This error means your CA root certificate is out of date. If your CA root certificate needs to be updated, you won’t be able to push or pull from GitHub repositories.
The error you receive may look like the following:
$ git push -u github.main
> fatal: 'github.main' does not appear to be a git repository
> fatal: The remote end hung up unexpectedly
$ git pull -u github
> error: SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/tqisjim/google-oauth.git/info/refs
> fatal: HTTP request failedA «CA» is shorthand for a «certificate authority,» a third-party group responsible for handling secure connections around the web. They establish digital «certificates,» which are a way of ensuring that there are valid connections between two machines (like your computer and GitHub.com). Without a certificate, the security risk between two machines is greater.
When you receive this error, it likely means that your CA is out-of-date and needs to be updated. Generally, updating your operating system also updates your CA, and solves the problem.
если вы зарегистрированы на github-е и публичная часть вашего ключа добавлена в учётную запись, то можно соединяться с github-ом по протоколу ssh.
ссылку на репозиторий можно получить на странице репозитория (см. справа: «You can clone with HTTPS, SSH, or Subversion») либо, уже имея http-ссылку, преобразовать её в ssh-ссылку, заменив https:// на git@ и первый слэш после адреса сайта — на двоеточие. пример:
https://github.com/owncloud/android.git
git@github.com:owncloud/android.git
если репозиторий уже склонирован, и требуется лишь подправить ссылку, то это можно сделать примерно такой командой:
$ git remote set-url origin <ссылка>
посмотреть свои публичные ключи, закреплённые за учётной записью на github-е можно на соответствующей странице настроек.
I am running Gitblit on a Windows Server and am trying to push data to a repository from another machine on the network. I have used a SSL certificate (not self signed, but I think signed by my company? Not really sure how that works but Chrome, IE, etc. see it is identity verified).
The server that runs Gitblit is named itscm and on the developer’s desktop I am using this URL to push data via TortoiseGit:
git.exe push --progress "https://itscm:8234/git/TestRepo.git" master
However, I get this error:
fatal: unable to access ‘https://itscm:8234/git/TestRepo.git/’: SSL certificate problem: self signed certificate in certificate chain
When I go to that address in chrome, I get a 404 on the page, BUT I can see that the padlock in the URL bar is green. When I click the padlock I see that the identity is verified. I don’t understand how my browser sees this certificate as valid but when I try to push data to it via Git, it fails.
asked Oct 16, 2013 at 20:46
5
Git for Windows has its own trust store of trusted certificates which is normally located in the file
- Git for Windows <=1.9:
[Git installdir]bincurl-ca-bundle.crt(e.g.,C:Program Files (x86)Gitbincurl-ca-bundle.crt; configured by the keyhttp.sslCAinfoin[Git installdir]etcgitconfig). - Git for Windows >= 2.0:
[Git installdir]mingwXXsslcertsca-bundle.crtwhereXXstands for32or64(e.g.,C:Program FilesGitmingw64sslcertsca-bundle.crt; configured by the keyhttp.sslCAinfoin git config, e.g.C:Program FilesGitetcor your global/local config).
Disabling checking of certificates (e.g., by setting git config http.sslVerify false) is not a good idea and might be extremely dangerous (as all security checks are disabled and MitM attacks are easily possible — depending where this is set it applies for all new https connections).
In order to add a certificate (may it be a self-signed one or another root certificate) to this trust store in order to automatically trust it, you have to perform the following steps (the first five steps are just to gather the certificate, this can also be done with your favorite browser, but might require different tasks):
-
Open the URL of the site in Microsoft Edge
-
Click on the lock symbol in the local bar and choose «Connection is safe» and then click on the certificate symbol.
-
(Optional) Select the certificate you want to trust on the certificate chain (third tab) and open it
-
Go to the second tab «Details»
-
Click on «Save to file», choose «Base64-encoded X.509 (.CER)» and save it with a unique name (remember that name; a name w/o spaces is recommended).
-
Now you have several options
- Use a separate certificate trust store which only contains your just downloaded cert, by executing
git config --global http.sslCAinfo "[yourfilename]"in a cli shell in order to only use this certificate as the trust store. - Use a separate certificate trust store which contains your just downloaded cert and all certificates from the git trust store, by appending all content from the system trust store file (path see above) and then execute
git config --global http.sslCAinfo "[yourfilename]"in a cli shell in order to use this new trust store. - Update the system certificate file, by appending the content of your just saved file to
[path-to-git-trust-store-crt-file](e.g. bytype [yourfilename] >> [path-to-git-trust-store-crt-file]in a cli shell running with administrative rights) OR using notepad (make a copy of the ca-bundle.crt file on desktop, append the content of the downlaoded .crt file and then copy it back). Disadvantage: changes might get overwritten on git update
- Use a separate certificate trust store which only contains your just downloaded cert, by executing
Done. Now, this certificate is in the trust store of Git for Windows.
