git unable to find certificate in keychain after updating to macOS Sierra

Question

After upgrading to macOS 10.12 Sierra I'm unable to sync with my encrypted SSL git server. The certificate still works fine while accessing the server through Safari.

I get this message when trying to push to the server:

fatal: unable to access 'https://....': SSL: Can't find the certificate "...." and its private key in the Keychain.

The certificate is there in the keychain, and the name is correct (it worked before the update), but somehow I can't access it.

My ~/.gitconfig file still consists of this:

[http "https://...."]
    sslCert = ....
[credential]
    helper = osxkeychain

Have anyone else bumped into this problem so far?

Answer 1

It looks like the git-credential-osxkeychain helper application is broken on macOS sierra and will not retrieve any more a user certificate that is returned with security find-identities

The only workaround I found is to

• export the certificate and key from keychain to my_certificate.p12

• edit .git/config for the affected account to use

   [http] sslCert = /Users/foo/certificates/my_certificate.p12 sslcertpasswordprotected = true 

Note: You'll need a password on the P12 and have to enter the password for the p12 every time you do a git command.

PS: RADAR://28461462

Answer 2

If you want to use a crt and keyfile

[http]
    sslVerify = false
    sslCert = my.crt
    sslKey = my.key

you need to install curl and git with openssl support

brew install openssl
brew install curl --with-openssl
brew install git --with-brewed-openssl --with-brewed-curl

That's worked for me as expected

Answer 3

简单的ssh-add帮助了我;）

ssh-add ~/.ssh/id_rsa

Answer 4

First you have to uninstall

brew uninstall openssl
brew uninstall curl
brew uninstall git 

after installing as @trollr mentioned

brew install openssl
brew install curl --with-openssl
brew install git --with-brewed-openssl --with-brewed-curl

, you also have to ensure that the right git version (there are MAAAAAANY available, see

find / -name git

)

Homebrew tells you where it puts the new brewed git version, for example

/usr/local/Cellar/git/2.10.2/bin/git

check your version with which git

or just call the absolute path to ensure using the right version, like

/usr/local/Cellar/git/2.10.2/bin/git clone .......

Answer 5

This is what worked for me

git -c http.sslCert=/Users/user/Documents/gittest/cert.p12 -c http.sslcertpasswordprotected=true clone https://gitlab.domain.com/user/repository.git

you can add more verbose debuggin by adding

GIT_CURL_VERBOSE=1 GIT_TRACE=2 GIT_TRACE_PACKET=2 

in front of the command.

The certificates are in the keychain and are marked trusted. Also the CA certificate is present.

Answer 6

The same issue with "Can't find the certificate.." error message has been solved for me after changing the certificate name to a string containing no other characters than Latin letters. Ie renaming "my_cert.p12" to "mysert.p12" has really helped to get rid of this error.