Unable to resolve “unable to get local issuer certificate” using git on Windows with self-signed certificate

Open Git Bash and run the command if you want to completely disable SSL verification.

git config --global http.sslVerify false

Note: This solution may open you to attacks like man-in-the-middle attacks. Therefore turn on verification again as soon as possible:

git config --global http.sslVerify true

The problem is that git by default using the "Linux" crypto backend.

Beginning with Git for Windows 2.14, you can now configure Git to use SChannel, the built-in Windows networking layer as the crypto backend. This means that you it will use the Windows certificate storage mechanism and you do not need to explicitly configure the curl CA storage mechanism: https://msdn.microsoft.com/en-us/library/windows/desktop/aa380123(v=vs.85).aspx

Just execute:

git config --global http.sslbackend schannel

That should helps.

Using schannel is by now the standard setting when installing git for windows, also it is recommended to not checkout repositories by SSH anmore if possible, as https is easier to configure and less likely to be blocked by a firewall it means less chance of failure.

I had this issue as well. In my case, I was trying to get a post-receive Git hook to update a working copy on a server with each push. Tried to follow the instructions in the blog you linked to. Didn't work for me as well and overriding the settings on a per-user basis didn't seem to work either.

What I ended up having to do was disable SSL verification (as the article mentions) for Git as a whole. Not the perfect solution, but it'll work until I can figure out a better one.

I edited the Git config text file (with my favorite line-ending neutral app like Notepad++) located at:

C:\Program Files (x86)\Git\etc\gitconfig

In the [http] block, I added an option to disable sslVerify. It looked like this when I was done:

[http]
    sslVerify = false
    sslCAinfo = /bin/curl-ca-bundle.crt

That did the trick.

NOTE:

• This disables SSL verification and is not recommended as a long term solution.

• You can disable this per-repository which still isn't great, but localizes the setting.

• With the advent of LetsEncrypt.org, it is now fairly simple, automated and free to set up SSL as an alternative to self-signed certs and negates the need to turn off sslVerify.

kiddailey I think was pretty close, however I would not disable ssl verification but rather rather just supply the local certificate:

In the Git config file

[http]
    sslCAinfo = /bin/curl-ca-bundle.crt

Or via command line:

git config --global http.sslCAinfo /bin/curl-ca-bundle.crt

I faced this issue as well. And finally got resolved by getting guidance from this MSDN Blog.

Update

Actually you need to add the certificate in git's certificates file curl-ca-bundel.cert that resides in Git\bin directory.

Steps

1. Open your github page in browser, and click over lock icon in address bar.
2. In the opened little popup up navigate to 'view certificate' link, it will open a popup window.
3. In which navigate to certificates tab (3rd in my case). Select the top node that is root certificate. And press copy certificate button in the bottom and save the file.
4. In file explorer navigate Git\bin directory and open curl-ca-bundle.crt in text editor.
5. Open the exported certificate file (in step 3) in text editor as well.
6. Copy all of the content from exported certificate to the end of curl-ca-bundle.crt, and save.

Finally check the status. Please note that backup curl-ca-bundle.crt file before editing to remain on safe side.

An answer to Using makecert for Development SSL fixed this for me.

I do not know why, but the certificate created by the simple 'Create Self Signed Certificate' link in IIS Manager does not do the trick. I followed the approach in the linked question of creating and installing a self-signed CA Root; then using that to issue a Server Authentication Certificate for my server. I installed both of them in IIS.

That gets my situation the same as the blog post referenced in the original question. Once the root certificate was copy/pasted into curl-ca-bundle.crt the git/curl combo were satisfied.

To avoid disabling ssl verification entirely or duplicating / hacking the bundled CA certificate file used by git, you can export the host's certificate chain into a file, and make git use it:

git config --global http.https://the.host.com/.sslCAInfo c:/users/me/the.host.com.cer

If that does not work, you can disable ssl verification only for the host:

git config --global http.https://the.host.com/.sslVerify false

Note : Subjected to possible man in the middle attacks when ssl verification is turned off.

