Unable to clone, fetch, or push on GitHub (with enterprise TLS/SSL Inspection)

[regan-sarwas]

All these actions fail with:

fatal: unable to access 'https://github.com/regan-sarwas/XXX.git/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Details:

I am using GitHubDesktop v1.0.2 on Windows 10 Enterprise (version 1067). My organization (Department of the Interior) is doing TLS inspection (man in the middle attack). The network administrators have configured the system so that the browsers (chrome and IE) trust the enterprise root CA. However for some tools (like python's pip) that use their own bundled certificates, I have a copy of our root CA that I can pass on the command line so that they can work with the TLS proxy. Otherwise I'm quite ignorant on how this works.

Luckily I still have GitHub classic (Chocolate-Covered Yaks (3.3.4.0) 50415df) which works fine doing all the above despite the TLS inspection. I'd love to use the new app, but I lack the knowledge to get around this problem.

BTW, The app is able to list my github repos and update itself from 1.0.1 to 1.02, which presumably happens over https.
BTW2, GitHub Desktop 1.0.2 works fine on my Mac (v10.12.6). Our enterprise root CA is in my keychain.

[shiftkey]

@regan-sarwas GitHub Desktop on Windows now defaults to using the Secure Channel APIs that are part of Windows (previously it would use OpenSSL by default) so in theory it should respect whatever certificates you have installed on your machine.

Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

I've had a few reports of this specific error, but it's not been made clear to me how we might be misusing the SChannel APIs, so the best advice I have for you is how to switch over to using the classic OpenSSL APIs alongside your own certificate bundle.

Open a shell to your repository and run these command:

$ git config --local http.sslBackend "openssl"
$ git config --local http.sslCAInfo [path to .pem file]

Then test it out with a git fetch to ensure it is able to connect to your server.

[rsarwas]

Thanks @shiftkey. I won't be able to test until I'm back at work on Monday.

[regan-sarwas]

Problem solved. Thanks @shiftkey.

Since the git shell is no longer part of desktop, I wasn't sure if the choice of command line git would make any difference. I ended up installing Git for Windows. Luckily, Git for Windows and GitHub Desktop share the same global config file, so I was able to do

$ git config --global http.sslBackend "openssl"
$ git config --global http.sslCAInfo [path to .pem file]

Now I do not have to set this for all my repos, and cloning a new repo works.

I'm still curious to figure out what is wrong with my system cert store or maybe Secure Channel. If I can figure anything out on that front I'll report back.

[shiftkey]

@regan-sarwas yep, installing it globally is fine once you've confirmed it addresses the issue.

Please do report back if you find out more about the original setup with SChannel and the system certificate store.

[saiprasad2595]

For me the problem was in environmental variables and .npmrc file.I had the proxy settings of
HTTP_PROXY= http://example.com
HTTPS_PROXY= http://example.com

Deleted both the keys and re-opened command prompt. Issue resolved.

[flyq]

I fixed this by stop my proxy app