If you run your TFS on-premises and use Git for Windows, you may run into two issues. The first occurs if you use SSL for your TFS. The second occurs if you are behind a proxy.
Use Git for Windows with a corporate SSL certificate
If you have a corporate SSL certificate and want to clone your repo from the console or VSCode you get the following error:
fatal: unable to access ‘https://myserver/tfs/DefaultCollection/_git/Proj/’: SSL certificate problem: unable to get local issuer certificate
The solution is described in an MSDN article. It is outdated – that’s why I will explain it here. Export your root certificate to a file. You can do this from within your browser. Open your TFS, click the lock symbol to the right of the URL, and click “View certificate”. In the “Certification Path” tab, select the root and click “View certificate” again.
In the “Details” tab is a button to export the certificate. Use Base-64 encoded X.509 and save it to a file anywhere on your disk.
Locate the “ca-bundle.crt” file in your Git folder (currently C:\Program Files\Git\usr\ssl\certs, but it has changed in the past). Copy the file to your user profile. Open it with a text editor like VSCode and add the content of your exported certificate to the end of the file.
Now we have to configure git to use the new file:
git config --global http.sslCAInfo C:/Users/<yourname>/ca-bundle.crt
This will add the following entry to your .gitconfig file in the root of your user profile.
[http]
    sslCAInfo = C:/Users/<yourname>/ca-bundle.crt
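A scripted version of the copy-and-append steps above, as an added example that is not part of the original post. It rejects a binary (DER) export, skips a root that is already in the bundle, and keeps the END and BEGIN lines apart when the bundle has no trailing newline. The function and file names are assumptions, the sample certificates are constructed placeholders, and only PEM framing and Base-64 are checked, not the X.509 content.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """SHA-256 over the decoded body of every PEM certificate block in text."""
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(text)]

def add_root_to_bundle(git_bundle, exported_cert, user_bundle):
    """Append the exported root to a per-user copy of Git's ca-bundle.crt.
    Checks PEM framing and Base-64 only; it does not parse the X.509 itself."""
    try:
        cert_text = Path(exported_cert).read_bytes().decode("ascii")
    except UnicodeDecodeError:  # DER export: binary, no BEGIN/END lines
        raise ValueError("binary export; choose Base-64 encoded X.509") from None
    fps = pem_fingerprints(cert_text)
    if len(fps) != 1:
        raise ValueError("expected exactly one BEGIN/END CERTIFICATE block")
    user_bundle = Path(user_bundle)
    if not user_bundle.exists():  # work on a copy, not the file under Program Files
        user_bundle.write_bytes(Path(git_bundle).read_bytes())
    bundle_text = user_bundle.read_text(encoding="utf-8", errors="replace")
    if fps[0] in pem_fingerprints(bundle_text):
        return "already-present"
    sep = "" if bundle_text.endswith("\n") else "\n"  # keep END and BEGIN on separate lines
    with user_bundle.open("a", encoding="utf-8", newline="\n") as fh:
        fh.write(sep + PEM_RE.search(cert_text).group(0) + "\n")
    return "added"

def _constructed_pem(payload):
    """Constructed sample: PEM framing around placeholder bytes, not a real certificate."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "git.crt").write_text(_constructed_pem(b"public-ca" * 8).rstrip("\n"))  # no final newline
        (d / "root.cer").write_text(_constructed_pem(b"corp-root" * 8))
        (d / "root-der.cer").write_bytes(b"\x30\x82\x03\x01constructed")
        user = d / "ca-bundle.crt"
        first = add_root_to_bundle(d / "git.crt", d / "root.cer", user)
        second = add_root_to_bundle(d / "git.crt", d / "root.cer", user)
        try:
            third = add_root_to_bundle(d / "git.crt", d / "root-der.cer", user)
        except ValueError as exc:
            third = f"rejected: {exc}"
        return first, second, third, len(pem_fingerprints(user.read_text()))
```
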
Use Git for Windows behind a proxy
If you are behind a proxy, it is pretty easy and well documented how you configure git to use it. The problem is that after that you cannot access your local TFS server. For that to work you have to add an exception for your local URL.
Open the .gitconfig file in the root of your user profile. Locate the http section. If your TFS uses SSL and you followed step one, you should already have an entry with an sslCAInfo item. Add the URL of your TFS to that section header and add a new section without the URL. Add a proxy item to both sections. Leave it blank for the entry that has your TFS URL in it.
[http]
    proxy = "http://httpproxy.contoso.com:2233"
[http "https://tfs.contoso.com/tfs/"]
    proxy = ""
    sslCAInfo = C:/Users/<yourname>/ca-bundle.crt
That’s it. Now you can work with repos in your company network and on the internet. This is true for all kinds of Git repos – not only TFS.
21 thoughts on “Git for Windows with TFS and SSL behind a proxy”
Many Thanks! It was very helpful, and solved my problem.
You are welcome 🙂
BTW good news! If you install a newer Git for Windows version and select “Secure Channel” as HTTPS backend instead of OpenSSL, it should work already after installing the certificate into your “Trusted Root Certification Authorities” Credential Store.
I installed git for windows version 2.16.1.windows.1 with “use the native windows secure channel library” selected and the self signed certs already pushed to trusted root certification authorities folder and intermediate certification authorities folder. Still got the same error when trying to clone with Visual Studio 2017 (not console or VS Code).
Many many thanks for this.
git config –global http.sslCAInfo C:/Users//ca-bundle.crt
(web editor seems to change two minuses into a long hyphen)
Thanks for the hint. I fixed it.
how can I set up git to support the CA Root certificate for some repos, but not use it for repos on github.com?
Doh, anyways, don’t copy paste the above line, and make sure you type two minuses instead of the long hyphen there (though not a mistake seasoned git veterans would make 😉
I’m sorry but it does not work for me.
I’m using a Corporate/Self Signed certificate that is placed under “Trusted Root Certification Authorities”.
I installed Git for Windows using “Windows Secure Channel Library” and I got “SSL certificate problem: unable to get local issuer certificate” error message.
I followed this guide and proceeded but now with git config --global http.sslCAInfo C:/Users//ca-bundle.crt
I see two ../ca-bundle.crt
One is there, and there is another one under C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt.
I modified also this crt including the content of the extracted self-signed certificate.
So basically they are the same file.
I also modified the crt under Visual Studio Git installation (path: C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw32\ssl\certs)
But yet I wasn’t able to clone repository.
Any other ideas?
Locate the .gitconfig in your user profile and check the sslCAInfo path in the http section. In this crt file your root certificate must be correct (with start and end section). This still works after updating git for windows. If this doesn’t work you can try the method of schindelin and reinstall git for windows and choose “Secure Channel”. I haven’t tried that yet.
Another happy reader of this blog post 🙂
I will be working on fixes in the am. Thanks for your help
Everyone. Michael Peoni
Had to work security today
And how. Do i get email encrypted
Worked great, thanks!
Thanks! This fix was great!
Thanks for writing this.
My certificate is OTP AVAILABLE