Git "Failed to connect to github.com port 443" in CI
Git could not open the HTTPS connection to the remote at all. The TCP handshake to port 443 timed out or was refused - a network, proxy, or firewall problem rather than anything wrong with the repository.
What this error means
A clone or fetch over HTTPS fails with fatal: unable to access ...: Failed to connect to github.com port 443. When it is a transient blip it passes on a retry; when it is a firewall or proxy gap it fails every time from that runner.
fatal: unable to access 'https://github.com/org/repo.git/':
Failed to connect to github.com port 443 after 130000 ms:
Connection timed outCommon causes
Transient network drop
A brief connectivity blip between the runner and the remote causes the connection attempt to time out. Nothing is wrong with your repo or credentials - a retry usually succeeds.
Egress blocked by a firewall
A locked-down runner network may block outbound 443 to the host. Every attempt then fails identically until the firewall rule is changed.
A proxy is required but not configured
In corporate environments outbound traffic must go through an HTTP proxy. Without http.proxy/https_proxy set, Git tries to connect directly and times out.
How to fix it
Retry the transient failure
If the failure is intermittent, a short bounded retry around the clone clears most network blips.
for i in 1 2 3; do
git clone https://github.com/org/repo.git && break
echo "clone failed (attempt $i), retrying..."; sleep 5
doneConfigure the proxy
Point Git (and the environment) at the required proxy so outbound HTTPS is routed correctly.
git config --global http.proxy http://proxy.example.com:8080
export HTTPS_PROXY=http://proxy.example.com:8080Allow egress to the remote host
- Confirm the runner can reach the host:
curl -sS -o /dev/null -w "%{http_code}\n" https://github.com. - Open outbound 443 to the Git host in the firewall / security group.
- If only SSH egress is open, switch the remote to the SSH URL instead.
How to prevent it
- Allowlist the Git host on outbound 443 for CI runners.
- Set proxy variables centrally for runners behind a corporate proxy.
- Wrap clones in a bounded retry to absorb transient drops.