My company uses GitLab, and when I try to push to my remote feature branch using the Git UI in Visual Studio 2022, I get the following error in the Output window:
Git failed with a fatal error.
unable to access '<my gitlab server url>':
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT
I tried the following command that I saw in another solution:
git config --global http."<my gitlab server url>".sslCAInfo C:/path/to/cert.pem
but it gives me the same error. I downloaded the certificate used in the command from the GitLab server for the repo by clicking the padlock icon 🔏 and View Certificate.
This happens each time I push or pull from the UI. The error doesn't occur when I use a separate terminal like Git Bash or PowerShell.
After much gnashing of teeth and searching (and placing a bounty on this question) I was able to determine a workaround myself: Switch the Cryptographic network provider from OpenSSL to Secure Channel.
Under Tools > Options > Source Control > Git Global Settings
I don't know why OpenSSL gave me an error; perhaps there's a better solution that works with OpenSSL. But just using the Windows SSL implementation resolved it for me when connecting to my company's Azure DevOps repository.
It's likely that your company is using a self-signed corporate root certificate for your internal domain names.
On Windows, Git offers 2 implementations to set up a secure HTTPS connection: SChannel (Secure Channel) or OpenSSL.
It looks like your Visual Studio installation is defaulting to the SChannel implementation, in which case additional certificates must be installed into the Windows Certificate Store.
The SChannel implementation ignores the http."<my gitlab server url>".sslCAInfo setting.
It's common for these certificates to be preinstalled on your system using a policy in Windows. By switching to the Secure Channel security library, Git is able to leverage Windows' internal methods for setting up an HTTPS connection, and this method will automatically trust the certificates in the Windows trust store.
In the case of the OpenSSL library, the Windows store is not trusted and the certificate must be saved separately and configured through the http."<my gitlab server url>".sslCAInfo configuration key in your Git config.
It looks like your Git client is configured to use the Windows Certificate Store (the hint is in the word "schannel" in the logs).
To make the certificate trusted, you'll have to add it to the Windows certificate store, either at the system level or in the certificate store of your user.
Alternatively, you can set the SSL implementation explicitly to OpenSSL using your global git config:
http.sslBackend
- Name of the SSL backend to use (e.g. "openssl" or "schannel"). This option is ignored if cURL lacks support for choosing the SSL backend at runtime.
You can also set the Cryptographic Network Provider in the Visual Studio configuration under Tools > Options > Source Control > Git Global Settings
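A check script for the two options described in the answers above (add the root to the Windows certificate store for schannel, or point http.<url>.sslCAInfo at it for OpenSSL). This is an added example, not code from the original posters; the server URL, the file path and the -Trust switch are placeholders or assumptions.

```powershell
# Added example (not from the original answers). Defaults below are placeholders.
param(
    [string]$RepoUrl = 'https://gitlab.example.internal/',  # assumption: your server URL
    [string]$PemPath = 'C:/path/to/cert.pem',               # assumption: exported CA file
    [switch]$Trust                                          # apply changes, not just report
)
$ErrorActionPreference = 'Stop'

# 1. Which TLS backend is in effect, and which config file sets it?
#    Use the same git.exe as the failing client; an IDE may bundle its own copy.
$origin = git config --show-origin --get http.sslBackend
$backend = if ($origin) { ($origin -split "`t")[-1] } else { '' }
Write-Host "http.sslBackend: $(if ($origin) { $origin } else { '(unset, build default)' })"

# 2. Inspect the file before trusting it. A certificate saved from the browser
#    padlock is often the server (leaf) certificate, not the corporate root.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PemPath)
$isRoot = $cert.Subject -eq $cert.Issuer
'Subject', 'Issuer', 'Thumbprint', 'NotAfter' |
    ForEach-Object { Write-Host ('{0,-11}{1}' -f "${_}:", $cert.$_) }
if (-not $isRoot) { Write-Warning 'Subject differs from Issuer: not a root CA certificate.' }

# 3. schannel consults the Windows root stores; check both for this thumbprint.
$found = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root' | Where-Object {
    Get-ChildItem -Path $_ | Where-Object Thumbprint -eq $cert.Thumbprint
}
Write-Host "Trusted by Windows in: $(if ($found) { $found -join ', ' } else { 'none' })"

if (-not $Trust) { return }
if (-not $isRoot) { throw 'Refusing to add a non-root certificate as a trust anchor.' }

if ($backend -eq 'openssl') {
    # 4a. OpenSSL reads its CA bundle from http.<url>.sslCAInfo.
    git config --global "http.${RepoUrl}.sslCAInfo" $PemPath
} elseif ($backend -eq 'schannel' -and -not $found) {
    # 4b. schannel: add to the current user's root store (Windows asks to confirm).
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'CurrentUser')
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
}
```

Run it without -Trust first and confirm the printed thumbprint with whoever operates the corporate CA before adding a trust anchor.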