SourceTree, Stash and Windows: Unable to get local issuer certificate

We have Stash installed on a Windows 2k8 R2 server, and for the most part everything is working nicely. We have an SSL certificate issued by our local on-premise Windows CA and a DNS entry set up so we can go to https://stash/ and it works quite nicely except in Firefox where it throws a warning (related?).

When using SourceTree we can paste the url in directly or navigate and choose a repository through the Globe icon button, but when we try to clone we get the following error:

fatal: unable to access https://user@url/scm/etc/etc.git: SSL certificate problem: unable to get local issuer certificate

I get the same error if I try it from Git Bash as well. Based on this error, I've tried following various instructions on adding the SSL certificate to Git (also found on the website), including what is in the comments, to no avail. I have exported the cert through Firefox and through the mmc certificate snap-in, gotten the same results and put it in its own file, or combined with the curl file, and no matter what keep getting this error.

I also tried using ssh myserver and accepting the connection, and I entered my password and restarted, still the same error.

I do not want to simply ignore certificate validation either, since that seems a bit pointless, then. I have noticed, however, that I can simply try it over http (remove the trailing s) and surprisingly it works. I may end up just working that way - it seems pointless to have https if you can just bypass it.

I have tried various other solutions found on SO, but have made zero headway. How can I get this working with our CA-issued cert? Alternately, what do I need to do to get the SSH working?

Edit: I was speaking with a peer who mentioned that my cert may be missing the 'intermediate certificates', perhaps related to the issue I get with Firefox. I'm not sure what that means (I'm not great with certs), but I'm looking into that.

Edit 2: I got the SSH working, I was an idiot and forgot the ports. So if nothing else I can work with that for now. I hadn't spent much time on it though, since it isn't really my focus at the moment.

Edit 3: I noticed that I'm not yet authenticating to Active Directory via SSL (using Delegated LDAP Authentication). I'm still waiting on my Networking guys to get something working there - would this perhaps affect it?

3 answers

1 accepted

2 votes
Answer accepted

After working with a peer who had been out until today, the revelation is that I had been using ONLY the certificate for the server itself. My [faulty] understanding of all the articles was that, similar to handling self-signed certs, you just tell Git to trust this cert. This is not the case for us.

Instead, it is the Root CA Cert from our domain that I should have been exporting and telling Git to trust. I swear I tried that early last week when this all first started, but to my shame I must not have.

Let this be a warning for anyone else who finds themselves in my position!

+1 for doing independent research.

Thanks - being in IT support really makes you appreciate people who do research and provide as much info as they can (within reason!).
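
The accepted answer's point can be reproduced offline. The script below is an added example, not part of the original thread: it builds a throwaway root CA and a server certificate with the `openssl` CLI (the names "Demo Root CA" and "stash" and all file names are constructed), then verifies the server certificate while trusting first only the server certificate and then the root CA.

```shell
#!/bin/sh
# Constructed demo PKI: a throwaway root CA that signs one server ("leaf") cert.
# Assumes the openssl CLI is installed; nothing here touches a real trust store.

make_demo_pki() {   # $1 = working directory
  # Self-signed root CA (stands in for the on-premise Windows CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null || return 1
  # Server key and CSR, then the CSR signed by the root CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=stash" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}

# Verify server cert $2 while trusting only the certificates in file $1.
# Prints OpenSSL's verdict; returns its exit status (0 = chain is trusted).
verify_with() {
  openssl verify -CAfile "$1" "$2" 2>&1
}

demo() {
  d="$(mktemp -d)" || return 1
  make_demo_pki "$d" || return 1
  echo "--- trusting only the server certificate (the mistake in the thread)"
  verify_with "$d/leaf.crt" "$d/leaf.crt"
  echo "--- trusting the root CA certificate (the fix)"
  verify_with "$d/root.crt" "$d/leaf.crt"
  rm -rf "$d"
}

demo

# With the real root CA exported as PEM (placeholder path), Git is pointed at it with:
#   git config --global http.sslCAInfo /path/to/root-ca.pem
```

The first check fails with the same "unable to get local issuer certificate" text as in the question, because a non-self-signed server certificate is not a trust anchor on its own; the chain has to end at the issuing root.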
