Adding additional SSL certificate to be recognized in Cygwin


Since your git-command is using Curl internally, try curl --verbose https://the-repo-URL to see what happens.

Expected result is the same error you reported: "SSL certificate problem: unable to get local issuer certificate". Also in the verbose output there should be something like:

* successfully set certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

The error and the above output translate as: The X.509 certificate your repository is using is either self-signed and not trusted by Curl or is issued by a Certificate Authority not trusted by Curl. The places we looked for a trust-anchor included /etc/pki/tls/certs/ca-bundle.crt, but we failed to find anything applicable.

To fix this:

  1. (this is the tricky part) Get the self-signed certificate, or the issuing CA root certificate
  2. Store the X.509 certificate in PEM-format to directory /etc/pki/ca-trust/source/anchors
  3. Run command update-ca-trust. Do this with Administrator-permissions. Also note that this command doesn't output anything.
  4. Done! Test.

Update

The above stands valid, but there is an easier way to do exactly the above. Run this single command:

trust anchor --store [the certificate PEM-file]

Done! Test.
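
The error string above can be reproduced offline. The following is an added example, not part of the original answer: it builds a constructed three-certificate chain with openssl (the "Demo ..." names and all file names are assumptions) and shows that a trusted root alone is not enough when the server does not send its intermediate certificate.

```bash
#!/usr/bin/env bash
# Constructed, throwaway PKI: Demo root -> Demo intermediate -> Demo leaf.
# Nothing here is taken from a real server; all names are assumptions.

build_demo_pki() {  # $1 = scratch directory
  local d=$1 n
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  for n in root intermediate leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root, then an intermediate CA signed by it, then the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -set_serial 2 -days 2 -extfile "$d/ca.ext" \
    -out "$d/intermediate.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.pem" \
    -CAkey "$d/intermediate.key" -set_serial 3 -days 2 \
    -out "$d/leaf.pem" 2>/dev/null
}

# Path building as a TLS client does it: trust bundle ($1), the server's own
# certificate ($2), and optionally the extra certificates the server sent ($3).
client_verify() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1
}

demo() {
  local d; d=$(mktemp -d) || return 1
  build_demo_pki "$d" || { echo "openssl failed" >&2; rm -rf "$d"; return 1; }
  echo "1) server sends leaf only, client trusts the root:"
  client_verify "$d/root.pem" "$d/leaf.pem" || true
  echo "2) server sends leaf + intermediate, client trusts the root:"
  client_verify "$d/root.pem" "$d/leaf.pem" "$d/intermediate.pem" || true
  echo "3) leaf only, intermediate added to the client's anchors:"
  cat "$d/root.pem" "$d/intermediate.pem" > "$d/anchors.pem"
  client_verify "$d/anchors.pem" "$d/leaf.pem" || true
  rm -rf "$d"
}
demo
```

Case 1 fails with the same "unable to get local issuer certificate" message even though the root is trusted; cases 2 and 3 verify, corresponding to fixing the chain on the server and to adding the missing issuer to the client's anchors.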


Author: Jake

Updated on September 18, 2022

Comments

  • Jake over 1 year

    I have a server setup that has an HTTPS certificate issued by a major certificate provider (DigiCert). The certificate is recognized by all of the browsers on a machine running Windows Server 2008 R2, including Internet Explorer, Chrome, and Firefox.

    However, the certificate is not recognized within Cygwin. For example, I get this error when I try to clone a git URL from this server:

    error: SSL certificate problem: unable to get local issuer certificate while accessing [URL]
    fatal: HTTP request failed

    Other tools within Cygwin I have tried give the same error, such as curl:

    curl: (60) SSL certificate problem: unable to get local issuer certificate

    Digicert has the exact certificate I need. My ideal solutions would be to either update the bundle of certificates that Cygwin uses or to manually install the needed certificate. It seems like Cygwin has a separate certificate store from Windows. How can I do this?

    Note: I do not want to simply ignore the error, as many users use this machine and will need to access the same server, so it would not make sense to ignore each time.

    • user1686 about 8 years
      But does the server send the certificate chain? Many sites forget to enable that, because web browsers cache previously seen intermediate certs and paper over the problem.
    • Jake about 8 years
      The server is one I have configured running GitLab Community Edition, which uses nginx. I can try looking into that.
    • user1686 about 8 years
      Please do. gnutls-cli <server> -p 443 or ssl-tools.net/webservers are good ways to check from the outside. If you have Cygwin's ca-certificates package installed, then I'm sure it uses the Mozilla bundle which certainly has DigiCert.
    • Jake over 7 years
      @grawity The answer was to install the entire certificate chain. Just noticed I never followed up. Feel free to make it an answer and I'll accept it.