Feel free to skip past this answer if you want to fix the certificates issue. This answer deals with tunneling ssh through the firewall which is IMHO a better solution to dealing with firewall/proxy thingies.

如果您想解决证书问题，请随意跳过此答案。这个答案涉及通过防火墙的隧道 ssh，恕我直言，这是处理防火墙/代理事物的更好解决方案。

There is a better way than using http access and that is to use the ssh service offered by github on port 443 of the ssh.github.com server.

有一种比使用 http 访问更好的方法，那就是在 ssh.github.com 服务器的端口 443 上使用 github 提供的 ssh 服务。

We use a tool called corkscrew. This is available for both CygWin (through setup from the cygwin homepage) and Linux using your favorite packaging tool. For MacOSX it is available from macports and brew at least.

我们使用一种叫做开瓶器的工具。这适用于 CygWin（通过从 cygwin 主页进行设置）和使用您最喜欢的打包工具的 Linux。对于 MacOSX，它至少可以从 macports 和 brew 获得。

The commandline is as follows :

命令行如下：

$ corkscrew <proxyhost> <proxyport> <targethost> <targetport> <authfile>

The proxyhost and proxyport are the coordinates of the https proxy. The targethost and targetport is the location of the host to tunnel to. The authfile is a textfile with 1 line containing your proxy server username/password separated by a colon

proxyhost 和 proxyport 是 https 代理的坐标。targethost 和 targetport 是要建立隧道的主机的位置。authfile 是一个文本文件，其中 1 行包含您的代理服务器用户名/密码，以冒号分隔

e.g:

例如：

abc:very_secret

Installation for using "normal" ssh protocol for git communication

使用“普通”ssh 协议进行 git 通信的安装

By adding this to the ~/.ssh/configthis trick can be used for normal ssh connections.

通过将此添加到此~/.ssh/config技巧，可以将其用于正常的 ssh 连接。

Host github.com
  HostName ssh.github.com
  Port 443
  User git
  ProxyCommand corkscrew <proxyhost> <proxyport> %h %p ~/.ssh/proxy_auth

now you can test it works by ssh-ing to gitproxy

现在你可以通过 ssh-ing 到 gitproxy 来测试它的工作原理

pti@pti-laptop:~$ ssh github.com
PTY allocation request failed on channel 0
Hi ptillemans! You've successfully authenticated, but GitHub does not provide shell access.
       Connection to github.com closed.
pti@pti-laptop:~$

(Note: if you never logged in to github before, ssh will be asking to add the server key to the known hosts file. If you are paranoid, it is recommended to verify the RSA fingerprint to the one shown on the github site where you uploaded your key).

（注意：如果你之前从未登录过github，ssh会要求将服务器密钥添加到已知的hosts文件中。如果你偏执，建议将RSA指纹验证为你所在的github站点上显示的指纹上传您的密钥）。

A slight variant on this method is the case when you need to access a repository with another key, e.g. to separate your private account from your professional account.

当您需要使用另一个密钥访问存储库时，例如将您的私人帐户与您的专业帐户分开时，此方法的一个轻微变体就是这种情况。

# 
# account dedicated for the ACME private github account 
#
Host acme.github.com
  User git
  HostName ssh.github.com
  Port 443
  ProxyCommand corkscrew <proxyhost> <3128> %h %p ~/.ssh/proxy_auth
  IdentityFile ~/.ssh/id_dsa_acme

enjoy!

请享用！

We've been using this for years now on both Linux, Macs and Windows.

我们多年来一直在 Linux、Mac 和 Windows 上使用它。

If you want you can read more about it in this blog post

如果你愿意，你可以在这篇博文中阅读更多关于它的信息

The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.

问题是您的系统上没有安装任何证书颁发机构证书。并且这些证书不能与 cygwin 的 setup.exe 一起安装。

Update: Install Net/ca-certificates package in cygwin(thanks dirkjot)

更新：在 cygwin 中安装 Net/ca-certificates 包（感谢 dirkjot）

There are two solutions:

有两种解决方案：

1. Actually install root certificates. Curl guys extracted for you certificates from Mozilla.

   cacert.pemfile is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it to individual certificates put them to /usr/ssl/certs (your CApath) and index them.

   Here is how to do it. With cygwin setup.exe install curl and openssl packages execute:

   $ cd /usr/ssl/certs
   $ curl http://curl.haxx.se/ca/cacert.pem |
     awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
   $ c_rehash
   

   Important: In order to use c_rehashyou have to install openssl-perltoo.

2. Ignore SSL certificate verification.

   WARNING: Disabling SSL certificate verification has security implications.Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues andyour threat model before using this as a solution.

   $ env GIT_SSL_NO_VERIFY=true git clone https://github...
   

