Git for Windows with TFS and SSL behind a proxy

If you run your TFS on-premises and use Git for Windows, you may run into two issues. The first occurs if you use SSL for your TFS. The second occurs if you are behind a proxy.

Use Git for Windows with a corporate SSL certificate

If you have a corporate SSL certificate and want to clone your repo from the console or VSCode, you get the following error:

fatal: unable to access ‘https://myserver/tfs/DefaultCollection/_git/Proj/’: SSL certificate problem: unable to get local issuer certificate

The solution is described in an MSDN article. It is outdated – that’s why I will explain it here. Export your root certificate to a file. You can do this from within your browser. Open your TFS, click the lock symbol to the right of the URL, and click “View certificate”. In the tab “Certification Path”, select the root and click “View certificate” again.

In the “Details” tab is a button to export the certificate. Use Base-64 encoded X.509 and save it to a file anywhere on your disk.

Locate the “ca-bundle.crt” file in your Git folder (in the current version it is in C:\Program Files\Git\usr\ssl\certs, but the location has changed in the past). Copy the file to your user profile. Open it with a text editor like VSCode and add the content of your exported certificate to the end of the file.

Now we have to configure git to use the new file:

git config --global http.sslCAInfo C:/Users/<yourname>/ca-bundle.crt

This will add the following entry to your .gitconfig file in the root of your user profile.

[http]
    sslCAInfo = C:/Users/<yourname>/ca-bundle.crt
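
The copy-and-append steps above can also be scripted from Git Bash. This is an added example, not part of the original post; the function name add_root_ca and the file name root-ca.cer are hypothetical. It rejects an export that is not Base-64 (PEM), keeps an existing copy of the bundle, and skips a certificate that is already in it.

```shell
#!/bin/sh
# Added example, not from the original post. Intended for Git Bash.
# add_root_ca EXPORTED_CERT SOURCE_BUNDLE TARGET_BUNDLE
# Returns 0 = appended, 1 = rejected, 2 = certificate already in the bundle.
add_root_ca() {
    cert=$1; src=$2; dst=$3

    # The export must be "Base-64 encoded X.509" (PEM). A DER export is binary
    # and would corrupt the bundle, so insist on exactly one PEM block.
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----' "$cert" 2>/dev/null || true)
    if [ "$begins" != 1 ] || [ "$ends" != 1 ]; then
        echo "rejected: $cert is not a single PEM certificate" >&2
        return 1
    fi

    # Base64 body on one line, CRLF from the Windows export removed.
    body=$(tr -d '\r' < "$cert" | grep -v -- '-----' | tr -d '\n')
    [ -n "$body" ] || return 1

    # Work on a copy in the user profile so a Git update cannot overwrite it.
    # An existing copy is kept, because it may already hold earlier additions.
    if [ ! -f "$dst" ]; then
        cp "$src" "$dst" || return 1
    fi

    # Skip the append when the same certificate is already present.
    if tr -d '\r\n' < "$dst" | grep -qF -- "$body"; then
        echo "unchanged: certificate already in $dst" >&2
        return 2
    fi

    # A bundle without a final newline would glue its last line to the new
    # BEGIN line, and the appended certificate would not be recognised.
    if [ -n "$(tail -c 1 "$dst")" ]; then
        echo >> "$dst"
    fi
    printf '%s\n' "$(tr -d '\r' < "$cert")" >> "$dst"
}

# Usage (root-ca.cer is an assumed file name; the bundle path is the one from the post):
#   openssl x509 -in ~/root-ca.cer -noout -subject -fingerprint -sha256  # compare with the certificate dialog
#   add_root_ca ~/root-ca.cer "/c/Program Files/Git/usr/ssl/certs/ca-bundle.crt" ~/ca-bundle.crt
#   git config --global http.sslCAInfo "C:/Users/<yourname>/ca-bundle.crt"
#   git config --show-origin --get http.sslCAInfo
```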

Use Git for Windows behind a proxy

If you are behind a proxy, configuring Git to use it is pretty easy and well documented. The problem is that afterwards you cannot access your local TFS server. For that to work, you have to add an exception for your local URL.

Open the .gitconfig file in the root of your user profile and locate the http section. If your TFS uses SSL and you followed step one, you should already have an entry with an sslCAInfo item. Add the URL of your TFS to the section head and add a new section without the URL. Add a proxy item to both sections. Leave it blank for the section that has your TFS URL in it.

[http]
    proxy = "http://httpproxy.contoso.com:2233"
[http "https://tfs.contoso.com/tfs/"]
    proxy = ""
    sslCAInfo = C:/Users/<yourname>/ca-bundle.crt

That’s it. Now you can work with repos in your company network and on the internet. This is true for all kinds of Git repos – not only TFS.

7 comments

  1. BTW good news! If you install a newer Git for Windows version and select “Secure Channel” as HTTPS backend instead of OpenSSL, it should work already after installing the certificate into your “Trusted Root Certification Authorities” Credential Store.

  2. Many many thanks for this.

    Minor typo:
    git config –global http.sslCAInfo C:/Users//ca-bundle.crt

    (web editor seems to change two minuses into a long hyphen)

  3. Doh, anyways, don’t copy paste the above line, and make sure you type two minuses instead of the long hyphen there (though not a mistake seasoned git veterans would make 😉
