bundle is regenerated by update-ca-certificates (the command recommended earlier), which discards anything appended by hand. The durable way is to copy the file to /usr/local/share/ca-certificates/ with a .crt extension and run sudo update-ca-certificates.

Adding for a single user:

git config --global http."https://git.mycompany.com/".sslCAInfo ~/git-mycompany-com.pem
This adds the following lines to ~/.gitconfig (the ~ is expanded to the full path when the command runs), so only connections to that host use the private CA file:

[http "https://git.mycompany.com/"]
        sslCAInfo = /home/user/git-mycompany-com.pem

Avoid workarounds

Avoid workarounds that skip SSL certificate validation. Only use them to quickly confirm that certificates are the root issue, then use the sections above to resolve the issue properly.
git config --global http.sslverify false

export GIT_SSL_NO_VERIFY=true

NOTES

Quick test of git connectivity using a Squid proxy:
git config --global http.proxy http://mysquid:3128
GIT_SSL_NO_VERIFY=true git clone https://git/user/repo.git