RichardHowells RichardHowells - 10 days ago 6
Git Question

Unable to resolve "unable to get local issuer certificate" using git on Windows with self-signed certificate

I am using git on Windows. I installed the msysgit package. My test repository has a self-signed certificate at the server. I can access and use the repository using http without problems. Moving to https gives the error "SSL Certificate problem: unable to get local issuer certificate".

I have the self-signed certificate installed in the Trusted Root Certification Authorities of my Windows 7 client machine. I can browse to the https repository url in Internet Explorer with no error messages.

This blog http://blogs.msdn.com/b/phkelley/archive/2014/01/20/adding-a-corporate-or-self-signed-certificate-authority-to-git-exe-s-store.aspx explained that curl does not use the client machine's certificate store. I followed the blog post's advice to create a private copy of curl-ca-bundle.crt and configure git to use it. I am sure git is using my copy. If I rename the copy, git complains the file is missing.

I pasted in my certificate, as mentioned in the blog post, but I still get the message "unable to get local issuer certificate".

I verified that git was still working by cloning a GitHub Repository via https.

The only thing I see that's different to the blog post is that my certificate IS the root - there is no chain to reach it. My certificate originally came from clicking the IIS8 IIS Manager link 'Create Self Signed Certificate'. Maybe that makes a certificate different in some way to what curl expects.

How can I get git/curl to accept the self signed certificate?

Answer

The answer to the question "Using makecert for Development SSL" fixed this for me.

I do not know why, but the certificate created by the simple 'Create Self Signed Certificate' link in IIS Manager does not do the trick. I followed the approach in the linked question of creating and installing a self-signed CA Root, then using that to issue a Server Authentication Certificate for my server. I installed both of them in IIS.

That gets my situation the same as the blog post referenced in the original question. Once the root certificate was copy/pasted into curl-ca-bundle.crt, the git/curl combo was satisfied.
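
The copy/paste step from the answer, scripted as an added example that is not part of the original posts: it appends an exported root certificate to a private copy of curl-ca-bundle.crt while guarding against common paste mistakes (a binary DER export, a missing line break before the new block, a duplicate entry). The function names and file names are hypothetical; http.sslCAInfo is git's setting for the CA file.

```shell
#!/usr/bin/env bash
# Added example; run in Git Bash. All file names below are placeholders.

# count_certs FILE: print the number of PEM certificate blocks in FILE.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# add_root_to_bundle BASE_BUNDLE ROOT_PEM OUT_BUNDLE
# Copies BASE_BUNDLE to OUT_BUNDLE (if OUT_BUNDLE does not exist yet) and
# appends ROOT_PEM. Returns 2 if ROOT_PEM is not exactly one PEM certificate.
add_root_to_bundle() {
    arb_base=$1; arb_root=$2; arb_out=$3
    # A binary (DER) export has no PEM armour and cannot be pasted into a
    # bundle; the Windows export wizard calls the PEM form "Base-64 encoded X.509".
    if [ ! -r "$arb_root" ] ||
       [ "$(count_certs "$arb_root")" -ne 1 ] ||
       ! grep -q -- '-----END CERTIFICATE-----' "$arb_root"; then
        echo "error: $arb_root is not a single PEM certificate" >&2
        return 2
    fi
    # First Base-64 line of the certificate body, used as a duplicate check.
    arb_line=$(tr -d '\r' < "$arb_root" | grep -v -- '-----' | head -n 1)
    [ -n "$arb_line" ] || return 2
    # Work on a private copy so the stock bundle stays untouched.
    [ -f "$arb_out" ] || cp "$arb_base" "$arb_out"
    if grep -qF -- "$arb_line" "$arb_out"; then
        return 0    # already present, do not append twice
    fi
    # Start on a fresh line so the new BEGIN marker cannot fuse with the
    # previous END marker, and drop the CRs of a Windows export.
    { printf '\n'; tr -d '\r' < "$arb_root"; } >> "$arb_out"
}

# use_bundle_for_git BUNDLE: point git (and the curl it embeds) at the copy.
use_bundle_for_git() {
    git config --global http.sslCAInfo "$1"
}

# Typical use (paths are placeholders):
#   add_root_to_bundle curl-ca-bundle.crt my-root-ca.pem ~/private-ca-bundle.crt
#   use_bundle_for_git ~/private-ca-bundle.crt
```

The certificate to append is the CA root from the answer, not the server certificate it issued.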