I've just had the same issue but using sourcetree on windows Same steps for normal GIT on Windows as well. Following the following steps I was able to solve this issue.

1. Obtain the server certificate tree This can be done using chrome. Navigate to be server address. Click on the padlock icon and view the certificates. Export all of the certificate chain as base64 encoded files (PEM) format.
2. Add the certificates to the trust chain of your GIT trust config file Run "git config --list". find the "http.sslcainfo" configuration this shows where the certificate trust file is located. Copy all the certificates into the trust chain file including the "- -BEGIN- -" and the "- -END- -".
3. Make sure you add the entire certificate Chain to the certificates file

This should solve your issue with the self-signed certificates and using GIT.

I tried using the "http.sslcapath" configuration but this did not work. Also if i did not include the whole chain in the certificates file then this would also fail. If anyone has pointers on these please let me know as the above has to be repeated for a new install.

If this is the system GIT then you can use the options in TOOLS -> options GIt tab to use the system GIT and this then solves the issue in sourcetree as well.

In case of github Repositories (or any none-self-signed certs), choosing below while installing Git-on-windows, resolved the issue.

I have had this issue before, and solve it using the following config.

[http "https://your.domain"] sslCAInfo=/path/to/your/domain/priviate-certificate

Since git 2.3.1, you can put https://your.domain after http to indicate the following certificate is only for it.

To completely detail out the summary of all the above answers.

Reason

This problem is occuring because git cannot complete the https handshake with the git server were the repository you are trying to access is present.

Solution

Steps to get the certificate from the github server

1. Open the github you are trying to access in the browser
2. Press on the lock icon in the address bar > click on 'certificate'
3. Go to 'Certification Path' tab > select the top most node in the hierarchy of certificates > click on 'view certificate'
4. Now click on 'Details' and click on 'Copy to File..' > Click 'Next' > Select 'Base 64 encoded X509 (.CER)' > save it to any of your desired path.

Steps to add the certificate to local git certificate store

1. Now open the certificate you saved in the notepad and copy the content along with --Begin Certificate-- and --end certificate--

2. To find the path were all the certificates are stored for your git, execute the following command in cmd.

   git config --list

3. Check for the key 'http.sslcainfo', the corresponding value will be path.

Note: If u can't find the key http.sslcainfo check for Git's default path: C:\Program Files\Git\mingw64\ssl\certs

4. Now open 'ca-bundle.crt' present in that path.

Note 1 : open this file administrator mode otherwise you will not be able to save it after update. (Tip - you can use Notepad++ for this purpose)

Note 2 : Before modifying this file please keep a backup elsewhere.

5. Now copy the contents of file mentioned in step 1 to the file in step 4 at end file, like how other certificates are placed in ca-bundle.crt.
6. Now open a new terminal and now you should be able to perform operations related to the git server using https.

Jan 2021 - Got around this in VS2019 by setting Menu > Git > Settings > Git Global Settings > Cryptographic Network Provider > [Secure Channel] instead of [OpenSSL]

Git SSL certificate problem unable to get local issuer certificate (fix)

PS: Didn't need to set --global or --local http.sslVerify false. I was cloning an Azure DevOps repo which wasn't using any self signed certs.. This seems like an issue with either VS2019 or Git for Windows.. They need to fix it !!

In my case, as I have installed the ConEmu Terminal for Window 7, it creates the ca-bundle during installation at C:\Program Files\Git\mingw64\ssl\certs.

Thus, I have to run the following commands on terminal to make it work:

$ git config --global http.sslbackend schannel
$ git config --global http.sslcainfo /mingw64/ssl/certs/ca-bundle.crt

Hence, my C:\Program Files\Git\etc\gitconfig contains the following:

[http]
    sslBackend = schannel
    sslCAinfo = /mingw64/ssl/certs/ca-bundle.crt

Also, I chose same option as mentioned here when installing the Git.

Hope that helps!

One thing that messed me up was the format of the path (on my Windows PC). I originally had this:

git config --global http.sslCAInfo C:\certs\cacert.pem

But that failed with the "unable to get local issuer certificate" error.

