Banging my head against Git, Visual Studio 15 and SSL

Recently the hard drive in my trusty old laptop failed. Annoying, but ultimately it was just an excuse to go shopping, ignore most of my backup of the old machine and re-install all my programs from scratch. As part of that I decided that I’d try experimenting with the latest pre-release version of Visual Studio 15, to see if it was stable enough for me to use for my personal projects and blog coding now.

So having worked out how you re-install a “free upgrade from Win7” copy of Windows 10 and gone through Visual Studio’s new installer, I tried to clone some code from my private git server. Having been greeted with some cryptic errors, I’ve spent some time working out how to resolve the issue. So as ever, I’m writing it all down in case it’s of help to others…

The unexpected error

The clone failed, with this classy bit of UI:

Git Failed

No problem, I thought, just look at the output window and… Oh…

Output Window

Another spectacularly unhelpful error message. Thanks Microsoft.

Trying to clone a repository from GitHub worked fine, so it was clearly not a problem with connectivity or basic Git functionality. So having looked in the Event Logs (finding nothing) and tried to see if there was some sort of private log file being stored by Visual Studio without success, I wondered if I might get some help from the stand-alone Windows Git UI. It was a bit more helpful:

Git UI Failed

The full error on the screen there was:

fatal: unable to access 'https://SomeDomain/SomeRepo.git/': SSL certificate problem: unable to get local issuer certificate

Finally, a clue!

My private Git server is a copy of Bonobo running on a small machine that sits with my broadband kit. That box hosts a series of publicly accessible domains and they all have SSL certificates generated by a certification authority which runs on that server. (I set this up before Let’s Encrypt existed, and I’ve not managed to work out how to migrate yet – a job for another day.) Since I’ve never paid for a certificate, none of these are trusted by Windows by default…

I had already imported the root certificate from my server into the “Trusted Certificates” store on my rebuilt laptop, and I knew this was working OK because I browsed to my Bonobo site and Chrome said it trusted the certificate being used for HTTPS:

Certificate OK

Cue some head-scratching, since with my previous laptop install (and my work laptop – all using Visual Studio 2015) trusting that certificate was all I had needed to do to work with my Bonobo server in Visual Studio.

An explanation

So off to Google I went. Turns out the error message is something that’s been debated a bit on Stack Overflow. The common refrain of “just tell Git to skip validating SSL certificates” didn’t seem like a good idea to me – but there are some answers pointing out that Git doesn’t use the normal Windows trust chain. That seemed to explain why the standard Git tools were unhappy – and perhaps suggests that VS15 has changed how it handles the HTTPS requests for Git operations.

So the answer seemed to be that I needed to manually add my root certificate’s public key to Git’s “trusted certificates” file.

Sounds easy, huh?

Alas, looking through the \Program Files\Git\ folder, I came across a collection of folders containing a ca-bundle.crt file that was referred to in the various posts about fixing this issue. So which one should I edit?

I tossed a coin, and initially I tried the one under \Program Files\Git\usr\ssl\certs. That had no effect when I tried the Git for Windows app again. Though it did remind me that being an app that originates on Unix, Git would rather you didn’t edit its config files with Notepad as that tends to break the Unix-style line endings in the files… 😉

Having reverted the config that I’d changed, I had an idea: Git’s command line tools can show you config settings, and the Stack Overflow post above suggested that the config setting for “where is my trusted certificates file” was named “http.sslcainfo“. So opening a command prompt and running “git config --list” told me that the setting was:

http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt

So, firing up TextPad, I opened the base64 .cer file for my root certificate, and pasted it into the end of this file.

Success! Git for Windows was now able to clone a repository from Bonobo without error.

But still fail! Visual Studio still gave its cryptic error…

Turns out it’s not quite that easy…

After another half-hour of messing about in Google it dawned on me that Git can have multiple configuration files. Perhaps Visual Studio was looking at something different to the Git command line tools?

Google pointed me at the .gitconfig file that lives at the root of your user directory. When I looked at that it contained not much at all – just a reference to the recently cloned repository I had tested with above. So I added the setting necessary to tell Git to find its trusted certificates in the same place that the command line tools had reported:

[http]
	sslcainfo = C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt

And remarkably that fixed Visual Studio…
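
The same fix as a script for Git Bash, added here as an example and not part of the original post: it shows which config file supplies http.sslcainfo, builds a copy of the bundle with the root certificate appended using LF line endings, and points the user-level .gitconfig at that copy. The function names and the paths in the usage lines are assumptions, and writing to a copy rather than the shipped ca-bundle.crt is a choice made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# paths in the usage lines at the bottom are assumptions.

# Print each http.sslcainfo value together with the config file it comes
# from, so a system-level setting can be told apart from ~/.gitconfig.
show_ca_setting() {
    git config --show-origin --get-all http.sslcainfo
}

# add_root_to_bundle BUNDLE ROOT OUT
# Write OUT = BUNDLE followed by ROOT, both with LF line endings.
# Returns 2 if ROOT is not base64 (PEM) text, e.g. a binary DER export.
add_root_to_bundle() {
    bundle=$1 root=$2 out=$3
    grep -q -- '-----BEGIN CERTIFICATE-----' "$root" &&
        grep -q -- '-----END CERTIFICATE-----' "$root" ||
        { echo "not a base64 certificate: $root" >&2; return 2; }

    # Drop the CRs that Windows editors add.
    bundle_lf=$(tr -d '\r' < "$bundle")
    root_lf=$(tr -d '\r' < "$root")

    # First base64 line of the root: used to detect an earlier append.
    first=$(printf '%s\n' "$root_lf" | sed -n '/BEGIN CERTIFICATE/{n;p;q;}')
    if [ -n "$first" ] && printf '%s\n' "$bundle_lf" | grep -qxF -- "$first"; then
        printf '%s\n' "$bundle_lf" > "$out"      # already trusted
    else
        printf '%s\n%s\n' "$bundle_lf" "$root_lf" > "$out"
    fi
}

# Point the user-level config (~/.gitconfig) at the combined bundle.
trust_bundle() {
    git config --global http.sslCAInfo "$1"
}

# Usage from Git Bash (paths are assumptions):
#   show_ca_setting
#   add_root_to_bundle "$(git config --get http.sslcainfo)" ~/my-root.cer ~/git-ca-bundle.crt
#   trust_bundle "$HOME/git-ca-bundle.crt"
```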

Whether this whole issue will make it into the release version of Visual Studio or not, I don’t know. But at least I’ve worked out how I can make my private git server work for now.


11 thoughts on “Banging my head against Git, Visual Studio 15 and SSL”

  1. Pingback: Putting your Windows user data on a different drive | Jeremy Davis
  2. Thanks, this really helped me out.

    The location for the certificate bundle in VS 2017 RC is “C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\Extensions\fjxnup5d.ikp\Git\mingw32\ssl\certs”

    • A “.cer” file is a file containing the public key for the certificate you need git to trust. You can browse to the site in question and save it from your browser. How you do that varies between different browsers, but in Chrome you can open Developer Tools, select “Security” from the Dev Tools tabs and click “View Certificate” to get the details of the current site’s certificate. The “Details” tab of that dialog has a “copy to file” button which will save a .cer file. When prompted, you need to choose to save it as base-64 encoded text.
