Cannot authenticate to GitHub with the git CLI

I’m having trouble fetching repositories via HTTPS with the git CLI (version: git version 2.29.0.windows.1). However, I can work with these very same repositories leveraging SSH, so it’s not a permissions issue.

My account is part of an enterprise organization that requires 2FA.
Thus, I’ve already created a PAT and enabled 2FA.

The token is working as expected, and I can use it without a problem
with the GitHub CLI, cURL, etc.

So, given the following setup:

$ git init
$ git remote add origin https://github.com/<owner>/<repo> # Redacted owner & repo
$ git config --local http.sslVerify false # Our corporate proxy messes with certificates
$ git config --local http.https://github.com/.extraHeader 'Authorization: Basic <base64-encoded-creds>' # Redacted base64 encoded '<username>:PAT' string
$ git config --local credential.interactive false # Disable GCM (see reason at the end)

There is also a ‘git-ask-pass’ executable (chmod +x) script that provides the username and PAT as required in the directory.

Then when executing:

GIT_ASKPASS="./git-ask-pass" git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin '+refs/heads/pipeline*:refs/remotes/origin/pipeline*' '+refs/tags/pipeline*:refs/tags/pipeline*'

I get the following:

11:55:31.305156 exec-cmd.c:237          trace: resolved executable dir: C:/Development/tools/Git/mingw64/bin
11:55:31.309145 git.c:444               trace: built-in: git fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin '+refs/heads/pipeline*:refs/remotes/origin/pipeline*' '+refs/tags/pipeline*:refs/tags/pipeline*'
11:55:31.310142 run-command.c:663       trace: run_command: GIT_DIR=.git git remote-https origin https://github.com/<owner>/<repo>
11:55:31.398906 exec-cmd.c:237          trace: resolved executable dir: C:/Development/tools/Git/mingw64/libexec/git-core
11:55:31.401898 git.c:729               trace: exec: git-remote-https origin https://github.com/<owner>/<repo>
11:55:31.401898 run-command.c:663       trace: run_command: git-remote-https origin https://github.com/<owner>/<repo>
11:55:31.511636 exec-cmd.c:237          trace: resolved executable dir: C:/Development/tools/Git/mingw64/libexec/git-core
11:55:31.558477 http.c:774              == Info: Couldn't find host github.com in the .netrc file; using defaults
11:55:31.559474 http.c:774              == Info:   Trying <corporate-proxy>:8080...
11:55:31.582413 http.c:774              == Info: Connected to <corporate-proxy> (<corporate-proxy>) port 8080 (#0)
11:55:31.582413 http.c:774              == Info: allocate connect buffer!
11:55:31.582413 http.c:774              == Info: Establish HTTP proxy tunnel to github.com:443
11:55:31.582413 http.c:721              => Send header, 0000000121 bytes (0x00000079)
11:55:31.583410 http.c:733              => Send header: CONNECT github.com:443 HTTP/1.1
11:55:31.583410 http.c:733              => Send header: Host: github.com:443
11:55:31.583410 http.c:733              => Send header: User-Agent: git/2.29.0.windows.1
11:55:31.583410 http.c:733              => Send header: Proxy-Connection: Keep-Alive
11:55:31.583410 http.c:733              => Send header:
11:55:31.596375 http.c:721              <= Recv header, 0000000044 bytes (0x0000002c)
11:55:31.596375 http.c:733              <= Recv header: HTTP/1.1 407 Proxy Authentication Required
11:55:31.596375 http.c:721              <= Recv header, 0000000031 bytes (0x0000001f)
11:55:31.596375 http.c:733              <= Recv header: Proxy-Authenticate: NEGOTIATE
11:55:31.597373 http.c:721              <= Recv header, 0000000026 bytes (0x0000001a)
11:55:31.597373 http.c:733              <= Recv header: Proxy-Authenticate: NTLM
11:55:31.600366 http.c:721              <= Recv header, 0000000042 bytes (0x0000002a)
11:55:31.600366 http.c:733              <= Recv header: Proxy-Authenticate: BASIC realm="SGT_DA"
11:55:31.600366 http.c:721              <= Recv header, 0000000025 bytes (0x00000019)
11:55:31.600366 http.c:733              <= Recv header: Cache-Control: no-cache
11:55:31.600366 http.c:721              <= Recv header, 0000000018 bytes (0x00000012)
11:55:31.600366 http.c:733              <= Recv header: Pragma: no-cache
11:55:31.600366 http.c:721              <= Recv header, 0000000040 bytes (0x00000028)
11:55:31.600366 http.c:733              <= Recv header: Content-Type: text/html; charset=utf-8
11:55:31.600366 http.c:721              <= Recv header, 0000000025 bytes (0x00000019)
11:55:31.600366 http.c:733              <= Recv header: Proxy-Connection: close
11:55:31.600366 http.c:721              <= Recv header, 0000000019 bytes (0x00000013)
11:55:31.600366 http.c:733              <= Recv header: Connection: close
11:55:31.600366 http.c:721              <= Recv header, 0000000022 bytes (0x00000016)
11:55:31.600366 http.c:733              <= Recv header: Content-Length: 3567
11:55:31.600366 http.c:721              <= Recv header, 0000000002 bytes (0x00000002)
11:55:31.600366 http.c:733              <= Recv header:
11:55:31.600366 http.c:774              == Info: Ignore 3567 bytes of response-body
11:55:31.608374 http.c:774              == Info: Connect me again please
11:55:31.608374 http.c:774              == Info: CONNECT phase completed!
11:55:31.608374 http.c:774              == Info: Empty reply from server
11:55:31.608374 http.c:774              == Info: Connection #0 to host <corporate-proxy> left intact
11:55:31.608374 http.c:774              == Info: Couldn't find host github.com in the .netrc file; using defaults
11:55:31.608374 http.c:774              == Info: Found bundle for host github.com: 0x4291890 [serially]
11:55:31.608374 http.c:774              == Info: Server doesn't support multiplex (yet)
11:55:31.608374 http.c:774              == Info: Connection #0 isn't open enough, can't reuse
11:55:31.608374 http.c:774              == Info: Hostname <corporate-proxy> was found in DNS cache
11:55:31.608374 http.c:774              == Info:   Trying <corporate-proxy>:8080...
11:55:31.628290 http.c:774              == Info: Connected to <corporate-proxy> (<corporate-proxy>) port 8080 (#1)
11:55:31.628290 http.c:774              == Info: allocate connect buffer!
11:55:31.628290 http.c:774              == Info: Establish HTTP proxy tunnel to github.com:443
11:55:31.628290 http.c:774              == Info: Proxy auth using Negotiate with user 'n222244'
11:55:31.628290 http.c:721              => Send header, 0000000210 bytes (0x000000d2)
11:55:31.628290 http.c:733              => Send header: CONNECT github.com:443 HTTP/1.1
11:55:31.628290 http.c:733              => Send header: Host: github.com:443
11:55:31.628290 http.c:733              => Send header: Proxy-Authorization: Negotiate <redacted>
11:55:31.628290 http.c:733              => Send header: User-Agent: git/2.29.0.windows.1
11:55:31.628290 http.c:733              => Send header: Proxy-Connection: Keep-Alive
11:55:31.628290 http.c:733              => Send header:
11:55:31.638263 http.c:721              <= Recv header, 0000000044 bytes (0x0000002c)
11:55:31.638263 http.c:733              <= Recv header: HTTP/1.1 407 Proxy Authentication Required
11:55:31.639261 http.c:721              <= Recv header, 0000000292 bytes (0x00000124)
11:55:31.639261 http.c:733              <= Recv header: Proxy-Authenticate: NEGOTIATE [REDACTED]
11:55:31.639261 http.c:721              <= Recv header, 0000000025 bytes (0x00000019)
11:55:31.640258 http.c:733              <= Recv header: Cache-Control: no-cache
11:55:31.640258 http.c:721              <= Recv header, 0000000018 bytes (0x00000012)
11:55:31.640258 http.c:733              <= Recv header: Pragma: no-cache
11:55:31.640258 http.c:721              <= Recv header, 0000000040 bytes (0x00000028)
11:55:31.640258 http.c:733              <= Recv header: Content-Type: text/html; charset=utf-8
11:55:31.640258 http.c:721              <= Recv header, 0000000030 bytes (0x0000001e)
11:55:31.640258 http.c:733              <= Recv header: Proxy-Connection: Keep-Alive
11:55:31.640258 http.c:721              <= Recv header, 0000000024 bytes (0x00000018)
11:55:31.640258 http.c:733              <= Recv header: Connection: Keep-Alive
11:55:31.640258 http.c:721              <= Recv header, 0000000022 bytes (0x00000016)
11:55:31.640258 http.c:733              <= Recv header: Content-Length: 3584
11:55:31.640258 http.c:721              <= Recv header, 0000000002 bytes (0x00000002)
11:55:31.640258 http.c:733              <= Recv header:
11:55:31.640258 http.c:774              == Info: Ignore 3584 bytes of response-body
11:55:31.643250 http.c:774              == Info: Establish HTTP proxy tunnel to github.com:443
11:55:31.643250 http.c:774              == Info: Proxy auth using Negotiate with user 'n222244'
11:55:31.643250 http.c:721              => Send header, 0000000778 bytes (0x0000030a)
11:55:31.643250 http.c:733              => Send header: CONNECT github.com:443 HTTP/1.1
11:55:31.643250 http.c:733              => Send header: Host: github.com:443
11:55:31.643250 http.c:733              => Send header: Proxy-Authorization: Negotiate <redacted>
11:55:31.643250 http.c:733              => Send header: User-Agent: git/2.29.0.windows.1
11:55:31.643250 http.c:733              => Send header: Proxy-Connection: Keep-Alive
11:55:31.643250 http.c:733              => Send header:
11:55:31.657212 http.c:721              <= Recv header, 0000000037 bytes (0x00000025)
11:55:31.657212 http.c:733              <= Recv header: HTTP/1.1 200 Connection established
11:55:31.657212 http.c:721              <= Recv header, 0000000002 bytes (0x00000002)
11:55:31.657212 http.c:733              <= Recv header:
11:55:31.657212 http.c:774              == Info: Proxy replied 200 to CONNECT request
11:55:31.657212 http.c:774              == Info: CONNECT phase completed!
11:55:31.658210 http.c:774              == Info: ALPN, offering h2
11:55:31.658210 http.c:774              == Info: ALPN, offering http/1.1
11:55:31.670178 http.c:774              == Info: successfully set certificate verify locations:
11:55:31.670178 http.c:774              == Info:  CAfile: C:/Development/tools/Git/mingw64/ssl/certs/ca-bundle.crt
11:55:31.670178 http.c:774              == Info:  CApath: none
11:55:31.670178 http.c:774              == Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
11:55:31.670178 http.c:774              == Info: CONNECT phase completed!
11:55:31.670178 http.c:774              == Info: CONNECT phase completed!
11:55:31.757134 http.c:774              == Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
11:55:31.765979 http.c:774              == Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
11:55:31.765979 http.c:774              == Info: TLSv1.2 (IN), TLS handshake, Server key exchange (12):
11:55:31.767000 http.c:774              == Info: TLSv1.2 (IN), TLS handshake, Server finished (14):
11:55:31.767000 http.c:774              == Info: TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
11:55:31.767000 http.c:774              == Info: TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
11:55:31.767000 http.c:774              == Info: TLSv1.2 (OUT), TLS handshake, Finished (20):
11:55:31.777946 http.c:774              == Info: TLSv1.2 (IN), TLS handshake, Finished (20):
11:55:31.777946 http.c:774              == Info: SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
11:55:31.777946 http.c:774              == Info: ALPN, server did not agree to a protocol
11:55:31.777946 http.c:774              == Info: Server certificate:
11:55:31.777946 http.c:774              == Info:  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
11:55:31.777946 http.c:774              == Info:  start date: Mar 25 00:00:00 2021 GMT
11:55:31.777946 http.c:774              == Info:  expire date: Mar 30 23:59:59 2022 GMT
11:55:31.777946 http.c:774              == Info:  issuer: <corporate-proxy-details>
11:55:31.777946 http.c:774              == Info:  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
11:55:31.777946 http.c:721              => Send header, 0000000450 bytes (0x000001c2)
11:55:31.777946 http.c:733              => Send header: GET /<owner>/<repo>/info/refs?service=git-upload-pack HTTP/1.1
11:55:31.777946 http.c:733              => Send header: Host: github.com
11:55:31.777946 http.c:733              => Send header: User-Agent: git/2.29.0.windows.1
11:55:31.777946 http.c:733              => Send header: Accept: */*
11:55:31.777946 http.c:733              => Send header: Accept-Encoding: deflate, gzip, br, zstd
11:55:31.777946 http.c:733              => Send header: Authorization: Basic <redacted>
11:55:31.777946 http.c:733              => Send header: Pragma: no-cache
11:55:31.777946 http.c:733              => Send header: Git-Protocol: version=2
11:55:31.777946 http.c:733              => Send header:
11:55:31.980914 http.c:774              == Info: Mark bundle as not supporting multiuse
11:55:31.980914 http.c:721              <= Recv header, 0000000037 bytes (0x00000025)
11:55:31.980914 http.c:733              <= Recv header: HTTP/1.1 401 Authorization Required
11:55:31.980914 http.c:721              <= Recv header, 0000000026 bytes (0x0000001a)
11:55:31.980914 http.c:733              <= Recv header: Server: GitHub Babel 2.0
11:55:31.980914 http.c:721              <= Recv header, 0000000026 bytes (0x0000001a)
11:55:31.980914 http.c:733              <= Recv header: Content-Type: text/plain
11:55:31.980914 http.c:721              <= Recv header, 0000000054 bytes (0x00000036)
11:55:31.980914 http.c:733              <= Recv header: Content-Security-Policy: default-src 'none'; sandbox
11:55:31.980914 http.c:721              <= Recv header, 0000000020 bytes (0x00000014)
11:55:31.980914 http.c:733              <= Recv header: Content-Length: 21
11:55:31.980914 http.c:721              <= Recv header, 0000000040 bytes (0x00000028)
11:55:31.980914 http.c:733              <= Recv header: www-authenticate: Basic realm="GitHub"
11:55:31.980914 http.c:721              <= Recv header, 0000000023 bytes (0x00000017)
11:55:31.980914 http.c:733              <= Recv header: X-Frame-Options: DENY
11:55:31.980914 http.c:721              <= Recv header, 0000000057 bytes (0x00000039)
11:55:31.980914 http.c:733              <= Recv header: X-GitHub-Request-Id: 7201:2D75:35F1846:3809A38:607D5393
11:55:31.980914 http.c:721              <= Recv header, 0000000033 bytes (0x00000021)
11:55:31.980914 http.c:733              <= Recv header: Cache-Control: proxy-revalidate
11:55:31.980914 http.c:721              <= Recv header, 0000000030 bytes (0x0000001e)
11:55:31.980914 http.c:733              <= Recv header: Proxy-Connection: Keep-Alive
11:55:31.980914 http.c:721              <= Recv header, 0000000024 bytes (0x00000018)
11:55:31.980914 http.c:733              <= Recv header: Connection: Keep-Alive
11:55:31.981606 http.c:721              <= Recv header, 0000000048 bytes (0x00000030)
11:55:31.981606 http.c:733              <= Recv header: Set-Cookie: BCSI-CS-3bfebe184ea8e02c=1; Path=/
11:55:31.981606 http.c:721              <= Recv header, 0000000045 bytes (0x0000002d)
11:55:31.981606 http.c:733              <= Recv header: Proxy-support: Session-based-authentication
11:55:31.981606 http.c:721              <= Recv header, 0000000037 bytes (0x00000025)
11:55:31.981606 http.c:733              <= Recv header: Date: Mon, 19 Apr 2021 09:55:31 GMT
11:55:31.981606 http.c:721              <= Recv header, 0000000002 bytes (0x00000002)
11:55:31.981606 http.c:733              <= Recv header:
11:55:31.981606 http.c:774              == Info: Connection #1 to host <corporate-proxy> left intact
11:55:31.981606 run-command.c:663       trace: run_command: 'git credential-manager-core get'
11:55:32.204036 exec-cmd.c:237          trace: resolved executable dir: C:/Development/tools/Git/mingw64/libexec/git-core
11:55:32.206999 git.c:729               trace: exec: git-credential-manager-core get
11:55:32.206999 run-command.c:663       trace: run_command: git-credential-manager-core get
fatal: Cannot prompt because user interactivity has been disabled.
11:55:40.567901 run-command.c:663       trace: run_command: ./git-ask-pass 'Username for '\''https://github.com'\'': '
11:55:40.846129 run-command.c:663       trace: run_command: ./git-ask-pass 'Password for '\''https://<username>@github.com'\'': '
11:55:41.141684 http.c:774              == Info: Found bundle for host github.com: 0x4291890 [serially]
11:55:41.141684 http.c:774              == Info: Can not multiplex, even if we wanted to!
11:55:41.141684 http.c:774              == Info: Connection #0 isn't open enough, can't reuse
11:55:41.141684 http.c:774              == Info: Re-using existing connection! (#1) with proxy <corporate-proxy>
11:55:41.141684 http.c:774              == Info: Connected to <corporate-proxy> (<corporate-proxy>) port 8080 (#1)
11:55:41.141684 http.c:721              => Send header, 0000000450 bytes (0x000001c2)
11:55:41.141684 http.c:733              => Send header: GET /<owner>/<repo>/info/refs?service=git-upload-pack HTTP/1.1
11:55:41.141684 http.c:733              => Send header: Host: github.com
11:55:41.141684 http.c:733              => Send header: User-Agent: git/2.29.0.windows.1
11:55:41.141684 http.c:733              => Send header: Accept: */*
11:55:41.141684 http.c:733              => Send header: Accept-Encoding: deflate, gzip, br, zstd
11:55:41.141684 http.c:733              => Send header: Authorization: Basic <redacted>
11:55:41.141684 http.c:733              => Send header: Authorization: Basic <redacted>
11:55:41.141684 http.c:733              => Send header: Pragma: no-cache
11:55:41.141684 http.c:733              => Send header: Git-Protocol: version=2
11:55:41.141684 http.c:733              => Send header:
11:55:41.292600 http.c:774              == Info: Mark bundle as not supporting multiuse
11:55:41.292600 http.c:721              <= Recv header, 0000000037 bytes (0x00000025)
11:55:41.292600 http.c:733              <= Recv header: HTTP/1.1 401 Authorization Required
11:55:41.292600 http.c:721              <= Recv header, 0000000026 bytes (0x0000001a)
11:55:41.292600 http.c:733              <= Recv header: Server: GitHub Babel 2.0
11:55:41.292600 http.c:721              <= Recv header, 0000000026 bytes (0x0000001a)
11:55:41.292600 http.c:733              <= Recv header: Content-Type: text/plain
11:55:41.292600 http.c:721              <= Recv header, 0000000054 bytes (0x00000036)
11:55:41.292600 http.c:733              <= Recv header: Content-Security-Policy: default-src 'none'; sandbox
11:55:41.292600 http.c:721              <= Recv header, 0000000020 bytes (0x00000014)
11:55:41.292600 http.c:733              <= Recv header: Content-Length: 21
11:55:41.292600 http.c:774              == Info: Authentication problem. Ignoring this.
11:55:41.292600 http.c:721              <= Recv header, 0000000040 bytes (0x00000028)
11:55:41.292600 http.c:733              <= Recv header: www-authenticate: Basic realm="GitHub"
11:55:41.292600 http.c:721              <= Recv header, 0000000023 bytes (0x00000017)
11:55:41.292600 http.c:733              <= Recv header: X-Frame-Options: DENY
11:55:41.292600 http.c:721              <= Recv header, 0000000057 bytes (0x00000039)
11:55:41.292600 http.c:733              <= Recv header: X-GitHub-Request-Id: 7201:2D75:35F23F9:380A645:607D539D
11:55:41.292600 http.c:721              <= Recv header, 0000000033 bytes (0x00000021)
11:55:41.292600 http.c:733              <= Recv header: Cache-Control: proxy-revalidate
11:55:41.292600 http.c:721              <= Recv header, 0000000030 bytes (0x0000001e)
11:55:41.292600 http.c:733              <= Recv header: Proxy-Connection: Keep-Alive
11:55:41.292600 http.c:721              <= Recv header, 0000000024 bytes (0x00000018)
11:55:41.292600 http.c:733              <= Recv header: Connection: Keep-Alive
11:55:41.292600 http.c:721              <= Recv header, 0000000048 bytes (0x00000030)
11:55:41.292600 http.c:733              <= Recv header: Set-Cookie: BCSI-CS-3bfebe184ea8e02c=1; Path=/
11:55:41.292600 http.c:721              <= Recv header, 0000000045 bytes (0x0000002d)
11:55:41.292600 http.c:733              <= Recv header: Proxy-support: Session-based-authentication
11:55:41.292600 http.c:721              <= Recv header, 0000000037 bytes (0x00000025)
11:55:41.292600 http.c:733              <= Recv header: Date: Mon, 19 Apr 2021 09:55:41 GMT
11:55:41.292600 http.c:721              <= Recv header, 0000000002 bytes (0x00000002)
11:55:41.292600 http.c:733              <= Recv header:
11:55:41.340970 http.c:774              == Info: Connection #1 to host <corporate-proxy> left intact
11:55:41.340970 run-command.c:663       trace: run_command: 'git credential-manager-core erase'
11:55:41.523455 exec-cmd.c:237          trace: resolved executable dir: C:/Development/tools/Git/mingw64/libexec/git-core
11:55:41.526483 git.c:729               trace: exec: git-credential-manager-core erase
11:55:41.526483 run-command.c:663       trace: run_command: git-credential-manager-core erase
remote: Repository not found.
fatal: Authentication failed for 'https://github.com/<owner>/<repo>/'

Regarding the GCM (although given the extraHeader configuration, it should not be used during the process), it causes issues on my machine. It opens a tab in a browser to log into GitHub, but it fails to complete the OAuth flow:

12:07:27.933514 run-command.c:663       trace: run_command: 'git credential-manager-core get'
12:07:28.250565 exec-cmd.c:237          trace: resolved executable dir: C:/Development/tools/Git/mingw64/libexec/git-core
12:07:28.253557 git.c:729               trace: exec: git-credential-manager-core get
12:07:28.253557 run-command.c:663       trace: run_command: git-credential-manager-core get
warning: ┌──────────────── SECURITY WARNING ───────────────┐
warning: │ TLS certificate verification has been disabled! │
warning: └─────────────────────────────────────────────────┘
warning: HTTPS connections may not be secure. See https://aka.ms/gcmcore-tlsverify for more information.
fatal: incorrect_client_credentials: The client_id and/or client_secret passed are incorrect. [https://docs.github.com/apps/managing-oauth-apps/troubleshooting-oauth-app-access-token-request-errors/#incorrect-client-credentials]

Any clue about what’s going on?

I forgot to mention that I experience the same weird behaviour on Linux machines. So it doesn’t seem to be a Windows-specific thing :stuck_out_tongue:
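A triage helper for a trace in the format posted above, added here as an example and not part of the original thread: it summarises each HTTP exchange (request line, how many times each header name was sent, first response status), notes when an untrusted TLS chain was accepted, and lists credential-helper invocations, without ever retaining header values. The sample lines are constructed in the post's trace layout, and the names `parse_trace` and `findings` are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the trace layout shown in the post (values redacted).
SAMPLE_TRACE = """\
11:55:31.777946 http.c:774              == Info:  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
11:55:31.777946 http.c:733              => Send header: GET /owner/repo/info/refs?service=git-upload-pack HTTP/1.1
11:55:31.777946 http.c:733              => Send header: Host: github.com
11:55:31.777946 http.c:733              => Send header: Authorization: Basic <redacted>
11:55:31.777946 http.c:733              => Send header:
11:55:31.980914 http.c:733              <= Recv header: HTTP/1.1 401 Authorization Required
11:55:31.981606 run-command.c:663       trace: run_command: 'git credential-manager-core get'
11:55:41.141684 http.c:733              => Send header: GET /owner/repo/info/refs?service=git-upload-pack HTTP/1.1
11:55:41.141684 http.c:733              => Send header: Authorization: Basic <redacted>
11:55:41.141684 http.c:733              => Send header: Authorization: Basic <redacted>
11:55:41.141684 http.c:733              => Send header:
11:55:41.292600 http.c:733              <= Recv header: HTTP/1.1 401 Authorization Required
"""

LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\S+:\d+\s+"
                  r"(=> Send header:|<= Recv header:|== Info:|trace:)\s*(.*)$")
REQUEST = re.compile(r"^[A-Z]+ \S+ HTTP/\d")
STATUS = re.compile(r"^HTTP/\d(?:\.\d)? (\d{3})")


def parse_trace(text):
    """Group trace lines into request/response exchanges; header values are dropped."""
    exchanges, helpers, tls_unverified = [], [], False
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # untimestamped output such as "fatal: ..." lines
        kind, body = m.groups()
        if kind == "=> Send header:":
            if REQUEST.match(body):
                exchanges.append({"request": body, "sent": Counter(), "status": None})
            elif ":" in body and exchanges:
                name = body.split(":", 1)[0].strip().lower()
                exchanges[-1]["sent"][name] += 1  # count the name only
        elif kind == "<= Recv header:":
            s = STATUS.match(body)
            if s and exchanges and exchanges[-1]["status"] is None:
                exchanges[-1]["status"] = int(s.group(1))
        elif kind == "== Info:":
            if "SSL certificate verify result" in body and "continuing anyway" in body:
                tls_unverified = True
        elif "run_command:" in body and "credential" in body:
            helpers.append(body.split("run_command:", 1)[1].strip())
    return {"exchanges": exchanges, "helpers": helpers, "tls_unverified": tls_unverified}


def findings(report):
    """Turn the parsed trace into observations worth checking; no cause is inferred."""
    out = []
    if report["tls_unverified"]:
        out.append("TLS: untrusted certificate chain accepted (verification disabled)")
    for i, ex in enumerate(report["exchanges"], 1):
        n = ex["sent"]["authorization"]
        if n > 1:
            out.append(f"request {i}: {n} Authorization headers sent")
        if n and ex["status"] == 401:
            out.append(f"request {i}: credentials sent, server answered 401")
    for cmd in report["helpers"]:
        out.append(f"credential helper invoked: {cmd}")
    return out


if __name__ == "__main__":
    for line in findings(parse_trace(SAMPLE_TRACE)):
        print(line)
```
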