When fetching with git on Cygwin you get:
Fetching origin
fatal: unable to access 'https://.../...git': SSL certificate problem: self signed certificate in certificate chain
error: Could not fetch origin
The certificate was added to /etc/ssl/certs/ca-bundle.crt and other bundle files, but on the next Cygwin update the problem reappeared.
git-remote-https will read the following files for CA certificates:
If you edit these files, they will be overwritten each time the Cygwin setup is run and there is an update for the ca-certificates package.
The correct/proper solution is to add the certificate to the pick up directory and run the pickup script, update-ca-trust:
The post install script for the ca-certificates package will automatically rerun the update-ca-trust script on every upgrade. For more information:
Simpler instructions:
1. Simply copy the file(s) with your enterprise's trusted certificates (e.g., .crt files) into the directory /etc/pki/ca-trust/source/anchors/.
2. Run update-ca-trust extract. This will generate various files to make everything work.
You can add or remove files in the directory and re-run update-ca-trust extract.
NOTE: If your organization is one of the rare ones who use specialized certificates in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS), there's a slight change in step 1. Basically, copy the certificates to the directory /etc/pki/ca-trust/source/ instead. There's no harm in copying them to the "usual" location, and moving them later if the "usual" directory doesn't work.
For more details, run man update-ca-trust.
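The two steps above, with the NOTE's directory choice made per file, as an added shell example that is not part of the original answers. The function names are hypothetical, and the script assumes PEM text files whose header line is either -----BEGIN CERTIFICATE----- or -----BEGIN TRUSTED CERTIFICATE-----; anything else is skipped rather than guessed at.

```shell
#!/bin/sh
# Added example (not from the original answers): install enterprise CA
# certificates into the update-ca-trust source directories.
# Function names are hypothetical; the directories are the ones named above.

ANCHORS_DIR=/etc/pki/ca-trust/source/anchors   # plain certificates (step 1)
SOURCE_DIR=/etc/pki/ca-trust/source            # extended "BEGIN TRUSTED" files (NOTE)

# Print the directory a certificate file belongs in, judged by its PEM header.
# Returns 1 (and prints nothing) when no recognised header is present.
ca_trust_dest() {
    if grep -q -e '-----BEGIN TRUSTED CERTIFICATE-----' "$1"; then
        printf '%s\n' "$SOURCE_DIR"
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        printf '%s\n' "$ANCHORS_DIR"
    else
        return 1
    fi
}

# Copy every given file to its directory, then regenerate the bundles once.
# Files placed here survive ca-certificates package updates, unlike edits
# made directly to the generated bundle files.
install_ca_certs() {
    for f in "$@"; do
        if dest=$(ca_trust_dest "$f"); then
            cp -- "$f" "$dest/" && echo "installed $f -> $dest/"
        else
            echo "skipped $f: no PEM certificate header found" >&2
        fi
    done
    update-ca-trust extract
}

# Usage: sh this-script.sh corp-root.crt corp-issuing.crt
if [ "$#" -gt 0 ]; then
    install_ca_certs "$@"
fi
```
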