
SSL certificate rejected trying to access GitHub over HTTPS behind firewall


The problem is that you do not have any of the Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.

Update: Install Net/ca-certificates package in cygwin (thanks dirkjot)

There are two solutions:

  1. Actually install root certificates. The curl guys extracted the certificates from Mozilla for you.

    The cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it into individual certificates, put them in /usr/ssl/certs (your CApath) and index them.

    Here is how to do it. With cygwin setup.exe install the curl and openssl packages, then execute:

    $ cd /usr/ssl/certs
    $ curl http://curl.haxx.se/ca/cacert.pem | awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
    $ c_rehash

    Important: In order to use c_rehash you have to install openssl-perl too.

  2. Ignore SSL certificate verification.

    WARNING: Disabling SSL certificate verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues and your threat model before using this as a solution.

    $ env GIT_SSL_NO_VERIFY=true git clone https://github...


Note: disabling SSL verification has security implications. It allows Man in the Middle attacks when you use Git to transfer data over a network. Be sure you fully understand the security implications before using this as a solution. Or better yet, install the root certificates.

One way is to disable the SSL CERT verification:

    git config --global http.sslVerify false

This will prevent CURL from verifying the HTTPS certification.

For one repository only:

    git config http.sslVerify false


I wanted Git to use the updated certificate bundle without replacing the one my entire system uses. Here's how to have Git use a specific file in my home directory:

    mkdir ~/certs
    curl https://curl.haxx.se/ca/cacert.pem -o ~/certs/cacert.pem

Now update .gitconfig to use this for peer verification:

    [http]
        sslCAinfo = /home/radium/certs/cacert.pem

Note I'm using an absolute path. Git does no path expansion here, so you can't use ~ without an ugly kludge. Alternatively, you can skip the config file and set the path via the environment variable GIT_SSL_CAINFO instead.

To troubleshoot this, set GIT_CURL_VERBOSE=1. The path of the CA file Git is using will be shown on lines starting with "CAfile:" in the output.

Edited to change from http to https.
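
An added example, not part of the answers above: a shell function that audits a Git config file for the two settings these answers touch, `http.sslVerify` turned off and an `http.sslCAInfo` path that is unreadable or holds no certificates. The function name `audit_gitconfig`, the simplified line parser, and the sample host are assumptions made for illustration.

```shell
#!/bin/sh
# audit_gitconfig FILE: print one finding per line for the [http] settings
# discussed above; return 1 if anything was flagged, 0 if the file is clean.
# Simplified parser (assumption): one key per line, unquoted values, no
# include directives or line continuations.
audit_gitconfig() {
    awk '
    /^[ \t]*\[/ {                          # section header
        s = tolower($0); gsub(/[ \t]/, "", s)
        in_http = (s ~ /^\[http(\]|")/)    # [http] or [http "https://host/"]
        sect = $0; next
    }
    !in_http { next }
    {
        eq = index($0, "=")
        if (eq == 0) next                  # a bare key means true
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1)
        sub(/[ \t]*[#;].*$/, "", val)      # drop a trailing comment
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "sslverify" && (val == "" || tolower(val) ~ /^(false|no|off|0)$/)) {
            printf "%d: TLS verification disabled in %s\n", NR, sect; bad = 1
        }
        if (key == "sslcainfo") {
            path = val                     # expand a leading ~/ for the check
            if (substr(path, 1, 2) == "~/") path = ENVIRON["HOME"] substr(path, 2)
            n = 0
            while ((rc = (getline l < path)) > 0)
                if (l ~ /^-----BEGIN CERTIFICATE-----/) n++
            close(path)
            if (rc < 0)      { printf "%d: CA bundle not readable: %s\n", NR, val; bad = 1 }
            else if (n == 0) { printf "%d: CA bundle has no certificates: %s\n", NR, val; bad = 1 }
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: a config that disables verification for one host.
sample=$(mktemp)
printf '[http "https://git.example.internal/"]\n\tsslVerify = false\n' > "$sample"
audit_gitconfig "$sample" || echo "findings above need review"
rm -f "$sample"
```

Run it against `~/.gitconfig` and each repository's `.git/config`; a setting made only through `GIT_SSL_NO_VERIFY` or `GIT_SSL_CAINFO` in the environment is not visible to this check.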