Git for Windows with TFS and SSL behind a proxy

If you run your TFS on prem and use git for windows you may run into two issues. The first occurs if you use SSL for your TFS. The second occurs if you are behind a proxy.

Use Git for Windows with a corporate SSL certificate

If you have a corporate SSL certificate and want to clone your repo from the console or VSCode you get the following error:

fatal: unable to access ‘https://myserver/tfs/DefaultCollection/_git/Proj/’: SSL certificate problem: unable to get local issuer certificate

The solution is described in MSDN article. It is outdated that’s why I will explain it here. Export your root Certificate to a file. You can do this from within your browser. Open your TFS, click the lock symbol right to the url, and click view certificate. In the tab “Cerification Path” select the root and click view certificate again.

In the “Details” tab is a button to export the certificate. Use Base-64 encoded X.509 and save it to a file anywhere on your disk.

Locate the “ca-bundle.crt” file in your git folder (current version C:\Program Files\Git\usr\ssl\certs but is has changed in the past). Copy the file to your user profile. Open it with a text editor like VSCode and add the content of your exported certificate to the end of the file.

Now we have to configure git to use the new file:

git config global http.sslCAInfo C:/Users/<yourname>/ca-bundle.crt

This will add the following entry to your .gitconfig file in the root of your user profile.

[http] sslCAInfo = C:/Users/<yourname>/ca-bundle.crt Use Git for Windows behind a proxy

If you are behind a proxy, it is pretty easy and well documented how you configure git to use it. The problem is that after that you cannot access your local TFS server. For that to work you have to add an exception for your local URL.

Open the .gitconfig file in the root of your user profile. Locate the http section. If your TFS uses SSL and you followed step one you should already have an entry with an sslCAInfo item. Add the url of your TFS to the section had and add a new section without the url. Add a proxy item to both items. Leave it blank for the entry that has your TFS url in it.

[http] proxy = "http://httpproxy.contoso.com:2233" [http "https://tfs.contoso.com/tfs/"] proxy = "" sslCAInfo = C:/Users/<yourname>/ca-bundle.crt

That’s it. Now you can work with repos in your company network and in the internet. This is true for all kind of git repos not only TFS.