Visual Studio 2017 Enterprise + TFS 2018 + Git Clone = Unable to get local issuer certificate


Solution 1

Here is what I did to fix my issue:

In Git Settings, Global Settings in Team Explorer, there is an option to choose between OpenSSL and Secure Channel.

Starting with Visual Studio 2017 (version 15.7 preview 3), using SChannel in the Git Global Settings fixed my issue.

Solution 2

After two days with system admin support, I got the solution. I am posting it here in case it helps somebody else. Visual Studio 2017 appears not to accept a self-signed certificate, as the error states ("local issuer blah blah"). There has to be a local CA to approve it. The steps were:

Server:

  1. Install the company/trusted CA on the TFS machine as Trusted Authority root.
  2. Prepare a certificate for TFS and make it derive from the company/trusted CA.
  3. Install it as Trusted Authority root on the TFS machine.
  4. Configure the TFS-IIS binding to make the TFS certificate compulsory for HTTPS connections.

Client:

  1. Install the CA certificate as Trusted Authority root on the client machine (tried with Windows 7 and 10).
  2. Install the TFS certificate as Trusted Authority root on the client machine (you should see the lock in the browser, and connecting through it has to be recognized as secure).
  3. Install the Git client (I have Git-2.15.1.2-64-bit).
  4. Run a shell (cmd, PowerShell, Git Bash, as you prefer) and type this command: git config --global http.sslCAInfo C:/Users//ca-bundle.crt (because Git and Visual Studio have multiple folders where they store certificates, you are basically creating a global path for both of them).
  5. Now you should be able to see a new .gitconfig file with this content: [http] sslCAInfo = C:/Users//ca-bundle.crt
  6. If you type the command "git config --list --show-origin", you should see the new path/config added.
  7. Copy ca-bundle.crt from the C:\Program Files\Git\mingw64\ssl\certs path to the C:/Users// path.
  8. Export the CA certificate as Base 64 X.509 (.CER) to a path of your choice (you can view certificates from IE Internet Options/Content/Certificates).
  9. Open the CA certificate that you just exported with an editor like Notepad++ or whatever. The content should be: -----BEGIN CERTIFICATE-----publickey-----END CERTIFICATE-----
  10. Copy this content.
  11. Open C:/Users//ca-bundle.crt and paste the content, appending it.
  12. Export the TFS certificate as Base 64 X.509 (.CER) to a path of your choice.
  13. Open it with the editor you prefer and copy the content.
  14. Open C:/Users//ca-bundle.crt and paste the content, appending it.
  15. Save the file.

Now you should be able to clone repository.

So basically the point is that the certificate has to have the whole authority chain in it, and there has to be one.
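The effect of client steps 7 to 14 can be reproduced offline with OpenSSL, which ships with Git Bash. This is an added example, not part of the original answer: the two root CAs, the host name tfs.example.internal and all file names are constructed stand-ins. It shows the same "unable to get local issuer certificate" verdict while the bundle lacks the issuing CA, and a clean verification once the CA is appended.

```shell
#!/bin/sh
# Added example: every key, name and certificate below is a constructed throwaway.
set -eu

# Minimal OpenSSL config so the generated roots are real CA certificates.
write_cnf() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    'prompt = no' '[dn]' 'CN = placeholder' '[v3_ca]' \
    'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' > "$1"
}

# make_root DIR NAME CN: self-signed root CA -> DIR/NAME.crt and DIR/NAME.key
make_root() {
  openssl req -x509 -config "$1/pki.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_server DIR CA CN: server certificate DIR/server.crt issued by DIR/CA.crt
make_server() {
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 2 -out "$1/server.crt" 2>/dev/null
}

# check BUNDLE CERT: try to build a chain from CERT to a root in BUNDLE and
# echo OpenSSL's verdict (always returns 0 so callers can inspect the text).
check() {
  openssl verify -CAfile "$1" "$2" 2>&1 || true
}

demo() {
  d=$(mktemp -d)
  write_cnf "$d/pki.cnf"
  make_root "$d" stock "Constructed Public Root"      # stands in for Git's stock bundle
  make_root "$d" corp  "Constructed Corporate Root"   # stands in for the company CA
  make_server "$d" corp "tfs.example.internal"
  cp "$d/stock.crt" "$d/ca-bundle.crt"                # step 7: private copy of the bundle
  echo "before: $(check "$d/ca-bundle.crt" "$d/server.crt" | tr '\n' ' ')"
  cat "$d/corp.crt" >> "$d/ca-bundle.crt"             # steps 8-11: append the CA as PEM
  echo "after:  $(check "$d/ca-bundle.crt" "$d/server.crt" | tr '\n' ' ')"
  rm -rf "$d"
}

demo
```

When pasting by hand instead of using `cat`, make sure each -----BEGIN CERTIFICATE----- line starts on its own line, otherwise the appended block is not parsed.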

Solution 3

You can do a quick workaround by:

git config --global http.sslVerify false

Ref: https://confluence.atlassian.com/bitbucketserverkb/ssl-certificate-problem-unable-to-get-local-issuer-certificate-816521128.html

Solution 4

In a browser, open the TFS URL, click on the lock icon in the address bar, and export the root certificate as Base 64 X.509 (.CER). Then append the root certificate to the cert file here: "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw32\ssl\certs\ca-bundle.crt"

Solution 5

I faced the same issue. Below are two steps that worked for me to fix the issue:

  1. Go to Tools > Options > Source Control > Git Global Settings. Set Cryptographic network provider to Secure Channel.
  2. Reconnect the project. Go to Team Explorer > Manage Connection > Connect to Project.

Author: DioBrando

Updated on November 18, 2021

Comments

  • DioBrando, over 2 years

    I'm new to interacting with Git and I'm trying to combine it with TFS infrastructure, but I'm experiencing SSL authentication problems. No GitHub, no VSTS. TFS is on-premises, therefore a local installation.

    Server part:

    I've installed TFS 2018 on Windows Server 2016, created a corporate self-signed certificate and bound the TFS web service (IIS Manager) to that certificate.

    TFS is configured to run only through HTTPS. HTTP is redirected to HTTPS. I've setup a new Project with Git as versioning system.

    Client part:

    I have two kinds of Windows clients, Windows 7 SP1 and 10 Anniversary Update, both of them with Visual Studio 2017 Enterprise.

    I installed the certificate (as Trusted Root Certification Authorities), and connecting through a browser I have no problem whatsoever seeing the project information. No browser raises any kind of alert regarding the authenticity of the certificate. Then I installed Git-2.15.1.2-64-bit.exe, using the Windows Secure Channel library.

    I followed this guide to configure the Git clients, because I was getting the fatal error in the title. So basically I extracted the content of the self-signed certificate and appended it to the ca-bundle.crt file. All of them:

    • C:/Program Files/Git/mingw64/ssl/certs/
    • C:\users\myname (created as a global one just like guide says)
    • C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw32\ssl\certs (this is created by Visual Studio 2017 installation)

    When I run the "git config --list --show-origin" command in PowerShell, I see listed:

    file:"C:\Program Files\Git\mingw64/etc/gitconfig" http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
    file:"C:/users/myname/.gitconfig" http.sslcainfo=C:/users/myname/ca-bundle.crt

    If I try to clone repository from VS2017 Team Explorer panel it keeps saying: "Git failed with a fatal error. fatal: unable to access 'https://tfs.blahblah/': SSL certificate problem: unable to get local issuer certificate"

    But when I use Git GUI it answers with a different error: "fatal: Couldn't find remote ref HEAD". As far as I know, it looks reasonable because there is no commit attached.

    But I can't commit anything if I can't "pair" with Visual Studio 2017.

    I read through several links, but I couldn't get through it. So before marking it as a duplicate, I ask you to PLEASE pay attention to my specific system/environment requirements.

    Note: and please don't suggest that I switch off SSL because, as already discussed, it is NOT a solution in corporate/enterprise environments.

  • Anand Divakaran, over 3 years
    @PauloEduardoJardim can you please elaborate on how you got this fixed in VS2019?
  • BNJ, over 3 years
    This solution has fixed my issue in VS 2019. In case anyone is looking for the setting name, it is "Cryptographic network provider" in Visual Studio 2019.
  • carlin.scott, over 3 years
    If you're cloning your first repo in VS, the Git Global settings aren't accessible. So I had to use the command prompt which correctly set things up for me. Just open it in your repos folder, and clone your repo using git clone https://your/repo.git
  • Telos, about 3 years
    I feel it is important to note the disclaimer in the article: "...please be advised disabling SSL verification globally might be considered a security risk and should be implemented only temporarily."
  • Ester Kaufman, over 2 years
    Thanks. This helped me with VS2022.
  • Taras Pelenio, almost 2 years
    It works for VS 2022 as well; the property name is "Cryptographic network provider" (the same as in VS 2019).