1. 实际安装根证书。Curl 家伙从 Mozilla 为您提取证书。

   cacert.pem文件就是你要找的。该文件包含 > 250 个 CA 证书（不知道如何信任这个数量的 ppl）。您需要下载此文件，将其拆分为单独的证书，将它们放入 /usr/ssl/certs（您的 CApath）并为其编制索引。

   这是如何做到的。使用 cygwin setup.exe install curl 和 openssl 包执行：

   $ cd /usr/ssl/certs
   $ curl http://curl.haxx.se/ca/cacert.pem |
     awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
   $ c_rehash
   

   重要提示：为了使用c_rehash您也必须安装openssl-perl。

2. 忽略 SSL 证书验证。

   警告：禁用 SSL 证书验证具有安全隐患。如果不验证 SSL/HTTPS 连接的真实性，恶意攻击者可以冒充受信任的端点（例如 GitHub 或其他一些远程 Git 主机），您将容易受到中间人攻击。在将其用作解决方案之前，请确保您完全了解安全问题和您的威胁模型。

   $ env GIT_SSL_NO_VERIFY=true git clone https://github...
   

Note: disabling SSL verification has security implications. It allows Man in the Middle attacks when you use Git to transfer data over a network. Be sure you fully understand the security implications before using this as a solution. Or better yet, install the root certificates.

注意：禁用 SSL 验证有安全隐患。当您使用 Git 通过网络传输数据时，它允许中间人攻击。在将其用作解决方案之前，请确保您完全了解安全隐患。或者更好的是，安装根证书。

One way is to disable the SSL CERT verification:

一种方法是禁用 SSL CERT 验证：

git config --global http.sslVerify false

This will prevent CURL to verity the HTTPS certification.

这将阻止 CURL 验证 HTTPS 认证。

For one repository only:

仅对于一个存储库：

git config http.sslVerify false

I wanted Git to use the updated certificate bundle without replacing the one my entire system uses. Here's how to have Git use a specific file in my home directory:

我希望 Git 使用更新的证书包而不替换我整个系统使用的证书包。以下是如何让 Git 使用我的主目录中的特定文件：

mkdir ~/certs
curl http://curl.haxx.se/ca/cacert.pem -o ~/certs/cacert.pem

Now update .gitconfigto use this for peer verification:

现在更新.gitconfig以使用它进行对等验证：

[http]
sslCAinfo = /home/radium/certs/cacert.pem

Note I'm using an absolute path. Git does no path expansion here, so you can't use ~without an ugly kludge. Alternatively, you can skip the config file and set the path via the environment variable GIT_SSL_CAINFOinstead.

注意我使用的是绝对路径。Git在这里没有路径扩展，所以你不能在没有~丑陋的kludge的情况下使用。或者，您可以跳过配置文件并通过环境变量设置路径GIT_SSL_CAINFO。

To troubleshoot this, set GIT_CURL_VERBOSE=1. The path of the CA file Git is using will be shown on lines starting with "CAfile:" in the output.

要解决此问题，请设置GIT_CURL_VERBOSE=1. Git 正在使用的 CA 文件的路径将显示在输出中以“CAfile:”开头的行上。

Note that for me to get this working (RVM install on CentOS 5.6), I had to run the following:

请注意，为了让我正常工作（在 CentOS 5.6 上安装 RVM），我必须运行以下命令：

export GIT_SSL_NO_VERIFY=true

export GIT_SSL_NO_VERIFY=true

and after that, the standard install procedure for curling the RVM installer into bash worked a treat :)

在那之后，将 RVM 安装程序卷入 bash 的标准安装程序工作得很好:)

A very simple solution: replace https:// with git://

一个非常简单的解决方案：将 https:// 替换为 git://

Use git://the.repository instead of https://the.repositoryand will work.

使用 git://the.repository 而不是https://the.repository并且会起作用。

I've had this problem on Windows with TortoiseGit and this solved it.

我在使用 TortoiseGit 的 Windows 上遇到了这个问题，这解决了它。

As the most popular answer (by Alexey Vishentsev) has it:

正如最受欢迎的答案（由 Alexey Vishentsev 提供）所言：

The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.

问题是您的系统上没有安装任何证书颁发机构证书。并且这些证书不能与 cygwin 的 setup.exe 一起安装。

However, that last assertion is false (now, or always has been, I don't know).

然而，最后一个断言是错误的（现在，或者一直是，我不知道）。

All you have to do is go to cygwin setup and include the package 'ca-certificates' (it is under Net). This did the trick for me.

您所要做的就是转到 cygwin setup 并包含包“ca-certificates”（它位于 Net 下）。这对我有用。

I know the original question lists Cygwin, but here is the solution for CentOS:

我知道最初的问题列出了 Cygwin，但这里是 CentOS 的解决方案：

curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

Source: http://eric.lubow.org/2011/security/fixing-centos-root-certificate-authority-issues/

来源：http: //eric.lubow.org/2011/security/fixing-centos-root-certificate-authority-issues/

To clone on windows while setting SSL verify to false:

在将 SSL 验证设置为 false 的同时在 Windows 上进行克隆：

    git -c http.sslVerify=false clone http://example.com/e.git

If you want to clone withoutborfing your global settings.

如果您想在不修改全局设置的情况下进行克隆。

On CentOS 5.x, a simple yum update opensslupdated the openssl package which updated the system ca-bundle.crtfile and fixed the problem for me.

在 CentOS 5.x 上，一个简单的yum update openssl更新了 openssl 包，它更新了系统ca-bundle.crt文件并为我解决了问题。

The same may be true for other distributions.

对于其他分布可能也是如此。