What finally worked was this:

git config --global http.sslCAInfo "C:\\certs\\cacert.pem"

Disable your ssl verifaction (which is enabled by default).

Via '.gitconfig' file

Check your .gitconfig file. Usually is found on directory ~/.gitcongh.

Add or override next line:

[http]
   sslverify = false

Via 'git config' command

Execute following command.

git config --global http.sslverify false

If you dont want to enable config property gloablly, step on your repository path and then execute.

git config http.sslverify false

1. Download certificate from this link: https://github.com/bagder/ca-bundle
2. Add it to C:\Program Files\Git\bin and C:\Program Files\Git\mingw64\bin

Then try something like: git clone https://github.com/heroku/node-js-getting-started.git

git config --global http.sslbackend secure-transport

(had to do that after update to Big Sюr)

To fix the especific error SSL certificate problem: unable to get local issuer certificate in git

I had the same issue with Let's Encrypt certificates .

An web site with https we just to need :

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

but git pull says :

fatal: unable to access 'https://example.com/git/demo.git/': SSL certificate problem: unable to get local issuer certificate

To fix it, we need also add:

SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

In my case, I had to use different certificates for different git repositories.

Follow steps below (If you have a certificate of your repository, you can read from step 5)

1. Go to remote repository's site. Ex: github.com, bitbucket.org, tfs.example...

2. Click Lock icon on the upper left side and click Certificate.

3. Go to Certification Path tab and double click to .. Root Certificate

4. Go to Details tab and click Copy to file.

5. Export/Copy certificate to wherever you want. Ex: C:\certs\example.cer

6. Open git bash at your local repository folder and type:

   $ git config http.sslCAInfo "C:\certs\example.cer"

Now you can use different certificates for each repository.

Remember, calling with the --global parameter will also change the certificates of git repositories in other folders, so you should not use the --global parameter when executing this command.

Error

push failed
fatal: unable to access
SSL certificate problem: unable to get local issuer certificate

Reason

After committing files on a local machine, the "push fail" error can occur when the local Git connection parameters are outdated (e.g. HTTP change to HTTPS).

Solution

1. Open the .git folder in the root of the local directory
2. Open the config file in a code editor or text editor (VS Code, Notepad, Textpad)
3. Replace HTTP links inside the file with the latest HTTPS or SSH link available from the web page of the appropriate Git repo (clone button)
   Examples:

   url = http://git.[host]/[group/project/repo_name]     (actual path)
   

   replace it with either

   url = ssh://git@git.[host]:/[group/project/repo_name] (new path SSH)
   url = https://git.[host]/[group/project/repo_name]    (new path HTTPS)
   

I have tried all approach mentioned here but no luck with any. Finally i found a different approach what i did is

• Generated ssh public /private key on my system for git repo

• copy ssh key to your git account and use ssh instead of https in git clone .check below step to generate ssh key

Open Git Bash.

Paste the text below, substituting in your GitHub email address.

$ ssh-keygen -t rsa -b 4096 -C "[email protected]"

This creates a new ssh key, using the provided email as a label.

Generating public/private rsa key pair. When you're prompted to "Enter a file in which to save the key," press Enter. This accepts the default file location.

Enter a file in which to save the key (/c/Users/you/.ssh/id_rsa):[Press enter]

I've had the same problem from Azure DevOps (Visual Studio). Finally I've decided to clone my repo using SSH protocol because of i've prefered it instead of disabling SSL verification.

You only need to generate a SSH Key, you can do it so... SSH documentation

ssh-keygen

And then, import your public key on yout git host (like Azure Devops, Github, Bitbucket, Gitlab, etc.)

I had this error occur when using visual studio. This occurs when you have the Cryptographic Network provider settings set to OpenSSL in the Visual Studio Options window. When I changed the setting to Secure Channel it solved it for me. This setting must have been set for me when I upgraded my VS.

This might help some who come across this error. If you are working across a VPN and it becomes disconnected, you can also get this error. The simple fix is to reconnect your VPN.

Use this command before to run composer update/install:

git config --global http.sslverify false