mackyle/git-osx-installer

Can't clone from github on lion due to "SSL Certificate Problem"

reeskm opened this issue · 7 comments

With a clean install of 10.7.5 and default KeyChain roots, I installed the latest git-osx-installer with default options.

<host>:<dir> <user>$ git clone https://github.com/mypapit/cfourcc.git
Cloning into 'cfourcc'...
fatal: unable to access 'https://github.com/mypapit/cfourcc.git/': SSL certificate problem: Untrusted root certificate

Downloaded certificate from Firefox, and added to login keychain, set it to "always trust" and closed keychain. Logged out and back in.
DigiCertHighAssuranceEVRootCA.txt

Same output as above.

There is a readme file at:

/opt/git/Library/Keychains/README_CERTIFICATES.rtf 

You may want to take a look at that.

I'm pretty sure new roots have to be added to the System keychain, not the login keychain to be effective.

In any case what is the output from this:

GIT_CURL_VERBOSE=1 /opt/git/bin/git clone https://github.com/mypapit/cfourcc.git

Read that. Added cert to System. Still no dice...


<host>:<dir> <user>$ GIT_CURL_VERBOSE=1 /opt/git/bin/git clone https://github.com/mypapit/cfourcc.git
Cloning into 'cfourcc'...
* Couldn't find host github.com in the .netrc file; using defaults
*   Trying 192.30.253.112...
* TCP_NODELAY set
* Connected to github.com (192.30.253.112) port 443 (#0)
* ---
* Server certificate(s)
*  0 s:/businessCategory=Private Organization/jurisdictionOfIncorporationCountry=US/jurisdictionOfIncorporationStateOrProvince=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
*    d:2016-03-10T00:00:00Z,2018-05-17T12:00:00Z
*    a:github.com,www.github.com
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
*  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
*    d:2013-10-22T12:00:00Z,2028-10-22T12:00:00Z
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
*    k:B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3
* ---
* ---
* Candidate/partial certificate chain
*  0 s:/businessCategory=Private Organization/jurisdictionOfIncorporationCountry=US/jurisdictionOfIncorporationStateOrProvince=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
*    d:2016-03-10T00:00:00Z,2018-05-17T12:00:00Z
*    a:github.com,www.github.com
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
*  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
*    d:2013-10-22T12:00:00Z,2028-10-22T12:00:00Z
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
* +2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
*    d:2006-11-10T00:00:00Z,2031-11-10T00:00:00Z
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
* ---
* SSL certificate problem: Untrusted root certificate
* Closing connection 0
fatal: unable to access 'https://github.com/mypapit/cfourcc.git/': SSL certificate problem: Untrusted root certificate

Thank you for the info.

I have been able to reproduce this issue and identified the underlying problem.
(The real problem is that the Secure Transport documentation is wholly inadequate.)

In any case the root cause has to do with a behavior change in Secure Transport starting with 10.7 that's causing the super paranoid root certificate security check to start failing -- it thinks the root certificate is not in the list of trusted root certificates even though it is (10.7 is not setting a bit that's expected to be set).

In any case, I've tested a fix for this and it will be in the next releases. If you want to be notified by email when new releases are available, there's a link on the https://mackyle.github.io/git-osx-installer/ page (the "Subscribe" button) for this.

In the meanwhile there is a workaround that you can use:

mkdir -p "$HOME/certs"
security export -k /System/Library/Keychains/SystemRootCertificates.keychain \
  -t certs -f pemseq >"$HOME/certs/systemroots.pemseq"
git config --global http.sslCAInfo "$HOME/certs/systemroots.pemseq"

What this does is set an explicit list of trusted root certificates for Git. It creates the list by extracting it from the SystemRootCertificates.keychain file. Having an explicit list of root certificates works around the problem as it causes the proper bit to be set again.

Once you've installed a version with the fix, you can remove the setting like so:

git config --global --unset http.sslCAInfo

Which you'll probably want to do so you don't have to manually keep the systemroots.pemseq file updated.

Thank you so much for an excellent response.

However, it still isn't working even with your workaround. I double and triple checked to make sure I wasn't making a mistake.

I've tried:

  1. Your instructions to the letter.
macpro:Source rees$ security export -k /System/Library/Keychains/SystemRootCertificates.keychain -t certs -f pemseq >"$HOME/certs/systemroots.pemseq"
macpro:Source rees$ git config --global http.sslCAInfo "$HOME/certs/systemroots.pemseq"
macpro:Source rees$ git config -l
http.sslcainfo=/Users/rees/certs/systemroots.pemseq
macpro:Source rees$ GIT_CURL_VERBOSE=1 /opt/git/bin/git clone https://www.github.com/mypapit/cfourcc.git
Cloning into 'cfourcc'...
* Couldn't find host www.github.com in the .netrc file; using defaults
*   Trying 192.30.253.113...
* TCP_NODELAY set
* Connected to www.github.com (192.30.253.113) port 443 (#0)
* Invalid CA certificate #219 (offset 327578) bad cert data in bundle
* SSL: can't load CA certificate file /Users/rees/certs/systemroots.pemseq
* Closing connection 0
fatal: unable to access 'https://www.github.com/mypapit/cfourcc.git/': Invalid CA certificate #219 (offset 327578) bad cert data in bundle
  2. Pasting previously attached .pem file for DigiCert High Assurance EV Root CA to the end of my systemroots.pemseq created in step 1, and deleting offending certificate at offset 327578 using vi's ":goto" command
macpro:Source rees$ GIT_CURL_VERBOSE=1 /opt/git/bin/git clone https://www.github.com/mypapit/cfourcc.git
Cloning into 'cfourcc'...
* Couldn't find host www.github.com in the .netrc file; using defaults
*   Trying 192.30.253.113...
* TCP_NODELAY set
* Connected to www.github.com (192.30.253.113) port 443 (#0)
* ---
* Server certificate(s)
*  0 s:/businessCategory=Private Organization/jurisdictionOfIncorporationCountry=US/jurisdictionOfIncorporationStateOrProvince=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
*    d:2016-03-10T00:00:00Z,2018-05-17T12:00:00Z
*    a:github.com,www.github.com
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
*  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
*    d:2013-10-22T12:00:00Z,2028-10-22T12:00:00Z
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
*    k:B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3
* ---
* ---
* Candidate/partial certificate chain
*  0 s:/businessCategory=Private Organization/jurisdictionOfIncorporationCountry=US/jurisdictionOfIncorporationStateOrProvince=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
*    d:2016-03-10T00:00:00Z,2018-05-17T12:00:00Z
*    a:github.com,www.github.com
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
*  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
*    d:2013-10-22T12:00:00Z,2028-10-22T12:00:00Z
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
* +2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
*    d:2006-11-10T00:00:00Z,2031-11-10T00:00:00Z
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
* ---
* SSL certificate problem: Untrusted root certificate
* Closing connection 0
fatal: unable to access 'https://www.github.com/mypapit/cfourcc.git/': SSL certificate problem: Untrusted root certificate
  3. Setting my http.sslCAInfo config var to the one supplied by git-osx-installer
macpro:Source rees$ git config --global http.sslCAInfo /opt/git/Library/Keychains/ca-certificates_pemseq.txt 
macpro:Source rees$ git config -l
http.sslcainfo=/opt/git/Library/Keychains/ca-certificates_pemseq.txt
macpro:Source rees$ GIT_CURL_VERBOSE=1 /opt/git/bin/git clone https://www.github.com/mypapit/cfourcc.git
Cloning into 'cfourcc'...
* Couldn't find host www.github.com in the .netrc file; using defaults
*   Trying 192.30.253.113...
* TCP_NODELAY set
* Connected to www.github.com (192.30.253.113) port 443 (#0)
* ---
* Server certificate(s)
*  0 s:/businessCategory=Private Organization/jurisdictionOfIncorporationCountry=US/jurisdictionOfIncorporationStateOrProvince=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
*    d:2016-03-10T00:00:00Z,2018-05-17T12:00:00Z
*    a:github.com,www.github.com
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
*  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
*    d:2013-10-22T12:00:00Z,2028-10-22T12:00:00Z
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
*    k:B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3
* ---
* ---
* Candidate/partial certificate chain
*  0 s:/businessCategory=Private Organization/jurisdictionOfIncorporationCountry=US/jurisdictionOfIncorporationStateOrProvince=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
*    d:2016-03-10T00:00:00Z,2018-05-17T12:00:00Z
*    a:github.com,www.github.com
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
*  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
*    d:2013-10-22T12:00:00Z,2028-10-22T12:00:00Z
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
* +2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
*    d:2006-11-10T00:00:00Z,2031-11-10T00:00:00Z
*    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
* ---
* SSL certificate problem: Untrusted root certificate
* Closing connection 0
fatal: unable to access 'https://www.github.com/mypapit/cfourcc.git/': SSL certificate problem: Untrusted root certificate

Is this still related to the problem you found earlier, in Lion? Can you reproduce this also?
This is getting really weird...

If needed I can regression test this on Tiger as I have a lot of G4s to play with.

I had a similar problem on Leopard (10.5), and here's what I did to solve it:

After installing git, look here:

/opt/git/Library/Keychains/README_CERTIFICATES.rtf

Double-click the .keychain file in there to add it.

Then run this to see which root certificates are failing:

GIT_CURL_VERBOSE=1 git clone https://github.com/jasonrohrer/minorGems.git

Search the Keychain Access interface under ca-certificates to find the untrusted roots and manually trust them.

This should now work:

git clone https://github.com/jasonrohrer/minorGems.git

@reeskm ,

I apologize for taking so long to get back to you. I originally verified the issue and created the initial fix using 10.11. I also verified the workaround there.

Unfortunately, the workaround did not seem to work for you.

I hate it when developers say "works for me" and ignore it – I've been on the receiving end of that and I don't much like it.

Also I apologize for the "offending certificate" problem you found – I had previously found and fixed that but forgot that it’s not actually in any released version of the installer. (If you’re curious, the problem root certificate isn’t really in true DER form, but since nothing else complains about it I relaxed that check a little bit.)

I really needed full access to a 10.7 system to proceed. I finally managed that and some time.

It turns out that Secure Transport on 10.7 is a really perverse beast.

(FYI 10.4, 10.5, 10.6 and 10.8 are all fine, don’t recall whether or not I checked 10.9 or 10.10; 10.13 adds support for TLS 1.3 and ALLEGEDLY the rumor going around is that under-the-hood Secure Transport may have been replaced by das goo*le’s BoringSSL to make that happen.)

I was finally able to duplicate the failure of the workaround.

Turns out you shot yourself in the foot. ;)

To make the workaround work on 10.7 for you:

  1. Open up “Keychain Access” and find the “DigiCert High Assurance EV Root CA” certificate.
  2. Double click on it to get the info dialog
  3. Click the disclosure triangle next to “Trust”
  4. Change it to “Use System Defaults”
  5. Close the dialog and enter your password if requested then quit “Keychain Access”
  6. Make a folder in your home directory named “certs” if you do not already have one
  7. Save the attached “github_root_pem.txt” file in there
  8. Open a Terminal window and type this git command:
    git config --global http.https://github.com.sslCAInfo "$HOME/certs/github_root_pem.txt"

The problem with the workaround is that if the certificate already exists in the keychain (that certificate does on 10.7) AND has any trust setting other than “Use System Defaults” then Secure Transport ignores it on 10.7 when you specify it as a custom root with the “sslCAInfo” setting and tell Secure Transport to use only those roots.

Basically, by setting it to “Always Trust” that breaks the workaround on 10.7.

I was planning to release some new installer versions with a fix for this (and some other goodies) and even a way for pre-10.8 folks to use TLS 1.2 connections before the end of the year, but with only two days left I'm not sure I'm going to make that...

Thanks for your bug report – the resulting fix makes it better for everyone!

FYI, if you want a lighter weight way to verify it’s working without actually doing a clone use this command:

git ls-remote https://github.com/git/git.git pu

github_root_pem.txt
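The "Invalid CA certificate #219 (offset 327578) bad cert data in bundle" failure in the earlier comment and the explanation above that the offending root is not in true DER form are the same problem seen from two sides: an explicit http.sslCAInfo bundle is only as good as its worst entry, and a single malformed certificate makes the TLS library reject the whole file. The script below is an added example for this thread, not code from curl, git or git-osx-installer. It splits a PEM bundle, applies a minimal DER check to each certificate (outer SEQUENCE tag, length covering exactly the bytes present), and reports the index and file offset of the first bad entry so it can be cut out before retrying. The offset convention (byte position of the BEGIN marker) is an assumption and may not match curl's count exactly; the three entries in SAMPLE_BUNDLE are constructed toy DER blobs, not real certificates.

```python
"""Lint a PEM CA bundle before handing it to git/curl via http.sslCAInfo.
Example code added for this thread; not curl's, git's or the installer's
own code. Offset convention and the toy DER blobs below are assumptions /
constructed test data."""
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_sequence_ok(der: bytes) -> bool:
    """Minimal DER sanity check: the outer tag must be SEQUENCE (0x30) and the
    encoded length must cover exactly the remaining bytes. This catches the
    'bad cert data' class of error without a full X.509 parser."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    elif 0x81 <= first <= 0x84:           # long form, 1..4 length bytes
        n = first & 0x7F
        if len(der) < 2 + n or der[2] == 0:   # DER forbids leading zero bytes
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    else:
        return False                      # indefinite length or oversized
    return header + length == len(der)


def lint_bundle(text: str) -> list:
    """Return one (index, offset, sha256_fingerprint_or_None, status) tuple
    per PEM block, in file order. Offset is the position of the BEGIN marker
    counted from the start of the file (assumed convention)."""
    results, pos, index = [], 0, 0
    while True:
        start = text.find(BEGIN, pos)
        if start < 0:
            break
        stop = text.find(END, start)
        if stop < 0:
            results.append((index, start, None, "missing END marker"))
            break
        body = re.sub(r"\s+", "", text[start + len(BEGIN):stop])
        pos = stop + len(END)
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:                # binascii.Error is a ValueError
            results.append((index, start, None, "bad base64"))
        else:
            if der_sequence_ok(der):
                results.append((index, start, hashlib.sha256(der).hexdigest(), "ok"))
            else:
                results.append((index, start, None, "bad cert data"))
        index += 1
    return results


def first_invalid(results):
    """(index, offset) of the first entry that is not ok, or None if the
    bundle is clean; that entry is the one to remove before retrying."""
    for index, offset, _fp, status in results:
        if status != "ok":
            return index, offset
    return None


def to_pem(der: bytes) -> str:
    return f"{BEGIN}\n{base64.b64encode(der).decode()}\n{END}\n"


# Constructed sample bundle (toy DER blobs, not real certificates):
#   0: SEQUENCE { INTEGER 1 }              - well-formed
#   1: SEQUENCE claiming 16 bytes, 3 given - "bad cert data", like entry #219 above
#   2: SEQUENCE { INTEGER 2 }              - well-formed
SAMPLE_BUNDLE = (
    to_pem(b"\x30\x03\x02\x01\x01")
    + to_pem(b"\x30\x10\x02\x01\x01")
    + to_pem(b"\x30\x03\x02\x01\x02")
)

if __name__ == "__main__":
    report = lint_bundle(SAMPLE_BUNDLE)
    for index, offset, fp, status in report:
        extra = f" sha256={fp[:16]}..." if fp else ""
        print(f"#{index} offset {offset}: {status}{extra}")
    print("first invalid entry:", first_invalid(report))
```

Run it against a real export (`python3 lint_bundle.py` after pointing SAMPLE_BUNDLE at the contents of systemroots.pemseq) and the first non-ok entry is the one to delete; the fingerprint column lets you confirm the expected root (for this thread, the DigiCert High Assurance EV Root CA) is still present in the cleaned file rather than accidentally removed along with the bad one.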

Fantastic! That worked for me.

I have a very wide variety of older systems, for my own personal research, and have to say that with every site turning to SSL in order to avoid easy sniffing of traffic, I've been banging my head against the wall.

You deserve a big award for actually caring and supporting systems like 10.4, which power my massive PPC Xserve cluster. Finally, I've got an easy to use, working git on Lion without having to install macports, or roll my own custom compile, which is getting really time consuming to maintain on dozens of older systems.

              .-=========-.
              \'-=======-'/
              _|   .=.   |_
             ((|  {{1}}  |))
              \|   /|\   |/
               \__ '`' __/
                 _`) (`_
               _/_______\_
              /___________\