40

I'm new to interact with Git and I'm trying to combine it with TFS infrastructure, but experiencing SSL authentication problems. No Github, no VSTS. TFS is on-premises, therefore local installation.

Server part:

I've installed TFS 2018 on Windows Server 2016 and create a corporate self signed certificate and bind the TFS web service (IIS manager) on that certificate.

TFS is configured to run only through HTTPS. HTTP is redirected to HTTPS. I've setup a new Project with Git as versioning system.

Client part:

I have two kind of Windows clients. Windows 7 SP1 and 10 Anniversary Update, both of them with Visual Studio 2017 Enterprise.

I installed the certificate (as Trusted Root Certification Authorities) and connecting through browser I have no whatsoever to see the project informations. No browser raise any kind of alerts regarding authenticity of certicate. Then, I installed Git-2.15.1.2-64-bit.exe, using Windows Secure Channel Library.

I followed this guide to configure Git clients, because I was getting title fatal error. So basically I extracted content of self-signed and appended to ca-bundle.crt file. All of them:

  • C:/Program Files/Git/mingw64/ssl/certs/
  • C:\users\myname (created as a global one just like guide says)
  • C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw32\ssl\certs (this is created by Visual Studio 2017 installation)

When I use through Powershell "git config --list --show-origin" command, I see listed: file:"C:\Program Files\Git\mingw64/etc/gifconfig" http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt file:"C:/users/myname/.gifconfig" http.sslcainfo=C:/users/myname/ca-bundle.crt

If I try to clone repository from VS2017 Team Explorer panel it keeps saying: "Git failed with a fatal error. fatal: unable to access 'https://tfs.blahblah/': SSL certificate problem: unable to get local issuer certificate"

But when I use Git GUI it answers with a different error: fatal: Couldn't find remote ref HEAD As far as I know it looks reasonable because there is no commit attached.

But I can't commit anything if I can't "pair" with Visual Studio 2017.

I read through several links, but I couldn't get it through. So before mark it as duplicated, I ask you to PLEASE pay attention to my specific system/environment requirements.

Note: and please don't suggest me to switch off SSL because as already talked it is NOT a solution in corporate/enterprise environments

DioBrando
  • 987
  • 3
  • 10
  • 22
  • According to the errors, seems your SSL setup is not configured properly, did you have any other ssl remote url, such as VSTS, have a test with it. – PatrickLu-MSFT Dec 06 '17 at 09:58
  • I think you should accept https://stackoverflow.com/a/54895121/193892 or edit your own answer to include the SChannel info. It worked nicely for me with VS 2017 and Azure Devops local server installation. – Prof. Falken Oct 01 '19 at 13:37

5 Answers5

79

Here what I did to fix my issue:

In Git Settings, Global Settings in Team Explorer, there is an option to choose between OpenSSL and Secure Channel.

Starting with Visual Studio 2017 (version 15.7 preview 3) use of SChannel in Git Global settings fixed my issue.

Anoj
  • 915
  • 7
  • 7
  • @PauloEduardoJardim can you please elaborate how you got this fixed in VS2019 – Anand Divakaran Aug 05 '20 at 05:55
  • 4
    This solution has fixed my issue in VS 2019. In case anyone is looking for the setting name, It is "Cryptographic network provider" in Visual Studio 2019. – BNJ Sep 02 '20 at 11:15
  • 1
    If you're cloning your first repo in VS, the Git Global settings aren't accessible. So I had to use the command prompt which correctly set things up for me. Just open it in your repos folder, and clone your repo using `git clone https://your/repo.git` – carlin.scott Sep 17 '20 at 19:04
  • 1
    It works for VS 2022 as well, property name is "Cryptographic network provider" (the same as in VS 2019) – Taras Pelenio May 24 '22 at 12:41
18

After two day with system admin support, I got the solution. I post it here in case it may help somebody else. Visual Studio 2017 looks not accepting a self signed certificate, as error states ("local issuer blah blah"). It has to be a local CA to approve it. Steps were:

Server:

  1. Install Company/Trusted CA on TFS machine as Trusted Authority root
  2. Preparing certificate for TFS and make it derive from company/trusted CA.
  3. Install it as Trusted Authority root in TFS machine
  4. Configure TFS-IIS binding in order to make TFS certificate to be compulsory for HTTPS connections

Client:

  1. Install CA certificate as Trusted Authority root on client machine (tried with Windows 7 and 10)
  2. Install TFS certificate as Trusted Authority root on client machine (you should see the lock in browser and connecting through it has to be recognized as secure)
  3. Install Git client (I have Git-2.15.1.2-64-bit).
  4. Run a shell (cmd, Powershell, Git-bash as you prefer) and digit this command: git config --global http.sslCAInfo C:/Users//ca-bundle.crt (because Git and Visual Studio have multiple folders where they store certificates, you are basically creating a global path for both of them)
  5. Now you should be able to see a new .gitconfig file with this content: [http] sslCAInfo = C:/Users//ca-bundle.crt
  6. if you digit command "git config --list --show-origin" you should see the new path/config added
  7. Copy ca-bundle.crt from C:\Program Files\Git\mingw64\ssl\certs path to C:/Users// path
  8. Export CA certificate as Base 64 X.509 (.CER) to up to you path (you can view certificates from IE Internet Options/Content/Certificates).
  9. Open it with editor like Notepad++ or whatever the CA certificate that you just exported. Content should be: -----BEGIN CERTIFICATE-----publickey-----END CERTIFICATE-----
  10. Copy this content
  11. Open the C:/Users//ca-bundle.crt and paste appending that content
  12. Export TFS certificate as Base 64 X.509 (.CER) to up to you path.
  13. Open it with the editor you prefer and copy the content
  14. Open the C:/Users//ca-bundle.crt and paste appending that content
  15. Save the file

Now you should be able to clone repository.

So basically the point is that certificate has to have the all chain authority in it and there has to be one.

DioBrando
  • 987
  • 3
  • 10
  • 22
14

You can do a quick workaround by:

git config --global http.sslVerify false

Ref: https://confluence.atlassian.com/bitbucketserverkb/ssl-certificate-problem-unable-to-get-local-issuer-certificate-816521128.html

user9371102
  • 1,278
  • 3
  • 21
  • 43
  • 2
    I feel it is important to note the disclaimer in the article: _"...please be advised disabling SSL verification globally might be considered a security risk and should be implemented only temporarily."_ – Telos Mar 17 '21 at 17:12
5

I faced the same issue. Below are two steps that worked for me to fix the issue:

  1. Go to Tools > Options > Source Control > Git Global Settings Set Cryptographic network provider as Secure Channel.
  2. Reconnect Project. Go to Team Explorer > Manage Connection > Connect to Project.
Shivam Pawar
  • 131
  • 2
  • 5
2

In a browser open the tfs url then click on the lock icon in the address bar then export the root certificate as Base 64 X.509 (.CER) then appended the root certificate to the cert file here: "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw32\ssl\certs\ca-bundle.crt"

Shahyad Sharghi
  • 660
  • 9
  • 12