git-for-windows / git

A fork of Git containing Windows-specific patches.
http://gitforwindows.org/

Cannot Clone a Repo #1574

Closed calioto closed 5 years ago

calioto commented 6 years ago

Setup

$ git --version --build-options

git version 2.14.1.windows.1
built from commit: 82d9b3f3b2407b52251620597d4b14933685459d
sizeof-long: 4
machine: x86_64
$ cmd.exe /c ver

Microsoft Windows [Version 6.1.7601]
# One of the following:
> type "C:\Program Files\Git\etc\install-options.txt"
> type "C:\Program Files (x86)\Git\etc\install-options.txt"
> type "%USERPROFILE%\AppData\Local\Programs\Git\etc\install-options.txt"
$ cat /etc/install-options.txt

Path Option: Cmd
SSH Option: OpenSSH
CURL Option: OpenSSL
CRLF Option: CRLFAlways
Bash Terminal Option: MinTTY
Performance Tweaks FSCache: Enabled
Use Credential Manager: Enabled
Enable Symlinks: Disabled

I am behind a proxy. Here's the output of my git config -l --show-origin command:

file:"C:\ProgramData/Git/config" core.symlinks=false
file:"C:\ProgramData/Git/config" core.autocrlf=true
file:"C:\ProgramData/Git/config" core.fscache=true
file:"C:\ProgramData/Git/config" color.diff=auto
file:"C:\ProgramData/Git/config" color.status=auto
file:"C:\ProgramData/Git/config" color.branch=auto
file:"C:\ProgramData/Git/config" color.interactive=true
file:"C:\ProgramData/Git/config" help.format=html
file:"C:\ProgramData/Git/config" rebase.autosquash=true
file:"C:\Program Files\Git\mingw64/etc/gitconfig" http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
file:"C:\Program Files\Git\mingw64/etc/gitconfig" http.sslbackend=openssl
file:"C:\Program Files\Git\mingw64/etc/gitconfig" diff.astextplain.textconv=astextplain
file:"C:\Program Files\Git\mingw64/etc/gitconfig" filter.lfs.clean=git-lfs clean -- %f
file:"C:\Program Files\Git\mingw64/etc/gitconfig" filter.lfs.smudge=git-lfs smudge -- %f
file:"C:\Program Files\Git\mingw64/etc/gitconfig" filter.lfs.required=true
file:"C:\Program Files\Git\mingw64/etc/gitconfig" filter.lfs.process=git-lfs filter-process
file:"C:\Program Files\Git\mingw64/etc/gitconfig" credential.helper=manager
file:H://.gitconfig https.proxy=http://webproxy.bankofamerica.com:8080
file:H://.gitconfig http.proxy=http://webproxy.bankofamerica.com:8080

Details

Git Bash and Cmd

git clone https://github.com/planetoftheweb/learnangular5.git learnangular5

The repo being cloned.

Cloning into 'learnangular5'...
fatal: unable to access 'https://github.com/planetoftheweb/learnangular5.git/': SSL certificate problem: unable to get local issuer certificate

https://github.com/planetoftheweb/learnangular5.git

dscho commented 6 years ago

Could you try again after setting the environment variables GIT_TRACE=1 and GIT_TRACE_CURL=1?

calioto commented 6 years ago

Here's the output from that:

13:51:31.554961 git.c:328 trace: built-in: git 'clone' 'https://github.com/planetoftheweb/learnangular5.git' 'learnangular5'
Cloning into 'learnangular5'...
13:51:31.926961 run-command.c:626 trace: run_command: 'remote-https' 'origin' 'https://github.com/planetoftheweb/learnangular5.git'
13:51:32.072961 git.c:560 trace: exec: 'git-remote-https' 'origin' 'https://github.com/planetoftheweb/learnangular5.git'
13:51:32.090961 run-command.c:626 trace: run_command: 'git-remote-https' 'origin' 'https://github.com/planetoftheweb/learnangular5.git'
13:51:32.346961 http.c:662 == Info: Couldn't find host github.com in the _netrc file; using defaults
13:51:32.347961 http.c:662 == Info: timeout on name lookup is not supported
13:51:32.360961 http.c:662 == Info: Trying 171.148.165.61...
13:51:32.360961 http.c:662 == Info: TCP_NODELAY set
13:51:32.388961 http.c:662 == Info: Connected to webproxy.bankofamerica.com (171.148.165.61) port 8080 (#0)
13:51:32.388961 http.c:662 == Info: allocate connect buffer!
13:51:32.388961 http.c:662 == Info: Establish HTTP proxy tunnel to github.com:443
13:51:32.388961 http.c:609 => Send header, 0000000121 bytes (0x00000079)
13:51:32.388961 http.c:621 => Send header: CONNECT github.com:443 HTTP/1.1
13:51:32.388961 http.c:621 => Send header: Host: github.com:443
13:51:32.388961 http.c:621 => Send header: User-Agent: git/2.14.1.windows.1
13:51:32.388961 http.c:621 => Send header: Proxy-Connection: Keep-Alive
13:51:32.388961 http.c:621 => Send header:
13:51:32.415961 http.c:609 <= Recv header, 0000000037 bytes (0x00000025)
13:51:32.415961 http.c:621 <= Recv header: HTTP/1.1 200 Connection established
13:51:32.415961 http.c:609 <= Recv header, 0000000002 bytes (0x00000002)
13:51:32.416961 http.c:621 <= Recv header:
13:51:32.416961 http.c:662 == Info: Proxy replied OK to CONNECT request
13:51:32.416961 http.c:662 == Info: CONNECT phase completed!
13:51:32.681961 http.c:662 == Info: ALPN, offering http/1.1
13:51:32.681961 http.c:662 == Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
13:51:32.691961 http.c:662 == Info: successfully set certificate verify locations:
13:51:32.691961 http.c:662 == Info: CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt CApath: none
13:51:32.691961 http.c:662 == Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
13:51:32.691961 http.c:635 => Send SSL data, 0000000005 bytes (0x00000005)
13:51:32.691961 http.c:650 => Send SSL data: .....
13:51:32.691961 http.c:662 == Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
13:51:32.691961 http.c:635 => Send SSL data, 0000000512 bytes (0x00000200)
13:51:32.691961 http.c:650 => Send SSL data: ......e.....].C}k....'.... .N.....C......0.,.(.$...........
13:51:32.691961 http.c:650 => Send SSL data: ..k.j.i.h.9.8.7.6.........2....&.......=.5.../.+.'.#.......
13:51:32.692961 http.c:650 => Send SSL data: ......g.@.?.>.3.2.1.0.........E.D.C.B.1.-.).%.......<./...A.
13:51:32.692961 http.c:650 => Send SSL data: ........................3.........github.com................
13:51:32.692961 http.c:650 => Send SSL data: ........................... ................................
13:51:32.692961 http.c:650 => Send SSL data: .....3t.........http/1.1....................................
13:51:32.692961 http.c:650 => Send SSL data: ............................................................
13:51:32.692961 http.c:650 => Send SSL data: ............................................................
13:51:32.692961 http.c:650 => Send SSL data: ................................
13:51:32.692961 http.c:662 == Info: CONNECT phase completed!
13:51:32.692961 http.c:662 == Info: CONNECT phase completed!
13:51:32.720961 http.c:635 <= Recv SSL data, 0000000005 bytes (0x00000005)
13:51:32.721961 http.c:650 <= Recv SSL data: ....b
13:51:32.721961 http.c:662 == Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
13:51:32.721961 http.c:635 <= Recv SSL data, 0000000098 bytes (0x00000062)
13:51:32.721961 http.c:650 <= Recv SSL data: ...^..Z..0]....y>....Aj....E.Z......x lj........j..d.y(s.8
13:51:32.721961 http.c:650 <= Recv SSL data: .@ip|GC...Z.0.........................
13:51:32.721961 http.c:635 <= Recv SSL data, 0000000005 bytes (0x00000005)
13:51:32.721961 http.c:650 <= Recv SSL data: .....
13:51:32.722961 http.c:662 == Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
13:51:32.722961 http.c:635 <= Recv SSL data, 0000001267 bytes (0x000004f3)
13:51:32.722961 http.c:650 <= Recv SSL data: ..........0...0..................@....R.'0....H........0..1
13:51:32.722961 http.c:650 <= Recv SSL data: "0 ..U....amrs-G2.bankofamerica.com1.0...U....US1.0...U....N
13:51:32.722961 http.c:650 <= Recv SSL data: C1.0...U....Charlotte1.0...U....Bank of America1$0"..U....We
13:51:32.722961 http.c:650 <= Recv SSL data: b Malware Inspection AMRS0...160310000000Z..180517120000Z0..
13:51:32.722961 http.c:650 <= Recv SSL data: 1.0...U....Private Organization1.0...+.....7<.....US1.0...+.
13:51:32.722961 http.c:650 <= Recv SSL data: ....7<.....Delaware1.0...U....51575501$0"..U....88 Colin P K
13:51:32.722961 http.c:650 <= Recv SSL data: elly, Jr Street1.0...U....941071.0...U....US1.0...U....Calif
13:51:32.722961 http.c:650 <= Recv SSL data: ornia1.0...U....San Francisco1.0...U....GitHub, Inc.1.0...U.
13:51:32.722961 http.c:650 <= Recv SSL data: ...github.com0.."0....H.............0.........vH|.⌂........
13:51:32.723961 http.c:650 <= Recv SSL data: ......Vb.....e...q..;5..%N....MZ.$\F]...cp.} .H-.|.mP.[cY..
13:51:32.723961 http.c:650 <= Recv SSL data: .,...E..X.J(g...I,.A.....R+..8lV6.q6.OY........Y&F"Y-.s..x}
13:51:32.723961 http.c:650 <= Recv SSL data: -..B....bk.X....e.(92+R.Ru...........G\S...h.j7V.}T.⌂....{.
13:51:32.728961 http.c:650 <= Recv SSL data: ....b...4.g6.......@.YRc..D1...P.R1..1....nJ?y..u.G.q..3]."o
13:51:32.728961 http.c:650 <= Recv SSL data: ..........0..0f..`.H...B...Y.W/C=US/O=DigiCert Inc/OU=www.di
13:51:32.729961 http.c:650 <= Recv SSL data: gicert.com/CN=DigiCert SHA2 Extended Validation Server CA0..
13:51:32.729961 http.c:650 <= Recv SSL data: .U....0.0...U......E.}....83....UBvU .0...U........0%..U...
13:51:32.729961 http.c:650 <= Recv SSL data: .0...github.com..www.github.com0....H...............J.$dJ..
13:51:32.729961 http.c:650 <= Recv SSL data: .-m.(Y....@ ...dL....bG.1.......Nt... .2......pCe...eS....x
13:51:32.729961 http.c:650 <= Recv SSL data: .Y...Sldv.;n..........{.4...<...D.....Fb..t.)j.{17)...@.?<..
13:51:32.729961 http.c:650 <= Recv SSL data: F..m .......E....j......T.[..MX..Vn....s...*.....M..Q.W.H...
13:51:32.729961 http.c:650 <= Recv SSL data: @YKa.6..J~..?w.g......:..e..7x....>........;..D....;q%...r..
13:51:32.729961 http.c:650 <= Recv SSL data: C....[.
13:51:32.729961 http.c:635 => Send SSL data, 0000000005 bytes (0x00000005)
13:51:32.729961 http.c:650 => Send SSL data: .....
13:51:32.730961 http.c:662 == Info: TLSv1.2 (OUT), TLS alert, Server hello (2):
13:51:32.730961 http.c:635 => Send SSL data, 0000000002 bytes (0x00000002)
13:51:32.730961 http.c:650 => Send SSL data: .0
13:51:32.730961 http.c:662 == Info: SSL certificate problem: unable to get local issuer certificate
13:51:32.730961 http.c:662 == Info: stopped the pause stream!
13:51:32.730961 http.c:662 == Info: Closing connection 0
13:51:32.730961 http.c:635 => Send SSL data, 0000000005 bytes (0x00000005)
13:51:32.730961 http.c:650 => Send SSL data: .....
13:51:32.730961 http.c:662 == Info: TLSv1.2 (OUT), TLS alert, Client hello (1):
13:51:32.730961 http.c:635 => Send SSL data, 0000000002 bytes (0x00000002)
13:51:32.730961 http.c:650 => Send SSL data: ..
fatal: unable to access 'https://github.com/planetoftheweb/learnangular5.git/': SSL certificate problem: unable to get local issuer certificate

calioto commented 6 years ago

@dscho Any update on this?

dscho commented 6 years ago

@calioto not really. I do not understand enough about the details of OpenSSL to make sense of this log.

But I do have a suspicion that this tells us what might be wrong:

13:51:32.722961 http.c:650 <= Recv SSL data: C1.0...U....Charlotte1.0...U....Bank of America1$0"..U....We
13:51:32.722961 http.c:650 <= Recv SSL data: b Malware Inspection AMRS0...160310000000Z..180517120000Z0..

As I cannot find any public information on the web, I can only offer the conjecture that this proxy rewrites SSL certificates, and expects the host machine to have a special extra "root certificate" installed so that those rewritten SSL certificates are accepted.

You could possibly validate this suspicion by running

git -c http.sslbackend=schannel clone https://github.com/planetoftheweb/learnangular5.git learnangular5

If this works, then that would confirm my suspicion (and also that your system administrator(s) installed said root certificate).

If this conjecture is correct, the easiest way forward would be to choose Secure Channel as HTTPS transport in the Git for Windows installer.

If you would prefer OpenSSL for some reason, you would have to extract said root certificate somehow, get it into a plain text form, and then append it to your Git's C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt. One way would be to go to "Manage computer certificates", try to figure out which one is the root certificate, and then export it (and possibly convert it into a suitable format using the openssl.exe of Git for Windows). Another, possibly easier way, would be to direct your web browser to https://github.com and then inspect the certificate chain, again extracting the root certificate from there.

Please do let us know of any developments on your side.
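
An added example, not part of the original thread or of Git for Windows, of the OpenSSL route described in the comment above, run from Git Bash. It is a variation on that advice: instead of appending to the shipped ca-bundle.crt it writes a separate combined bundle for http.sslCAInfo to point at, so the shipped file stays unmodified. The function name, argument order and messages are assumptions.

```bash
#!/usr/bin/env bash
# Added example (assumptions: function name, argument order, output messages).
# Usage: add_proxy_root <exported-root> <shipped-ca-bundle.crt> <combined-bundle.crt>
add_proxy_root() {
    local exported=$1 shipped=$2 combined=$3 pem subject issuer
    if [ "$shipped" = "$combined" ]; then
        echo "error: write the combined bundle to a new file" >&2; return 1
    fi
    pem=$(mktemp) || return 1

    # Windows exports either DER (.cer) or Base-64/PEM. Try the default
    # input format first, then force DER; the output is always PEM.
    if ! openssl x509 -in "$exported" -out "$pem" 2>/dev/null &&
       ! openssl x509 -inform DER -in "$exported" -out "$pem" 2>/dev/null; then
        echo "error: $exported is not an X.509 certificate" >&2
        rm -f "$pem"; return 1
    fi

    # A root is self-issued (subject == issuer). This rejects the rewritten
    # github.com leaf or an intermediate picked from the chain by mistake.
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253)
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo "error: not a root certificate: $subject / $issuer" >&2
        rm -f "$pem"; return 2
    fi

    # An expired root would only trade one verification error for another.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "error: certificate has expired" >&2
        rm -f "$pem"; return 3
    fi

    # Fingerprint to compare with the value published by whoever runs the proxy.
    openssl x509 -in "$pem" -noout -subject -fingerprint -sha256 >&2

    # Shipped bundle first, then the extra root; the shipped file is not touched.
    { cat "$shipped"; echo; cat "$pem"; } > "$combined"
    rm -f "$pem"
    echo "git config --global http.sslCAInfo \"$combined\""
}
```

On success the function prints the git config command that makes the OpenSSL backend use the combined bundle; the fingerprint goes to stderr so it can be checked before that command is run.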

calioto commented 6 years ago

@dscho I ran the above you mentioned

git -c http.sslbackend=schannel clone https://github.com/planetoftheweb/learnangular5.git learnangular5

and got back the following

Cloning into 'learnangular5'...
fatal: unable to access 'https://github.com/planetoftheweb/learnangular5.git/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Do you have any other suggestions?

dscho commented 6 years ago

> fatal: unable to access 'https://github.com/planetoftheweb/learnangular5.git/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Of course! The Secure Channel code in cURL still has problems with accessing revocation information (I think because it tries to use the proxy when it should not...)

> Do you have any other suggestions?

Yes, of course! I mentioned them in the latter part of https://github.com/git-for-windows/git/issues/1574#issuecomment-377528758: try to extract the root certificate in a form that looks like the existing entries in C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt, and add it to that file.

dscho commented 6 years ago

> Do you have any other suggestions?
>
> Yes, of course! I mentioned them in the latter part of #1574 (comment): try to extract the root certificate in a form that looks like the existing entries in C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt, and add it to that file.

Did that help?

gerardbosch commented 6 years ago

Thanks, that worked for me :) --In my case I think corporate proxy is rewriting certificates as you suggest.

> If you would prefer OpenSSL for some reason, you would have to extract said root certificate somehow, get it into a plain text form, and then append it to your Git's C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt. One way would be to go to "Manage computer certificates", try to figure out which one is the root certificate, and then export it

dscho commented 5 years ago

Well, I'll just assume that my suggestion helped. As for the revoke check, we now have http.schannel.CheckRevoke that can be set to false to work around that issue.