Git clone from gitlab fails on linux, while working in Windows git bash

Question

I'm new to Linux, just installed Lubuntu and faced the problem - when i'm trying to clone my remote work repo from my company's git:

$ sudo git clone https://path/to/repo.git

I keep on receiving error:

Cloning into 'repo'...
fatal: unable to access 'https://path/to/repo.git/': server certificate verification failed. CAfile: none CRLfile: none

I know it's mentioning certificates, but i do not have any. And before, i worked on windows and was able to simply git clone this repo without any certs.

Answer 1

This error means that the git client cannot verify the integrity of the certificate chain or root. The proper way to resolve this issue is to make sure the certificate from the remote repository is valid, and then added to the client system.

Update list of public CA

The first thing I would recommend is to simply update the list of root CA known to the system as show below.

# update CA certificates
sudo apt-get install apt-transport-https ca-certificates -y
sudo update-ca-certificates

This may help if you are dealing with a system that has not been updated for a long time, but of course won't resolve an issue with private certs.

Fetch certificates, direct connection

The error from the git client will be resolved if you add the certs from the remote git server to the list of locally checked certificates. This can be done by using openssl to pull the certificates from the remote host:

openssl s_client -showcerts -servername git.mycompany.com -connect git.mycompany.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'  > git-mycompany-com.pem

This will fetch the certificate used by “https://git.mycompany.com”, and copy the contents into a local file named “git-mycompany-com.pem”.

Fetch certificates, web proxy

If this host only has access to the git server via a web proxy like Squid, openssl will only be able to leverage a squid proxy if you are using a version of OpenSSL 1.1.0 and higher. But if you are using an older version of OpenSSL, then you will need to workaround this limitation by using something like socat to bind locally to port 4443, and proxy the traffic through squid and to the final destination.

# install socat
sudo apt-get install socat -y

# listen locally on 4443, send traffic through squid "squidhost"
socat TCP4-LISTEN:4443,reuseaddr,fork PROXY:squidhost:git.mycompany.com:443,proxyport=3128

Then in another console, tell OpenSSL to pull the certificate from the localhost at port 4443.

openssl s_client -showcerts -servername git.mycompany.com -connect 127.0.0.1:4443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem

Add certificate to local certificate list

Whether by proxy or direct connection, you now have a list of the remote certificates in a file named “git-mycompany-com.pem”. This file will contain the certificate, its intermediate chain, and root CA certificate. The next step is to have this considered by the git client when connecting to the git server. This can be done by either adding the certificates to the file mentioned in the original error, in which case the change is made globally for all users OR it can be added to this single users' git configuration.

** Adding globally **

cat git-mycompany-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt

** Adding for single user **

git config --global http."https://git.mycompany.com/".sslCAInfo ~/git-mycompany-com.pem

Which silently adds the following lines to ~/.gitconfig

[http "https://git.mycompany.com/"]
        sslCAInfo = /home/user/git-mycompany-com.pem

Avoid workarounds

Avoid workarounds that skip SSL certification validation. Only use them to quickly test that certificates are the root issue, then use the sections above to resolve the issue.

git config --global http.sslverify false

export GIT_SSL_NO_VERIFY=true

Answer 2

I know there is an answer already. Just for those who use a private network, like Zscaler or so, this error can occur if your rootcert needs to be updated. Here a solution on how this update can be achieve if using WSL on a Windows machine:

#!/usr/bin/bash

# I exported the Zscaler certifcate out of Microsoft Cert Manager.  It was located under 'Trusted Root Certification > Certificates' as zscaler_cert.cer.
# Though the extension is '.cer' it really is a DER formatted file.
# I then copied that file into Ubuntu running in WSL.

# Convert DER encoded file to CRT.
openssl x509 -inform DER -in zscaler_cert.cer -out zscaler_cert.crt

# Move the CRT file to /usr/local/share/ca-certificates
sudo mv zscaler_cert.crt /usr/local/share/ca-certificates

# Inform Ubuntu of new cert.
sudo update-ca-certificates