Recent versions of Git for Windows can use also Windows certificate store which might be more convenient in a corporate environment. This can be configured on installation.
answered Sep 30, 2014 at 19:33
MrTuxMrTux
32.1k30 gold badges108 silver badges146 bronze badges
5
TortoiseGit is probably not using the same truststore Chrome. I think Chrome uses the system store, Firefox uses it’s own. I have no idea what TortoiseGit uses.
On the client, if you set git config http.sslVerify false you may have more luck. You can also set this globally.
answered Oct 16, 2013 at 21:28
James MogerJames Moger
1,72112 silver badges12 bronze badges
5
Here is what worked for me. Create a folder C:GitCerts. Then download the Base64 .cer file (follow the answer provided by MrTux) to this C:GitCerts folder.
- From command line run the following command:
git config --global http.sslCAinfo "C:GitCertsMyCert.cer" - Open the
MyCert.cerfile in Notepad and leave it open - Open the Git
ca-bundle.crtfile in another Notepad. Mine was in the locationC:Program FilesGitmingw64sslcertsca-bundle.crt. - Verify the cert text in the
MyCert.cerfile is in theca-bundle.crtfile (it should be), if not just copy and paste all the text from MyCert.cer and append it at the bottom of the ca-bundle.crt file (make sure you leave all the other cert information in there).
——BEGIN CERTIFICATE——
your cert info here
——END CERTIFICATE——
- If you had to modify the ca-bundle.crt file then save it (you may have to save it to your Desktop and then copy and paste it back in to overwrite the
ca-bundle.crtfile) - Finally, based on the path of your
ca-bundle.crtfile run the following command:git config --global http.sslcainfo "C:Program FilesGitmingw64sslcertsca-bundle.crt"
answered Apr 7, 2016 at 20:41
dan-ieldan-iel
8018 silver badges4 bronze badges
2
I experienced this error using GitHub and it seemingly came out of nowhere. I had done plenty of work on GitHub before.
Kaspersky anti-virus was the culprit!!
When I turned off my anti-virus protection (and waited a couple of minutes) I was able to push / pull from my github repo.
My final solution was to locate a certificate from Kaspersky then add it to the Git for Windows trust store. The latter step is already detailed in the accepted answer, but for anyone else in a similar position I was able to locate the Kaspersky certificate by going to:
Settings > Additional > Network > Encrypted connections scanning — Advanced Settings > Install Certificate > Show Certificate > Details > Copy to File > Base-64 encoded X.509 (.cer)
answered Sep 29, 2018 at 19:30
For those in a corporates, who get the self signed certificate error — below is an alternative.
In corporates, the same git server, that is accessible over https protocol, usually will also be accessible over ssh protocol. So choose the ssh option of server url and clone the repository as
git clone user@server/project.git
Of course, the public key( id_rsa.pub ) from your ~.ssh folder will have to added to server. This way you don’t have add the https server certificate to your windows certificate store or mac keychain ( example ).
answered Dec 27, 2014 at 12:11
kiranpradeepkiranpradeep
10.8k4 gold badges49 silver badges80 bronze badges
I found one more answer for this issue :
$ git config http.sslVerify false
answered Jan 30, 2019 at 8:02
KarthikeyanKarthikeyan
1,8876 gold badges42 silver badges105 bronze badges
3
I had the same problem because my laptop died and the clock reset to its default settings. If that’s the case for you, set your clock to the current date and time and the problem should be fixed.
If your clock is set properly, follow what other people are recommending.
answered Sep 9, 2020 at 2:37
I’ve had a similar problem, the error was «certificate has expired». After realizing that git uses own CA store I just updated Git and problem gone.
P.S. BTW, recent Git for Windows can use Windows certificate store which can be more convenient in a corporate environment.
answered Dec 9, 2020 at 15:22
o.vo.v
82510 silver badges15 bronze badges
If it’s working previously and suddenly it stopped working with an SSL error then try to restart your system once. This way it worked for me
answered Dec 29, 2020 at 11:20
Neha JainNeha Jain
2092 silver badges5 bronze badges
I got the same error as I’m connecting through an insecure network. Switching the network resolved my issue.
answered Feb 20, 2021 at 6:54
novicenovice
4414 silver badges11 bronze badges
What is the ‘ssl certificate problem unable to get local issuer certificate’ error
The unable to get local issuer certificate is a common issue faced by developers when trying to push, pull, or clone a git repository using Git Bash, a command-line tool specific to Windows.
The unable to get local issuer certificate error often occurs when the Git server’s SSL certificate is self-signed. The issue with self-signed certificates is that the private key associated with them cannot be revoked, making it a security vulnerability.
Alternatively, it can be due to incorrect configuration for Git on your system or when using git inside Visual Studio Code (VS Code) terminal.
What causes ‘ssl certificate problem unable to get local issuer certificate’
The unable to get local issuer certificate error is caused by the misconfiguration of the SSL certificate on your local machine. When pushing, pulling, or cloning, Git cannot verify your SSL certification, which leads to the error.
