“Server certificate verification failed” error with command line Git client

Some guy described the same situation about 10 years ago on stackoverflow.com and there was another discussion about 7 years ago.

First I did:

GIT_CURL_VERBOSE=1 git clone https://git.developernote.com/examples.git
Cloning into 'examples'...
* Couldn't find host git.developernote.com in the .netrc file; using defaults
*   Trying 139.162.243.103...
* TCP_NODELAY set
* Connected to git.developernote.com (139.162.243.103) port 443 (#0)
* found 129 certificates in /etc/ssl/certs/ca-certificates.crt
* found 387 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* stopped the pause stream!
* Closing connection 0
fatal: unable to access 'https://git.developernote.com/examples.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Then I found this wonderful comment:

and did:

sudo apt update
sudo apt-get install apt-transport-https ca-certificates -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
apt-transport-https is already the newest version (1.2.35).
ca-certificates is already the newest version (20210119~16.04.1).
0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
done

The certificates version on my Ubuntu 16.04 LTS, which is no longer supported, is 20210119~16.04.1. On Ubuntu 18.04 LTS the certificates version is 20210119~18.04.1, but after the update it becomes 20210119~18.04.2:

sudo apt update
sudo apt-get install apt-transport-https ca-certificates -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
apt-transport-https is already the newest version (1.6.14).
The following packages were automatically installed and are no longer required:
  libarchive13 libjsoncpp1 librhash0
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
  ca-certificates
1 upgraded, 0 newly installed, 0 to remove and 70 not upgraded.
Need to get 145 kB of archives.
After this operation, 2048 B disk space will be freed.
Get:1 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 ca-certificates all 20210119~18.04.2 [145 kB]
Fetched 145 kB in 0s (329 kB/s)
Preconfiguring packages ...
(Reading database ... 37899 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20210119~18.04.2_all.deb ...
Unpacking ca-certificates (20210119~18.04.2) over (20210119~18.04.1) ...
Setting up ca-certificates (20210119~18.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for ca-certificates (20210119~18.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Also I tried this, but with no success:

$ sudo apt-get install --reinstall ca-certificates
[sudo] password for dmitriano:
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 7 not upgraded.
Need to get 148 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://mirrors.linode.com/ubuntu xenial-updates/main amd64 ca-certificates all 20210119~16.04.1 [148 kB]
Fetched 148 kB in 0s (9,623 kB/s)
Preconfiguring packages ...
(Reading database ... 44486 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20210119~16.04.1_all.deb ...
Unpacking ca-certificates (20210119~16.04.1) over (20210119~16.04.1) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up ca-certificates (20210119~16.04.1) ...
Processing triggers for ca-certificates (20210119~16.04.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
done.
dmitriano@localhost:~$ ll /usr/local/share/ca-certificates
total 8.0K
drwxr-xr-x 2 root root 4.0K Apr  1  2020 ./
drwxr-xr-x 8 root root 4.0K Apr  1  2020 ../
dmitriano@localhost:~$ sudo mkdir /usr/local/share/ca-certificates/cacert.org
dmitriano@localhost:~$ sudo wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
--2021-12-01 07:42:04--  http://www.cacert.org/certs/root.crt
Resolving www.cacert.org (www.cacert.org)... 2001:7b8:3:9c::245, 213.154.225.245
Connecting to www.cacert.org (www.cacert.org)|2001:7b8:3:9c::245|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2569 (2.5K) [application/x-x509-ca-cert]
Saving to: ‘/usr/local/share/ca-certificates/cacert.org/root.crt’

root.crt                                    100%[=========================================================================================>]   2.51K  --.-KB/s    in 0s

2021-12-01 07:42:04 (244 MB/s) - ‘/usr/local/share/ca-certificates/cacert.org/root.crt’ saved [2569/2569]

--2021-12-01 07:42:04--  http://www.cacert.org/certs/class3.crt
Reusing existing connection to [www.cacert.org]:80.
HTTP request sent, awaiting response... 200 OK
Length: 2610 (2.5K) [application/x-x509-ca-cert]
Saving to: ‘/usr/local/share/ca-certificates/cacert.org/class3.crt’

class3.crt                                  100%[=========================================================================================>]   2.55K  --.-KB/s    in 0s

2021-12-01 07:42:05 (418 MB/s) - ‘/usr/local/share/ca-certificates/cacert.org/class3.crt’ saved [2610/2610]

FINISHED --2021-12-01 07:42:05--
Total wall clock time: 0.7s
Downloaded: 2 files, 5.1K in 0s (309 MB/s)
dmitriano@localhost:~$ ll /usr/local/share/ca-certificates
total 12K
drwxr-xr-x 3 root root 4.0K Dec  1 07:41 ./
drwxr-xr-x 8 root root 4.0K Apr  1  2020 ../
drwxr-xr-x 2 root root 4.0K Dec  1 07:42 cacert.org/
dmitriano@localhost:~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
2 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:class3.pem
Adding debian:root.pem
done.
done.

Found this on some other page:

Attached to the token:

sudo ua enable esm-infra
sudo apt update
sudo apt dist-upgrade
Processing triggers for libc-bin (2.23-0ubuntu11.3) ...
Processing triggers for ca-certificates (20210119~16.04.1ubuntu0.1~esm1) ...
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.

And finally it started to work:

GIT_CURL_VERBOSE=1 git clone https://git.developernote.com/examples.git
Cloning into 'examples'...
* Couldn't find host git.developernote.com in the .netrc file; using defaults
*   Trying 139.162.243.103...
* TCP_NODELAY set
* Connected to git.developernote.com (139.162.243.103) port 443 (#0)
* found 128 certificates in /etc/ssl/certs/ca-certificates.crt
* found 384 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: developernote.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=developernote.com
*        start date: Fri, 12 Nov 2021 15:29:03 GMT
*        expire date: Thu, 10 Feb 2022 15:29:02 GMT
*        issuer: C=US,O=Let's Encrypt,CN=R3
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET /examples.git/info/refs?service=git-upload-pack HTTP/1.1
Host: git.developernote.com
User-Agent: git/2.17.1
Accept: */*
Accept-Encoding: gzip
Accept-Language: C, *;q=0.9
Pragma: no-cache

< HTTP/1.1 401 Unauthorized
< Server: nginx/1.10.3 (Ubuntu)
< Date: Wed, 01 Dec 2021 08:22:27 GMT
< Content-Type: text/html
< Content-Length: 204
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Git requires authorization"
<
* Connection #0 to host git.developernote.com left intact
Username for 'https://git.developernote.com': dmitriano
Password for 'https://dmitriano@git.developernote.com':
* Couldn't find host git.developernote.com in the .netrc file; using defaults
* Connection 0 seems to be dead!
* Closing connection 0
*   Trying 139.162.243.103...
* TCP_NODELAY set
* Connected to git.developernote.com (139.162.243.103) port 443 (#1)
* found 128 certificates in /etc/ssl/certs/ca-certificates.crt
* found 384 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL re-using session ID
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: developernote.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=developernote.com
*        start date: Fri, 12 Nov 2021 15:29:03 GMT
*        expire date: Thu, 10 Feb 2022 15:29:02 GMT
*        issuer: C=US,O=Let's Encrypt,CN=R3
*        compression: NULL
* ALPN, server accepted to use http/1.1
* Server auth using Basic with user 'dmitriano'
> GET /examples.git/info/refs?service=git-upload-pack HTTP/1.1
Host: git.developernote.com
Authorization: Basic ******************
User-Agent: git/2.17.1
Accept: */*
Accept-Encoding: gzip
Accept-Language: C, *;q=0.9
Pragma: no-cache

< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Wed, 01 Dec 2021 08:24:15 GMT
< Content-Type: application/x-git-upload-pack-advertisement
< Transfer-Encoding: chunked
< Connection: keep-alive
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
<
* Connection #1 to host git.developernote.com left intact
* Couldn't find host git.developernote.com in the .netrc file; using defaults
* Found bundle for host git.developernote.com: 0x7fffee650890 [can pipeline]
* Re-using existing connection! (#1) with host git.developernote.com
* Connected to git.developernote.com (139.162.243.103) port 443 (#1)
* Server auth using Basic with user 'dmitriano'
> POST /examples.git/git-upload-pack HTTP/1.1
Host: git.developernote.com
Authorization: Basic *****************
User-Agent: git/2.17.1
Accept-Encoding: gzip
Content-Type: application/x-git-upload-pack-request
Accept: application/x-git-upload-pack-result
Content-Encoding: gzip
Content-Length: 1047

* upload completely sent off: 1047 out of 1047 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Wed, 01 Dec 2021 08:24:18 GMT
< Content-Type: application/x-git-upload-pack-result
< Transfer-Encoding: chunked
< Connection: keep-alive
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
<
remote: Counting objects: 19068, done.
remote: Compressing objects: 100% (6510/6510), done.
* remote: Total 19068 (delta 13107), reused 15223 (delta 10304)
Connection #1 to host git.developernote.com left intact
Receiving objects: 100% (19068/19068), 35.98 MiB | 5.17 MiB/s, done.
Resolving deltas: 100% (13107/13107), done.

and I did:

git config --list | grep -i veri
git config http.sslVerify true

But the local certificate that GitBash uses on my Windows 10 machine also expired:

GIT_CURL_VERBOSE=1 git push origin master
* Couldn't find host git.developernote.com in the _netrc file; using defaults
*   Trying 139.162.243.103...
* TCP_NODELAY set
* Connected to git.developernote.com (139.162.243.103) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
  CApath: none
* SSL certificate problem: certificate has expired
* stopped the pause stream!
* Closing connection 0
fatal: unable to access 'https://git.developernote.com/examples.git/': SSL certificate problem: certificate has expired

Copied C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw32\ssl\certs, ran GitBash as Administrator and set the certificate path:

git config --system http.sslCAPath /e/temp/cert/ca-bundle.crt

But it did not help:

GIT_CURL_VERBOSE=1 git push origin master
* Couldn't find host git.developernote.com in the _netrc file; using defaults
*   Trying 139.162.243.103...
* TCP_NODELAY set
* Connected to git.developernote.com (139.162.243.103) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
  CApath: E:/temp/cert/ca-bundle.crt
* SSL certificate problem: certificate has expired
* stopped the pause stream!
* Closing connection 0
fatal: unable to access 'https://git.developernote.com/examples.git/': SSL certificate problem: certificate has expired

Also tried to copy the certificates from Ubuntu 18.04 /etc/ssl/certs/ca-certificates.crt, but with the same result.

So I unset the option:

git config --system --unset http.sslCAPath
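
In the second Windows log above, curl still reports the default CAfile and shows the copied bundle only under CApath: Git's http.sslCAPath expects a directory of certificate files, while http.sslCAInfo takes a single bundle file. The script below is an added example, not part of the original post. It reads a GIT_CURL_VERBOSE log and reports which trust locations were actually used. The function names are hypothetical and the sample lines are copied from the log above.

```shell
#!/bin/sh
# Added example: summarise the trust settings in a GIT_CURL_VERBOSE log (stdin).
diagnose_git_tls() {
  awk '
    { sub(/\r$/, "") }   # tolerate CRLF logs captured on Windows
    # Both TLS backends print "CAfile: <path>"; GnuTLS appends " CRLfile: ...".
    /CAfile: / { s = $0; sub(/.*CAfile: /, "", s); sub(/ CRLfile: .*/, "", s); cafile = s }
    /CApath: / { s = $0; sub(/.*CApath: /, "", s); capath = s }
    /SSL certificate problem: / { s = $0; sub(/.*SSL certificate problem: /, "", s); err = s }
    /server certificate verification failed/ { err = "verification failed" }
    /server certificate verification OK/ { ok = 1 }
    END {
      print "cafile=" cafile
      print "capath=" capath
      print "result=" (err != "" ? "FAIL: " err : (ok ? "OK" : "unknown"))
      # A CApath ending in .crt/.pem is a bundle file, which CApath cannot load.
      if (capath ~ /\.(crt|pem)$/) {
        print "hint=CApath names a file; set http.sslCAInfo for a bundle"
      }
    }'
}

# Pick the Git setting that matches what the path really is on disk.
ca_config_key() {
  if [ -d "$1" ]; then
    echo http.sslCAPath      # directory of individual certificate files
  elif [ -f "$1" ]; then
    echo http.sslCAInfo      # single concatenated PEM bundle
  else
    echo missing
    return 1
  fi
}

# Sample input: lines copied from the failing "git push" log in this post.
sample_log() {
  cat <<'EOF'
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
  CApath: E:/temp/cert/ca-bundle.crt
* SSL certificate problem: certificate has expired
EOF
}

sample_log | diagnose_git_tls
```
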
