I'm stuck behind a firewall, so I have to use HTTPS to access my GitHub repository. I'm using Cygwin 1.7.7 on Windows XP.
I've tried setting the remote to https://username@github.com/username/ExcelANT.git, but pushing prompts for a password, but it doesn't do anything once I've entered it.
https://username:<password>github.com/username/ExcelANT.git and cloning the empty repository from scratch, but each time it gives me the same error:
error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs
Turning on GIT_CURL_VERBOSE=1 gives me
* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239...
* successfully set certificate verify locations:
* CAfile: none CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Expire cleared
* Closing connection #0
* About to connect() to github.com port 443 (#0)
* Trying 207.97.227.239...
* successfully set certificate verify locations:
* CAfile: none CApath: /usr/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Expire cleared
* Closing connection #0
error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs
fatal: HTTP request failed
Is this a problem with my firewall, Cygwin or what?
I hadn't set the HTTP proxy in the Git configuration. However, it's an ISA server that needs NTLM authentication, not basic, so unless anyone knows how to force Git to use NTLM, I'm scuppered.
Feel free to skip past this answer if you want to fix the certificates issue. This answer deals with tunneling SSH through the firewall which is IMHO a better solution to dealing with firewall/proxy thingies.
There is a better way than using HTTP access and that is to use the SSH service offered by GitHub on port 443 of the ssh.github.com server.
We use a tool called Corkscrew. This is available for both Cygwin (through setup from the Cygwin homepage) and Linux using your favorite packaging tool. For Mac OS X it is available from MacPorts and Homebrew (executable brew) at least.
The command line is as follows:
corkscrew <proxyhost> <proxyport> <targethost> <targetport> <authfile>
The proxyhost and proxyport are the coordinates of the HTTPS proxy. The targethost and targetport are the location of the host to tunnel to. The authfile is a text file with one line containing your proxy server username/password separated by a colon.
E.g.:
abc:very_secret
Installation for using "normal" ssh protocol for Git communication.
By adding this to the ~/.ssh/config this trick can be used for normal SSH connections.
Host github.com
    HostName ssh.github.com
    Port 443
    User git
    ProxyCommand corkscrew <proxyhost> <proxyport> %h %p ~/.ssh/proxy_auth
Now you can test it works by ssh-ing to gitproxy:
ssh github.com
Output:
PTY allocation request failed on channel 0
Hi ptillemans! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.
(Note: if you never logged into GitHub before, ssh will be asking to add the server key to the known hosts file. If you are paranoid, it is recommended to verify the RSA fingerprint against the one shown on the GitHub site where you uploaded your key).
A slight variant on this method is the case when you need to access a repository with another key, e.g., to separate your private account from your professional account.
# Account dedicated for the ACME private GitHub account
#
Host acme.github.com
    User git
    HostName ssh.github.com
    Port 443
    ProxyCommand corkscrew <proxyhost> <3128> %h %p ~/.ssh/proxy_auth
    IdentityFile ~/.ssh/id_dsa_acme
Enjoy!
We've been using this for years now on Linux, Macs and Windows.
If you want you can read more about it in this blog post.
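Added example, not part of the original answer: the corkscrew authfile described above holds the proxy password in plain text, so this sketch creates it with owner-only permissions, audits an existing one for format and mode, and prints the matching Host stanza. The function names are hypothetical, and the proxy host, port and alias are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.

# check_proxy_auth FILE -> 0 if FILE is a single "user:password" line that
# only its owner can access; otherwise prints the reason and returns 1.
check_proxy_auth() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "too permissive: $f (chmod 600)" >&2; return 1; }
    # corkscrew expects exactly one line of the form user:password.
    lines=$(grep -c '' "$f")
    [ "$lines" -eq 1 ] || { echo "expected one line, found $lines" >&2; return 1; }
    grep -Eq '^[^:]+:.+$' "$f" || { echo "expected user:password" >&2; return 1; }
    return 0
}

# write_proxy_auth FILE USER -> reads the password from stdin, so it never
# shows up in the process list or shell history, and writes FILE as mode 600.
write_proxy_auth() {
    f=$1; user=$2
    IFS= read -r pass || [ -n "$pass" ] || return 1
    # umask covers a new file; chmod covers a pre-existing, looser one.
    ( umask 077; printf '%s:%s\n' "$user" "$pass" > "$f" ) && chmod 600 "$f"
}

# ssh_host_block ALIAS PROXYHOST PROXYPORT AUTHFILE -> prints a Host stanza
# that tunnels to ssh.github.com port 443 through the proxy.
ssh_host_block() {
    printf 'Host %s\n' "$1"
    printf '    HostName ssh.github.com\n'
    printf '    Port 443\n'
    printf '    User git\n'
    printf '    ProxyCommand corkscrew %s %s %%h %%p %s\n' "$2" "$3" "$4"
}
```

Source the file, run `write_proxy_auth ~/.ssh/proxy_auth <user>` and type the password on stdin, then run `check_proxy_auth ~/.ssh/proxy_auth` before the first connection.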