A valid HTTPS handshake requires both the client and the server to create a secure connection, allowing for safe communication between your local machine and where the source code is hosted. When the SSL certificate cannot be verified, Git cannot complete the HTTPS handshake with the server that hosts the repository.
When the unable to get local issuer certificate error occurs in VS Code, it is often because Visual Studio cannot locate the SSL certificate. This may be due to the path being misconfigured on the local machine.
How can you fix ‘ssl certificate problem unable to get local issuer certificate errors’
When ssl certificate problem unable to get local issuer certificate error is caused by a self-signed certificate, the fix is to add the certificate to the trusted certificate store.
By default, the trusted certificate store is located in the following directory for Git Bash:
C:Program FilesGitmingw64sslcerts
Open the file ca-bundle.crt located in the directory above, then copy and paste the Git SSL certificate to the end of the file. Once completed, save the file and run your git pull, push, or clone command.
Disabling SSL certificate validation is not recommended for security purposes. However, it is an option for fixing the ssl certificate problem unable to get local issuer certificate error.
You can disable SSL certificate validation locally in Git using the following command:
$ git -c http.sslVerify=false clone [URL]
You can also disable SSL certificate validation at a global level using the following command:
$ git config --global http.sslVerify false
To re-enable SSL certificate validation, use the following command:
$ git config --global http.sslVerify true
Another method for fixing the ssl certificate problem unable to get local issuer certificate error is to reinstall Git and choose the SSL transport backend option during the installation process.
If the unable to get local issuer certificate error occurs inside Visual Studio Code, you need to grant your repository access to the SSL certificates. To do this, git can be reconfigured with the --global flag on your SSL certificate configuration. This will give the Git server accessibility to the required SSL certificate.
To do this, run the following command in the Terminal:
git config --global http.sslBackend schannel
Accessibility to SSL certificate verification can also be set at the system level. To do this, you must be running in administrator mode before executing the following command:
git config --system http.sslBackend schannel
If the unable to get local issuer certificate error in Visual Studio Code is not due to accessibility but a location misconfiguration, this can be fixed by reassigning the path. This can be done through the following command:
git config --global http.sslcainfo "Path"
How to prevent ‘ssl certificate problem unable to get local issuer certificate’ errors
The main purpose of a SSL certificate is to confirm authentication so that the information passed between client and server is secure. When an unable to get local issuer certificate error occurs, a secure connection cannot be established, and the git client rejects your attempt to push, pull, or clone a repository for security reasons.
While disabling SSL certificates altogether is an option and common fix, it is not recommended. It opens up a security vulnerability for your repository and your local machine. Nevertheless, you can negate the unable to get local issuer certificate error by disabling SSL certificates at a local and global level. If SSL certificates are disabled at a global level, it is good to always enable them again so that other projects are not impacted by the intentional security disablement.
To prevent the error, ensure that you have a valid SSL certificate in your certificate store. Alternatively, you can reinstall your Git Bash with SSL Transport backend selected during the installation process.
If you are using Git via Visual Studio Code and have a valid SSL certificate in your certificate store but still encounter the certificate problem error, use the --global flag on your SSL certificate configuration to grant the Git server accessibility.
Kubernetes Troubleshooting With Komodor
We hope that the guide above helps you better understand the troubleshooting steps you need to take in order to fix the unable to get local issuer certificate error.
Keep in mind that this is just one of many Git errors that can pop up in your k8s logs and cause the system to fail. Due to the complex and distributed nature of k8s, the search for the root cause of each such failure can be stressful, disorienting, and time-consuming.
Komodor is a Kubernetes troubleshooting platform that turns hours of guesswork into actionable answers in just a few clicks. Using Komodor, you can monitor, alert and troubleshoot incidents in your entire K8s cluster.
For each K8s resource, Komodor automatically constructs a coherent view, including the relevant deploys, config changes, dependencies, metrics, and past incidents. Komodor seamlessly integrates and utilizes data from cloud providers, source controls, CI/CD pipelines, monitoring tools, and incident response platforms.
- Discover the root cause automatically with a timeline that tracks all changes made in your application and infrastructure.
- Quickly tackle the issue, with easy-to-follow remediation instructions.
- Give your entire team a way to troubleshoot independently, without having to escalate.
Unable to access SSL certificate fix
You may run into the Git ‘unable to access GitHub or GitLab’ SSL certificate settings error when attempting to clone a repository. There’s a quick fix you can run at the command line:
git config --global http.sslverify "false"
That will turn off SSL during the git clone operation and allow you to push and pull back and forth to your server.
Of course, with SSL turned off, your secrets may not be safe. Any old packet sniffer on the network might capture your git clone operation and discover your organization’s commit history. So be sure you’re not violating any security policies of your organizations when you do this. But if it’s just a public project you’re cloning, I wouldn’t worry too much about SSL.