Month: November 2024

Understanding and Fixing Git SSL Certificate Issues in Corporate Environments

/ Konkretor / Leave a comment

If you’re working in a corporate environment and seeing Git SSL certificate errors, you’re likely dealing with SSL inspection (also known as SSL interception or HTTPS inspection) at your company’s firewall. Let’s understand what’s happening and how to fix it.

The Real Problem

When you see this error:

git/': SSL certificate problem: unable to get local issuer certificate

In a corporate environment, this happens because:

  1. Your company’s firewall is performing SSL inspection
  2. The firewall decrypts and re-encrypts all HTTPS traffic
  3. Git doesn’t trust the certificate used by the firewall for re-encryption

What is SSL Inspection?

In corporate environments, security teams implement SSL inspection to:

  • Monitor all encrypted traffic for security threats
  • Prevent data leaks
  • Detect malware in encrypted connections

This process works by:

  1. Intercepting the HTTPS connection
  2. Decrypting the traffic at the firewall
  3. Inspecting the contents
  4. Re-encrypting with the company’s own certificate
  5. Forwarding to your computer

The Solution

1. Get Your Company’s Root Certificate

First, you need to obtain your company’s root certificate:

  • Ask your IT department for the corporate root certificate
  • They might call it “SSL inspection certificate” or “HTTPS inspection certificate”
  • Sometimes it’s automatically deployed via group policy

2. Install the Certificate

For Windows:

# Add the certificate to the Windows certificate store, only needed if no certificate is distributed from the IT department
certutil -addstore -f "ROOT" company-root-cert.crt

# Configure Git to use Windows certificate store, this step is mandatory
git config --global http.sslbackend schannel

For Linux:

# Copy the certificate
sudo cp company-root-cert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# Configure Git to use the system certificate store
git config --global http.sslcainfo "/etc/ssl/certs/ca-certificates.crt"

3. Verify the Configuration

Test your setup with:

git ls-remote https://github.com/any-repo/any-project.git

Common Pitfalls to Avoid

  1. Don’t Disable SSL Verification
   # DON'T do this - it's unsafe
   git config --global http.sslVerify false
  1. Don’t Use Generic Online Solutions
  • Many online solutions suggest downloading certificates from public sources
  • These won’t work with corporate SSL inspection
  • Always use your company’s certificates

For System Administrators

If you’re managing this for your organization:

  1. Group Policy Distribution
  • Deploy the corporate root certificate via GPO
  • Configure Git settings automatically
  • Document the certificate location
  1. Documentation for Developers
  • Provide clear instructions for certificate installation
  • Include troubleshooting steps
  • List supported Git versions

Security Considerations

Understanding what’s happening:

  • Your traffic is decrypted at the corporate firewall
  • This is normal and secure within corporate networks
  • The company certificate creates a new trusted chain
  • All internal systems need to trust this certificate

Troubleshooting Steps

If you’re still having issues:

  1. Verify Certificate Installation
  • Check if the certificate appears in your system’s trust store
  • Ensure it’s in the correct store (usually “Trusted Root Certification Authorities”)
  1. Test Basic Connectivity
   curl -v https://github.com

Conclusion

SSL certificate issues in corporate environments are usually related to SSL inspection at the firewall level. The solution is not to bypass security but to properly configure Git to trust your company’s certificates.

Remember:

  • Always use your company’s certificates
  • Never disable SSL verification
  • Keep your certificates updated
  • Contact IT if you need the correct certificates

Has this helped you resolve your Git SSL issues in your corporate environment? Share your experience in the comments!

How to Fix pip SSL Certificate Verification Errors in Python

/ Konkretor / Leave a comment

Having trouble installing Python packages with pip? Getting that frustrating SSL certificate verification error? You’re not alone. In this post, I’ll explain what’s causing this common issue and show you how to fix it quickly and securely.

The Problem

When trying to install Python packages using pip, you might encounter this error:

SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] 
certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))

This error occurs when pip cannot verify the SSL certificate of PyPI (Python Package Index) servers. It’s a security feature meant to protect you from potential man-in-the-middle attacks, but it can be frustrating when you’re just trying to install packages.

Understanding the Cause

This issue typically happens because:

  1. Your system’s SSL certificates are not up to date
  2. The SSL certificates are missing entirely
  3. Your system can’t locate the certificate store

The Solution

There are several ways to resolve this issue. I’ll present them in order of recommended approach:

1. Install System Certificates (Recommended)

The most secure and recommended solution is to install the system certificates:

pip install pip-system-certs

This package ensures pip uses your system’s certificate store, which is typically more secure and up-to-date.

2. Configure Trusted Hosts

If the above solution doesn’t work, you can explicitly tell pip to trust PyPI’s hosts:

pip config --global set global.trusted-host "pypi.org files.pythonhosted.org"

Or use it directly in your pip install command:

pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org <package-name>

3. Update Your Certificates

On some systems, you might need to update your certificate store:

  • Windows: Update Windows and Python to the latest version
  • macOS: Run the “Install Certificates.command” in your Python folder
  • Linux: Update ca-certificates package:
  sudo apt-get update
  sudo apt-get install ca-certificates

Best Practices and Security Considerations

While the trusted-host approach works, it’s important to understand that it bypasses SSL verification. This should only be used in controlled environments where you’re certain about the security of your network.

Always prefer using proper SSL certificates when possible, as they provide:

  • Protection against man-in-the-middle attacks
  • Verification of package source authenticity
  • Secure encrypted communication

Alternative Solutions

If you’re working in a corporate environment, you might also:

  1. Configure pip to use your corporate proxy
  2. Set up a local PyPI mirror
  3. Use a custom certificate authority

Conclusion

SSL certificate errors can be frustrating, but they exist for a good reason – your security. The recommended approach is to install system certificates using pip-system-certs. If that doesn’t work, configuring trusted hosts is a quick fix, but remember to consider the security implications.

Remember: Security features like SSL verification are there to protect you and your code. While it might be tempting to disable them, it’s always better to fix the underlying certificate issues properly.

Have you encountered other pip-related issues? Let me know in the comments below!