Authentication failed on a specific machine via HTTPS with git bash - follow up question

Question

With this previous answer I was able to use git clone, etc using SSH on the problematic machine. But - only on such machine - I'm still getting an error from git bash for https:

$ git clone https://giuliohome:mypassword@github.com/giuliohome/MyPrivateRepo.git
Cloning into 'MyPrivateRepo'...
remote: Repository not found.
fatal: Authentication failed for 'https://github.com/giuliohome/MyPrivateRepo.git/'

I've tried to create a personal access token via github web settings and use it instead of the password but it also fails like above on the problematic machine (again, it works on another machine).

I've also tried to remove/change/add the git credentials through windows credential manager.

Edit Sorry guys, my original problem was

certificate problem: unable to get local issuer certificate

(The problem originated yesterday after an update of tortoisegit killed an explorer process and messed up something in my pc...)

I tried the quick workaround sslVerify = false and I got the above error, but returning to true I see the certificate problem back

Here the requested details

MYDOMAIN+MYDOMAINUSER@MYMACHINE MINGW64 /c/sviluppi/.../code/git/test2
$ git config -l --show-origin
file:C:/Program Files/Git/etc/gitconfig diff.astextplain.textconv=astextplain
file:C:/Program Files/Git/etc/gitconfig filter.lfs.clean=git-lfs clean -- %f
file:C:/Program Files/Git/etc/gitconfig filter.lfs.smudge=git-lfs smudge -- %f
file:C:/Program Files/Git/etc/gitconfig filter.lfs.process=git-lfs filter-process
file:C:/Program Files/Git/etc/gitconfig filter.lfs.required=true
file:C:/Program Files/Git/etc/gitconfig http.sslbackend=openssl
file:C:/Program Files/Git/etc/gitconfig http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
file:C:/Program Files/Git/etc/gitconfig core.autocrlf=true
file:C:/Program Files/Git/etc/gitconfig core.fscache=true
file:C:/Program Files/Git/etc/gitconfig core.symlinks=false
file:C:/Program Files/Git/etc/gitconfig core.editor="C:\\Program Files\\Notepad++\\notepad++.exe" -multiInst -notabbar -nosession -noPlugin
file:C:/Program Files/Git/etc/gitconfig credential.helper=manager
file:C:/Users/mydomainuser/.gitconfig        user.name=Giulio
file:C:/Users/mydomainuser/.gitconfig        user.email=giuliohome@xxxx.com
file:C:/Users/mydomainuser/.gitconfig        http.sslverify=true
file:C:/Users/mydomainuser/.gitconfig        credential.https://github.com.helper=manager
file:C:/Users/mydomainuser/.gitconfig        credential.https://github.com.username=giuliohome

I'm on Windows 10 Enterprise, I wish to use tortoisegit in the end but at the moment I'm blocked at git bash level. So now I'm using the pure git and I want to solve the issue there, then I guess I will be able to return to tortoisegit (again, I'm speaking about git https, because git ssh works as already said)

This is my c:\users\mydomainuser\.gitconfig now

[user]
    name = Giulio
    email = giuliohome@xxxx.com
[http]
    sslVerify = true
    sslbackend = openssl
    sslcainfo = C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
[credential "https://github.com"]
    helper = manager
    username = giuliohome

after replacing sslbackend=schannel with openssl I get unable to get local issuer certificate

Finally, let me add that McAfee Endpoint Security is active on this machine and also the Blue Coat Unified Agent.

Alright. Can you please share your github config using `git config -l --show-origin` — CodeTalker, Apr 09 '20 at 08:33
Are you using Git Client of windows or some other git client. Like you mentioned you are using tortoisegit ? — CodeTalker, Apr 09 '20 at 08:41

CodeTalker · Answer 1 · 2020-04-09T09:15:01.520

1

The problem here is you are using your git client is using global git config stored in your home directory (C:/Users/mydomainuser/.gitconfig), this git config does not have ssl-backend and ssl-cainfo values set. You need to add these two lines in C:/Users/mydomainuser/.gitconfig

http.sslbackend=openssl
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt

edited Apr 09 '20 at 09:15

answered Apr 09 '20 at 08:46

CodeTalker

1,201
11
21

Remove `http.sslbackend=schannel`, you need to keep only one ssl-backend, either openssl or schannel. – CodeTalker Apr 09 '20 at 08:54
I get certificate problem: unable to get local issuer certificate – Giulio Apr 09 '20 at 08:57
Remove ```http.sslbackend=openssl http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt``` these two lines and add only ```http.sslbackend=schannel```. Check and comment here – CodeTalker Apr 09 '20 at 09:00
In this case " fatal: Authentication failed for 'https://github.com/giuliohome/mypriivaterepo.git' " – Giulio Apr 09 '20 at 09:03
Now add this line also `http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt`. Check and comment here – CodeTalker Apr 09 '20 at 09:04
giving you credit for your effort anyway, even if the issue is not solved. I'm afraid that there is something at operating system level that got corrupted yesterday. I see a strange thing with permissions on some folder and with messages from enterprise antivirus... maybe something in my profile.Hope that you or someone can still give the right final suggestion to solve this. Even if I can already keep working with ssh – Giulio Apr 09 '20 at 09:17
Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/211273/discussion-between-codetalker-and-giulio). – CodeTalker Apr 09 '20 at 09:20

Giulio · Accepted Answer · 2020-04-11T09:02:41.153

I suspect that the https connection is actually blocked, based on the IP address of the machine, by some security mechanism.

I've derived this because if I change the ip of the machine and I produce a new personal access token, it seems to work for just a single time, one shot, hence I'd guess that it is a security firewall on the network is silently blocking the connection. They also told me that, by looking at McAfee logs, the issue is not there. I've done a test by cloning a bitbucket private repo on the same machine but the authorization fails, so github looks not at fault either...

So finally I'd say it could be Blue Coat Unified Agent as described in this answer.

Yes, this is confirmed, I have momentarily disconnected the Blue Coat Unified Agent and git clone is now working as expected also via https. To definitely fix it they noticed from git verbose the error 401 and maybe entrusted github certificate.

As far as the description of the original problem is concerned, see also the following sentence reported in the steps to reproduce this github issue about the context of "Multiple issues related to SSL Interception (environs with proxy, enterprise MITM, etc)"

Recommend setting up a lab and configuring an Enterprise grade security product such as BlueCoat or similar that does MITM, then using internal certificates for the pass-back.

By the way, this morning I've also noticed that the same Bluecoat Unified Agent is also causing a failure in Visual Studio 2019 latest update to the 16.5.5 version and I've had to deactivate it to complete the update. — Giulio, May 14 '20 at 09:36

Authentication failed on a specific machine via HTTPS with git bash - follow up question

2 Answers2

Linked