Resolving SSL Self-Signed Certificate Errors

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Server and Data Center Only. This article only applies to Atlassian products on the server and data center platforms.

If you're using a self-signed certificate on your Bitbucket server, you may receive SSL certificate errors when you try to perform certain actions. This page will help you resolve these errors.

Problem

When trying to perform a clone using instructions stated in Debug logging for Git operations on the client the following error is reported:

$ export GIT_CURL_VERBOSE=1

$ git clone https://username@git.example.com/scm/repository.git
Cloning into 'repository'...
* Couldn't find host git.example.com in the _netrc file; using defaults

* Adding handle: conn: 0x22a7568
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x22a7568) send_pipe: 1, recv_pipe: 0
* About to connect() to git.example.com port 443 (#0)
*   Trying 10.253.136.142...
* Connected to git.example.com (10.253.136.142) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: C:\Program Files (x86)\Git/bin/curl-ca-bundle.crt
  CApath: c:/Users/username/Downloads
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
fatal: unable to access 'https://username@git.example.com/scm/repository.git': SSL certificate problem: self signed certificate in certificate chain

Cause

This is caused by git not trusting the certificate provided by your server.

Workaround

One possible workaround is to temporary disable SSL check for your git command in case you only need to perform a one time clone:

GIT_SSL_NO_VERIFY=true git clone https://username@git.example.com/scm/repository.git

or

git remote add origin <gitrepo>
git config --global http.sslVerify false

The workaround is intended to be used for one-time only operations and not to be used frequently. Removing the SSL verification disproves the whole concept of having SSL implemented.

Resolution

Step1: Get a self-signed certificate of the remote server

There is multiple ways of exporting the certificate, Either from the Browser or using the OpenSSL command

Get Certificate using OpenSSL

Get Certificate using OpenSSL
$ echo | openssl s_client -servername NAME -connect HOST:PORT |\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.pem

Get Certificate using the Web browser

Export Certificate in MAC

Trust Certificate in your browser

To trust a self-signed certificate, you need to add it to your Keychain.

The easiest way to do that is to open the site in question in Safari, upon which you should get this dialog box:

Click 'Show Certificate' to reveal the full details:

Export Certificate in .pem format

Git doesn't use the Mac OS X keychain to resolve this, so you need to trust the certificate explicitly. 

  1. If you haven't done so already, follow the steps in 'Trust certificate in your browser, above
  2. Open Applications > Keychain Access and select 'Certificates' in the lower-left pane
  3. Type the website into the Search field in the top-right
  4. Select the certificate entry for the website, then in the menu click File > Export Items
  5. In the Save dialog, change 'File Format' to 'Privacy Enhanced Mail (.pem)' and save the file somewhere on your drive
Export Certificate From Firefox
  • Access the URL of the remote server
  • Click the Open padlock in the address bar.

  • Click the arrow beside OpenConnection Secure.

  • Click More Information. The OpenPage Info dialog box opens.

  • Click View Certificate.
  • The Certificate page opens.
  • Scroll down to the Miscellaneous section.
  • In the Download row, click the PEM (cert) link.
  • In the dialog box that opens, click OK to save the certificate file to a known location.
  • Navigate to the location for saving the file, and then click Save.

Step 2: Configure Git to trust the Certificate

For MAC/Linux:

Once the certificate is saved on the client you can instruct your git client to use it to trust the remote repository by updating the local git config:

# Initial clone
GIT_SSL_CAINFO=/path/to/certificate.pem
git clone https://username@git.example.com/scm/repository.git

# Ensure all future interactions with origin remote also work
cd repository
git config http.sslCAInfo /path/to/certificate.pem

For Windows Client:

Step 1: Import  the certificate into the window trust store
Import a signed certificate into the local machine certificate store
  • Enter Start | Run | MMC.
  • Click File | Add/Remove Snap-in.

Image

  • In the Add or Remove Snap-ins window, select Certificates and click Add.

Image

  • Select the Computer account radio button when prompted and click Next

Image

  • Select Local computer (selected by default) and click Finish.

Image

  • Back in the Add or Remove Snap-ins window, click OK.

Image

  • In the MMC main console, click on the plus (+) symbol to expand the Certificate snap-in.
  • To import the CA certificate, navigate to Trusted Root Certification Authorities | Certificates pane.

Image

  • Right-click within the Certificates panel and click All Tasks | Import to start the Certificate Import wizard.

Image

Image

Image

  • On successfully importing the CA certificate the wizard will bring you back to the MMC main console.

Image

  • Close the MMC console.
Step 2: Configure git to use the certificate in the windows Trust store

When using Windows, the problem resides that git by default uses the "Linux" crypto backend. Starting with Git for Windows 2.14, you can configure Git to use SChannel, the built-in Windows networking layer as the crypto backend. To do that, just run the following command in the GIT client:

git config --global http.sslbackend schannel

This means that it will use the Windows certificate storage mechanism and you don't need to explicitly configure the curl CA storage (http.sslCAInfo) mechanism. Once you have updated the git config, Git will use the Certificate in the Windows certificate store and should not require http.sslCAInfo setting.


DescriptionIf you're using a self-signed certificate on your Bitbucket server, you may receive SSL certificate errors when you try to perform certain actions. This page will help you resolve this errors.
ProductBitbucket
PlatformServer
Last modified on Mar 22, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.