Closed calioto closed 5 years ago
Could you try again after setting the environment variables GIT_TRACE=1 and GIT_TRACE_CURL=1?
Here's the output from that:
13:51:31.554961 git.c:328 trace: built-in: git 'clone' 'https://github.com/planetoftheweb/learnangular5.git' 'learnangular5'
Cloning into 'learnangular5'...
13:51:31.926961 run-command.c:626 trace: run_command: 'remote-https' 'origin' 'https://github.com/planetoftheweb/learnangular5.git'
13:51:32.072961 git.c:560 trace: exec: 'git-remote-https' 'origin' 'https://github.com/planetoftheweb/learnangular5.git'
13:51:32.090961 run-command.c:626 trace: run_command: 'git-remote-https' 'origin' 'https://github.com/planetoftheweb/learnangular5.git'
13:51:32.346961 http.c:662 == Info: Couldn't find host github.com in the _netrc file; using defaults
13:51:32.347961 http.c:662 == Info: timeout on name lookup is not supported
13:51:32.360961 http.c:662 == Info: Trying 171.148.165.61...
13:51:32.360961 http.c:662 == Info: TCP_NODELAY set
13:51:32.388961 http.c:662 == Info: Connected to webproxy.bankofamerica.com (171.148.165.61) port 8080 (#0)
13:51:32.388961 http.c:662 == Info: allocate connect buffer!
13:51:32.388961 http.c:662 == Info: Establish HTTP proxy tunnel to github.com:443
13:51:32.388961 http.c:609 => Send header, 0000000121 bytes (0x00000079)
13:51:32.388961 http.c:621 => Send header: CONNECT github.com:443 HTTP/1.1
13:51:32.388961 http.c:621 => Send header: Host: github.com:443
13:51:32.388961 http.c:621 => Send header: User-Agent: git/2.14.1.windows.1
13:51:32.388961 http.c:621 => Send header: Proxy-Connection: Keep-Alive
13:51:32.388961 http.c:621 => Send header:
13:51:32.415961 http.c:609 <= Recv header, 0000000037 bytes (0x00000025)
13:51:32.415961 http.c:621 <= Recv header: HTTP/1.1 200 Connection established
13:51:32.415961 http.c:609 <= Recv header, 0000000002 bytes (0x00000002)
13:51:32.416961 http.c:621 <= Recv header:
13:51:32.416961 http.c:662 == Info: Proxy replied OK to CONNECT request
13:51:32.416961 http.c:662 == Info: CONNECT phase completed!
13:51:32.681961 http.c:662 == Info: ALPN, offering http/1.1
13:51:32.681961 http.c:662 == Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
13:51:32.691961 http.c:662 == Info: successfully set certificate verify locations:
13:51:32.691961 http.c:662 == Info: CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
CApath: none
13:51:32.691961 http.c:662 == Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
13:51:32.691961 http.c:635 => Send SSL data, 0000000005 bytes (0x00000005)
13:51:32.691961 http.c:650 => Send SSL data: .....
13:51:32.691961 http.c:662 == Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
13:51:32.691961 http.c:635 => Send SSL data, 0000000512 bytes (0x00000200)
13:51:32.691961 http.c:650 => Send SSL data: ......e.....].C}k....'.... .N.....C......0.,.(.$...........
13:51:32.691961 http.c:650 => Send SSL data: ..k.j.i.h.9.8.7.6.........2....&.......=.5.../.+.'.#.......
13:51:32.692961 http.c:650 => Send SSL data: ......g.@.?.>.3.2.1.0.........E.D.C.B.1.-.).%.......<./...A.
13:51:32.692961 http.c:650 => Send SSL data: ........................3.........github.com................
13:51:32.692961 http.c:650 => Send SSL data: ........................... ................................
13:51:32.692961 http.c:650 => Send SSL data: .....3t.........http/1.1....................................
13:51:32.692961 http.c:650 => Send SSL data: ............................................................
13:51:32.692961 http.c:650 => Send SSL data: ............................................................
13:51:32.692961 http.c:650 => Send SSL data: ................................
13:51:32.692961 http.c:662 == Info: CONNECT phase completed!
13:51:32.692961 http.c:662 == Info: CONNECT phase completed!
13:51:32.720961 http.c:635 <= Recv SSL data, 0000000005 bytes (0x00000005)
13:51:32.721961 http.c:650 <= Recv SSL data: ....b
13:51:32.721961 http.c:662 == Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
13:51:32.721961 http.c:635 <= Recv SSL data, 0000000098 bytes (0x00000062)
13:51:32.721961 http.c:650 <= Recv SSL data: ...^..Z..0]....y>....Aj....E.Z......x lj........j..d.y(s.8
13:51:32.721961 http.c:650 <= Recv SSL data: .@ip|GC...Z.0.........................
13:51:32.721961 http.c:635 <= Recv SSL data, 0000000005 bytes (0x00000005)
13:51:32.721961 http.c:650 <= Recv SSL data: .....
13:51:32.722961 http.c:662 == Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
13:51:32.722961 http.c:635 <= Recv SSL data, 0000001267 bytes (0x000004f3)
13:51:32.722961 http.c:650 <= Recv SSL data: ..........0...0..................@....R.'0....H........0..1
13:51:32.722961 http.c:650 <= Recv SSL data: "0 ..U....amrs-G2.bankofamerica.com1.0...U....US1.0...U....N
13:51:32.722961 http.c:650 <= Recv SSL data: C1.0...U....Charlotte1.0...U....Bank of America1$0"..U....We
13:51:32.722961 http.c:650 <= Recv SSL data: b Malware Inspection AMRS0...160310000000Z..180517120000Z0..
13:51:32.722961 http.c:650 <= Recv SSL data: 1.0...U....Private Organization1.0...+.....7<.....US1.0...+.
13:51:32.722961 http.c:650 <= Recv SSL data: ....7<.....Delaware1.0...U....51575501$0"..U....88 Colin P K
13:51:32.722961 http.c:650 <= Recv SSL data: elly, Jr Street1.0...U....941071.0...U....US1.0...U....Calif
13:51:32.722961 http.c:650 <= Recv SSL data: ornia1.0...U....San Francisco1.0...U....GitHub, Inc.1.0...U.
13:51:32.722961 http.c:650 <= Recv SSL data: ...github.com0.."0....H.............0.........vH|.⌂........
13:51:32.723961 http.c:650 <= Recv SSL data: ......Vb.....e...q..;5..%N....MZ.$\F]...cp.} .H-.|.mP.[cY..
13:51:32.723961 http.c:650 <= Recv SSL data: .,...E..X.J(g...I,.A.....R+..8lV6.q6.OY........Y&F"Y-.s..x}
13:51:32.723961 http.c:650 <= Recv SSL data: -..B....bk.X....e.(92+R.Ru...........G\S...h.j
7V.}T.⌂....{.
13:51:32.728961 http.c:650 <= Recv SSL data: ....b...4.g6.......@.YRc..D1...P.R1..1....nJ?y..u.G.q..3]."o
13:51:32.728961 http.c:650 <= Recv SSL data: ..........0..0f..`.H...B...Y.W/C=US/O=DigiCert Inc/OU=www.di
13:51:32.729961 http.c:650 <= Recv SSL data: gicert.com/CN=DigiCert SHA2 Extended Validation Server CA0..
13:51:32.729961 http.c:650 <= Recv SSL data: .U....0.0...U......E.}....83....UBvU .0...U........0%..U...
13:51:32.729961 http.c:650 <= Recv SSL data: .0...github.com..www.github.com0....H...............J.$dJ..
13:51:32.729961 http.c:650 <= Recv SSL data: .-m.(Y....@ ...dL....bG.1.......Nt... .2......pCe...eS....x
13:51:32.729961 http.c:650 <= Recv SSL data: .Y...Sldv.;n..........{.4...<...D.....Fb..t.)j.{17)...@.?<..
13:51:32.729961 http.c:650 <= Recv SSL data: F..m .......E....j......T.[..MX..Vn....s...*.....M..Q.W.H...
13:51:32.729961 http.c:650 <= Recv SSL data: @YKa.6..J~..?w.g......:..e..7x....>........;..D....;q%...r..
13:51:32.729961 http.c:650 <= Recv SSL data: C....[.
13:51:32.729961 http.c:635 => Send SSL data, 0000000005 bytes (0x00000005)
13:51:32.729961 http.c:650 => Send SSL data: .....
13:51:32.730961 http.c:662 == Info: TLSv1.2 (OUT), TLS alert, Server hello (2):
13:51:32.730961 http.c:635 => Send SSL data, 0000000002 bytes (0x00000002)
13:51:32.730961 http.c:650 => Send SSL data: .0
13:51:32.730961 http.c:662 == Info: SSL certificate problem: unable to get local issuer certificate
13:51:32.730961 http.c:662 == Info: stopped the pause stream!
13:51:32.730961 http.c:662 == Info: Closing connection 0
13:51:32.730961 http.c:635 => Send SSL data, 0000000005 bytes (0x00000005)
13:51:32.730961 http.c:650 => Send SSL data: .....
13:51:32.730961 http.c:662 == Info: TLSv1.2 (OUT), TLS alert, Client hello (1):
13:51:32.730961 http.c:635 => Send SSL data, 0000000002 bytes (0x00000002)
13:51:32.730961 http.c:650 => Send SSL data: ..
fatal: unable to access 'https://github.com/planetoftheweb/learnangular5.git/': SSL certificate problem: unable to get local issuer certificate
@dscho Any update on this?
@calioto not really. I do not understand enough about the details of OpenSSL to make sense of this log.
But I do have a suspicion that this tells us what might be wrong:
13:51:32.722961 http.c:650 <= Recv SSL data: C1.0...U....Charlotte1.0...U....Bank of America1$0"..U....We
13:51:32.722961 http.c:650 <= Recv SSL data: b Malware Inspection AMRS0...160310000000Z..180517120000Z0..
As I cannot find any public information on the web, I can only offer the conjecture that this proxy rewrites SSL certificates, and expects the host machine to have a special extra "root certificate" installed so that those rewritten SSL certificates are accepted.
You could possibly validate this suspicion by running
git -c http.sslbackend=schannel clone https://github.com/planetoftheweb/learnangular5.git learnangular5
If this works, then that would confirm my suspicion (and also that your system administrator(s) installed said root certificate).
If this conjecture is correct, the easiest way forward would be to choose Secure Channel as HTTPS transport in the Git for Windows installer.
If you would prefer OpenSSL for some reason, you would have to extract said root certificate somehow, get it into a plain text form, and then append it to your Git's C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt. One way would be to go to "Manage computer certificates", try to figure out which one is the root certificate, and then export it (and possibly convert it into a suitable format using the openssl.exe of Git for Windows). Another, possibly easier way, would be to direct your web browser to https://github.com and then inspect the certificate chain, again extracting the root certificate from there.
Please do let us know of any developments on your side.
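A way to check this conjecture mechanically, as an added example that is not part of the original thread or of Git for Windows: the Python below reads a GIT_TRACE_CURL trace, rejoins the wrapped payload of the Certificate message, and reports whether the chain served for the tunnel target also names the proxy's own domain. The sample trace, its host names and the two-label domain heuristic are constructed assumptions.

```python
import re

# Constructed sample in the GIT_TRACE_CURL layout shown above; hosts and names are placeholders.
SAMPLE_TRACE = """\
13:51:32.388961 http.c:662 == Info: Connected to webproxy.corp.example (192.0.2.10) port 8080 (#0)
13:51:32.388961 http.c:662 == Info: Establish HTTP proxy tunnel to github.com:443
13:51:32.722961 http.c:662 == Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
13:51:32.722961 http.c:635 <= Recv SSL data, 0000001267 bytes (0x000004f3)
13:51:32.722961 http.c:650 <= Recv SSL data: "0 ..U....inspect-G2.corp.example1.0...U....Example Corp1$0"..U....We
13:51:32.722961 http.c:650 <= Recv SSL data: b Malware Inspection0...U....GitHub, Inc.1.0...U....github.com0.
13:51:32.730961 http.c:662 == Info: SSL certificate problem: unable to get local issuer certificate
"""

# Only "Info" lines and received payload lines matter; byte-count lines use ", " and are skipped.
LINE = re.compile(r"^\S+ http\.c:\d+ \S+ (Info|Recv SSL data): (.*)$")

def analyze_trace(text):
    """Collect proxy, tunnel target, verify error and the text of the Certificate message."""
    r = {"proxy": None, "target": None, "error": None, "cert_text": ""}
    in_cert = False
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "Recv SSL data":
            if in_cert:
                r["cert_text"] += body  # payload is wrapped across trace lines, so rejoin it
            continue
        in_cert = "TLS handshake, Certificate (11)" in body
        if (hit := re.search(r"Connected to (\S+) \(", body)):
            r["proxy"] = hit.group(1)
        elif (hit := re.search(r"Establish HTTP proxy tunnel to ([^:\s]+):\d+", body)):
            r["target"] = hit.group(1)
        elif body.startswith("SSL certificate problem: "):
            r["error"] = body.split(": ", 1)[1]
    return r

def interception_suspected(r):
    """True when the chain served for the target also names the proxy operator's domain."""
    if not (r["proxy"] and r["target"] and r["error"]):
        return False
    org = ".".join(r["proxy"].split(".")[-2:])  # naive registrable domain (assumption)
    return ("local issuer" in r["error"] and r["target"] in r["cert_text"]
            and org in r["cert_text"] and not r["target"].endswith(org))

if __name__ == "__main__":
    result = analyze_trace(SAMPLE_TRACE)
    print(result["proxy"], result["error"], interception_suspected(result))
```

Rejoining the payload lines matters because the trace splits strings such as "Web Malware Inspection" across two lines, so a line-by-line search would miss them.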
@dscho I ran the above you mentioned
git -c http.sslbackend=schannel clone https://github.com/planetoftheweb/learnangular5.git learnangular5
and got back the following
Cloning into 'learnangular5'...
fatal: unable to access 'https://github.com/planetoftheweb/learnangular5.git/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
Do you have any other suggestions?
fatal: unable to access 'https://github.com/planetoftheweb/learnangular5.git/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
Of course! The Secure Channel code in cURL still has problems with accessing revocation information (I think because it tries to use the proxy when it should not...)
Do you have any other suggestions?
Yes, of course! I mentioned them in the latter part of https://github.com/git-for-windows/git/issues/1574#issuecomment-377528758: try to extract the root certificate in a form that looks like the existing entries in C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt, and add it to that file.
Do you have any other suggestions?
Yes, of course! I mentioned them in the latter part of #1574 (comment): try to extract the root certificate in a form that looks like the existing entries in C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt, and add it to that file.
Did that help?
Thanks, that worked for me :) --In my case I think corporate proxy is rewriting certificates as you suggest.
If you would prefer OpenSSL for some reason, you would have to extract said root certificate somehow, get it into a plain text form, and then append it to your Git's C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt. One way would be to go to "Manage computer certificates", try to figure out which one is the root certificate, and then export it
Well, I'll just assume that my suggestion helped. As for the revoke check, we now have http.schannel.CheckRevoke that can be set to false to work around that issue.
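The CA-bundle fix suggested in this thread, as an added Python example (not code from Git for Windows): it appends the exported proxy root to a copy of the bundle only after its SHA-256 fingerprint matches a value confirmed out of band, and skips a root that is already present. The function names, the separate output file and the stand-in bytes in the demo are assumptions of this example.

```python
import base64
import hashlib
import re
import ssl
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_blocks_to_der(text):
    """Decode every PEM certificate block in text to DER bytes."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(text)]

def load_root(cert_bytes):
    """Accept the exported root as DER (.cer) or PEM and return DER bytes."""
    if b"-----BEGIN CERTIFICATE-----" in cert_bytes:
        return pem_blocks_to_der(cert_bytes.decode("ascii", "ignore"))[0]
    return cert_bytes

def extend_bundle(bundle_path, cert_bytes, expected_sha256, out_path):
    """Write bundle plus root to out_path; return True if the root was appended."""
    der = load_root(cert_bytes)
    got = hashlib.sha256(der).hexdigest()
    # expected_sha256 is the fingerprint obtained out of band from the proxy's operators.
    if got != expected_sha256.replace(":", "").lower():
        raise ValueError(f"refusing to trust root, fingerprint is {got}")
    bundle = Path(bundle_path).read_text(encoding="utf-8")
    present = {hashlib.sha256(d).hexdigest() for d in pem_blocks_to_der(bundle)}
    if got in present:
        Path(out_path).write_text(bundle, encoding="utf-8")
        return False  # already trusted, keep the bundle free of duplicates
    if not bundle.endswith("\n"):
        bundle += "\n"
    Path(out_path).write_text(bundle + ssl.DER_cert_to_PEM_cert(der), encoding="utf-8")
    return True

if __name__ == "__main__":
    import tempfile
    root = b"\x30\x82" + bytes(range(64))  # constructed stand-in bytes, not a real certificate
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "ca-bundle.crt"), Path(tmp, "ca-bundle-proxy.crt")
        src.write_text("# constructed empty bundle\n", encoding="utf-8")
        print(extend_bundle(src, root, hashlib.sha256(root).hexdigest(), dst))
```

Git can then be pointed at the new file through the http.sslCAInfo setting shown in the configuration listing, which leaves the installed ca-bundle.crt unmodified.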
Setup
I am behind a proxy. Here's the output of my git config -l --show-origin command:
file:"C:\ProgramData/Git/config" core.symlinks=false
file:"C:\ProgramData/Git/config" core.autocrlf=true
file:"C:\ProgramData/Git/config" core.fscache=true
file:"C:\ProgramData/Git/config" color.diff=auto
file:"C:\ProgramData/Git/config" color.status=auto
file:"C:\ProgramData/Git/config" color.branch=auto
file:"C:\ProgramData/Git/config" color.interactive=true
file:"C:\ProgramData/Git/config" help.format=html
file:"C:\ProgramData/Git/config" rebase.autosquash=true
file:"C:\Program Files\Git\mingw64/etc/gitconfig" http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
file:"C:\Program Files\Git\mingw64/etc/gitconfig" http.sslbackend=openssl
file:"C:\Program Files\Git\mingw64/etc/gitconfig" diff.astextplain.textconv=astextplain
file:"C:\Program Files\Git\mingw64/etc/gitconfig" filter.lfs.clean=git-lfs clean -- %f
file:"C:\Program Files\Git\mingw64/etc/gitconfig" filter.lfs.smudge=git-lfs smudge -- %f
file:"C:\Program Files\Git\mingw64/etc/gitconfig" filter.lfs.required=true
file:"C:\Program Files\Git\mingw64/etc/gitconfig" filter.lfs.process=git-lfs filter-process
file:"C:\Program Files\Git\mingw64/etc/gitconfig" credential.helper=manager
file:H://.gitconfig https.proxy=http://webproxy.bankofamerica.com:8080
file:H://.gitconfig http.proxy=http://webproxy.bankofamerica.com:8080
Details
Git Bash and Cmd
The repo being cloned.
Cloning into 'learnangular5'...
fatal: unable to access 'https://github.com/planetoftheweb/learnangular5.git/': SSL certificate problem: unable to get local issuer certificate
https://github.com/planetoftheweb/learnangular5.git