31

Since the update to OS X 10.9.2 I am not able to clone any git repository from github.com.

If I run the git clone command I get the following error:

```
git clone https://github.com/davedelong/DDMathParser.git
Cloning into 'DDMathParser'...
fatal: unable to access 'https://github.com/davedelong/DDMathParser.git/': SSL certificate problem: Invalid certificate chain
```

It does not matter which repository I use. I also tried it with the Github desktop client.

So I checked the SSL certificate from github.com via Safari and got the info that the SSL cert is not valid.

Here is a screenshot of my problem: https://dl.dropboxusercontent.com/u/215017/github_problem.png

Any ideas? Is my SSL certificate broken?

patrickS
  • Same for me. And also from the console: SSL certificate problem: Invalid certificate chain. Also since I upgraded to OSX 10.9.2 this morning – frandevel Feb 26 '14 at 16:00

6 Answers

42

I recently (Jul 2014) had a similar issue and found on OS X (10.9.4) that a "DigiCert High Assurance EV Root CA" certificate had expired (although I had another unexpired one as well).

  1. Open Keychain Access
  2. Search Certificates for "DigiCert"
  3. View menu > Show Expired Certificates

I found two certificates named "DigiCert High Assurance EV Root CA", one expiring Nov 2031 and the expired one at July 2014 (a few days previously). Deleting the expired certificate resolved the issue for me.

Hope this helps.

craigb
13

I fixed my problem by checking my Keychain (Application -> Utilities -> Keychain Access.app).

I figured out that I had my own Digicert certificate in my login Keychain. It looks like this was broken. I have removed it and after this everything works fine.

Now https://github.com has a green "button" in the URL bar instead of a grey one.

patrickS
  • Same here. For some reason had a Digicert CA root in my "login" items in Keychain. Removing it fixed the issue but I'm not sure what side effect it has elsewhere or why a CA was in my login items. – ekeyser Feb 27 '14 at 17:31
  • I am slightly disturbed that these apparently incorrect certificates made it to the keychain... – zneak Mar 31 '14 at 18:00
  • Me too... no idea how it got there. In my case I had two certs, one was CA... – Nicolas Miari Apr 09 '14 at 12:50
  • Same problem, same fix. I'd also love to know where it came from. – Ryan Ore Apr 21 '14 at 17:26
  • Has anyone found an explanation for this bizarre phenomenon? – Joe Carroll Jun 09 '14 at 17:34
  • I just applied this fix on a friend's system. On my working system, the "Login" section has no certificates, but his had a bunch. I just deleted them all. – event_jr Jul 14 '14 at 14:30
  • @patrickS Well, I removed the certificate, still getting same error. Can you guide please? My Question is given here: http://stackoverflow.com/questions/24906858/unable-to-access-github-on-browser-neither-able-to-cone-it-due-to-ssl-certificat – Volatil3 Jul 23 '14 at 20:12
  • Just to make sure folks find this link: [DigiCert: Fix for an Expired Intermediate SSL Certificate Chain](https://blog.digicert.com/expired-intermediate-certificate/). Not to state the obvious, but I think it's important to point out that folks should be deleting the "expired" version of the `DigiCert High Assurance EV Root CA` certificate. – mhulse Jul 28 '14 at 22:05
6

Go to the Keychain in OS X and look for "Digicert High Assurance EV Root CA-1" and remove it. Then access GitHub again via Safari.

Try whatever git operation after that and it should work.

Hope it helps.

frandevel
  • 168
  • 3
  • 9
    Deleting did not help me on OSX Mavericks. What ended up working, for me, was (inspired by [this tweet](https://twitter.com/digicert/status/438733364896346112)) visiting [DigiCert Trusted Root Authority Certificates](https://www.digicert.com/digicert-root-certificates.htm); I downloaded `DigiCert High Assurance EV Root CA` and then dragged/dropped into my Keychain "Certificates" window view. Just thought I'd mention in case others are in same boat … I think deleting the cert caused me some headache. – mhulse Jul 26 '14 at 20:41
  • 1
    @mhulse thanks man. You should add it as answer to this question. – msk Jul 28 '14 at 05:23
  • Thanks for kick in pants @frandevel! Oddly enough, I just had this problem happen to me on my work computer!!! Based on tips from this [Homebrew GitHub issue](https://github.com/Homebrew/homebrew/issues/28844), I think I found an [easy solution](http://superuser.com/a/789331/201992). Much appreciated. :) – mhulse Jul 28 '14 at 21:56
  • Looks like your answer should maybe specify that one should delete the "expired" version of the certificate. I think that's where I had problems (I accidentally deleted the non-expired cert). Thanks again for sharing an answer! – mhulse Jul 28 '14 at 22:02
4

EDIT: Looks like @craigb's answer is the same solution. I'll leave my answer here because it links to official blog posting on how to fix and has a screen shot.


Using GitHub for Mac on OS X Mavericks, out of the blue, on my laptop and my work computer, I started getting the below errors …

Here's the error I got for cloning:

```
warning: templates not found /Applications/GitHub.app/Contents/Resources/git/templates
fatal: unable to access 'https://github.com/mhulse/xxxxxx.git/': SSL certificate problem: Invalid certificate chain (128)
```

… and here's the error I get for syncing:

```
fatal: unable to access 'https://github.com/mhulse/xxxxxx.git/': SSL certificate problem: Invalid certificate chain (128)
```

Long story short, I just found this post which has this explanation and fix:

> The expired certificate in question is the “DigiCert High Assurance EV Root CA” [Expiration July 26, 2014] certificate. This temporary intermediate certificate was used in years past as part of a compatibility chain for older devices.
>
> ...
>
> OS X users can resolve the issue by deleting the certificate from their Login keystore using Keychain Access.

Here's a 4-step fix:

> In Keychain Access go to View -> Show Expired Certs and search for ‘DigiCert High’ to find the DigiCert High Assurance EV Root CA that expired on July 26, 2014. Delete this certificate and close Keychain Access.

fix keychain access

That fixed the problem for me!

mhulse
0

Thought I should mention this: I recently had to update curl, wget and openssl for some Linux boxes, in order to use the TLS-1.2 crypto stuff (old default was TLS 1.0). Fired up the Macbook, & I got error with "git clone" also. But SSL/TLS is OK there. Git said: "fatal: unable to access '': SSL certificate problem: Invalid certificate chain". Tried everything above, deleted expired certs from system keychain, etc., but still error msg from git clone attempts. Went thru a real exercise checking everything. Finally I noticed in the MacOS keychain.app prgm, that a 2015 certificate and a 2017 cert were both showing as not expired.

Turns out the Macbook system date was set to "Feb. 2015" (current date is Feb. 20, 2020!). Once I just reset the laptop's date, "git clone" and "git pull" worked fine. (Just click on date, on top right screen, select: "Open Date/Time Preference", and set your machine date to update automatically by checking the box.) I had a self-signed cert that had expired in 2017 or something, and I think I might have set the date back, to get something from Apple, related to their Developer Account stuff. This is such a silly mistake. Always make sure the landing gear is down, before landing.
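
An added example, not part of any post on this page: a Python check for the two situations the answers describe, an expired certificate sitting beside a valid one with the same name, and a wrong system clock making an expired certificate look valid. The input is constructed sample text in the layout printed by `openssl x509 -noout -subject -dates`; the notBefore values, the times of day and the `old-selfsigned.example` name are assumptions made for the example.

```python
import re
import ssl
from calendar import timegm

# Constructed sample. CNs and expiry years follow the answers above; notBefore
# values, times of day and "old-selfsigned.example" are made up.
SAMPLE = """\
subject=C = US, O = DigiCert Inc, CN = DigiCert High Assurance EV Root CA
notBefore=Nov 10 00:00:00 2006 GMT
notAfter=Nov 10 00:00:00 2031 GMT
subject=C = US, O = DigiCert Inc, CN = DigiCert High Assurance EV Root CA
notBefore=Jan 13 00:00:00 2010 GMT
notAfter=Jul 26 00:00:00 2014 GMT
subject=CN = old-selfsigned.example
notBefore=Jun 10 00:00:00 2014 GMT
notAfter=Jun 10 00:00:00 2017 GMT
"""

def parse_certs(text):
    """Return [(common_name, not_before, not_after)] with times as epoch seconds."""
    certs, cur = [], {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "subject":
            m = re.search(r"\bCN\s*=\s*([^,/]+)", value)
            cur = {"cn": m.group(1).strip() if m else value.strip()}
        elif key in ("notBefore", "notAfter"):
            cur[key] = ssl.cert_time_to_seconds(value.strip())
        if len(cur) == 3:  # subject plus both dates seen: record is complete
            certs.append((cur["cn"], cur["notBefore"], cur["notAfter"]))
            cur = {}
    return certs

def states_at(certs, now):
    """Map each CN to the validity state of every copy, judged at epoch `now`."""
    out = {}
    for cn, nb, na in certs:
        state = "not-yet-valid" if now < nb else "expired" if now > na else "valid"
        out.setdefault(cn, []).append(state)
    return out

def stale_duplicates(states):
    """CNs that have both a valid and an expired copy (the expired copy is the stale one)."""
    return [cn for cn, s in states.items() if "valid" in s and "expired" in s]

if __name__ == "__main__":
    certs = parse_certs(SAMPLE)
    for label, ymd in (("clock correct, Feb 20 2020", (2020, 2, 20)), ("clock set to Feb 2015", (2015, 2, 1))):
        states = states_at(certs, timegm(ymd + (0, 0, 0)))
        print(label, states, "stale duplicates:", stale_duplicates(states))
```

With the correct clock the self-signed certificate is reported as expired; with the clock set back to Feb 2015 the same certificate is reported as valid, which matches what the answer above saw in Keychain Access.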

-2

In my case, adding or removing intermediate certs is not enough to solve the problem. I had to remove all certificates by unknown authority in the Login Keychains. It isn't shown by the icon, you have to highlight each one to see something like this:

this picture

These certs were added when you click "Continue" to a browser warning. Hope this additional info helps.

8bittree
Dida