Unable to resolve unable to get local issuer certificate using git on Windows with self-signed certificate

Question

I am using Git on Windows  I installed the msysGit package  My test repository has a self signed certificate at the server  I can access and use the repository using HTTP without problems  Moving to HTTPS gives the error      SSL Certificate problem  unable to get local issuer certificate      I have the self signed certificate installed in the Trusted Root Certification Authorities of my Windows 7 - client machine  I can browse to the HTTPS repository URL in Internet Explorer with no error messages   This blog post by Philip Kelley explained that cURL does not use the client machine s certificate store  I followed the blog post s advice to create a private copy of curl-ca-bundle crt and configure Git to use it  I am sure Git is using my copy  If I rename the copy  Git complains the file is missing   I pasted in my certificate  as mentioned in the blog post  I still get the message  unable to get local issuer certificate    I verified that Git was still working by cloning a GitHub Repository via HTTPS   The only thing I see that s different to the blog post is that my certificate is the root - there is no chain to reach it  My certificate originally came from clicking the IIS8 IIS Manager link  Create Self Signed Certificate   Maybe that makes a certificate different in some way to what cURL expects   How can I get Git cURL to accept the self signed certificate

User · Answer

I faced this issue as well  And finally got resolved by getting guidance from this MSDN Blog   Update  Actually you need to add the certificate in git s certificates file curl-ca-bundel cert that resides in Git bin directory   Steps   Open your github page in browser  and click over lock icon in address bar  In the opened little popup up navigate to  view certificate  link  it will open a popup window  In which navigate to certificates tab  3rd in my case   Select the top node that is root certificate  And press copy certificate button in the bottom and save the file  In file explorer navigate Git bin directory and open curl-ca-bundle crt in text editor  Open the exported certificate file  in step 3  in text editor as well  Copy all of the content from exported certificate to the end of curl-ca-bundle crt  and save    Finally check the status  Please note that backup curl-ca-bundle crt file before editing to remain on safe side

User · Answer

In my case  as I have installed the ConEmu Terminal for Window 7  it creates the ca-bundle during installation at C  Program Files Git mingw64 ssl certs   Thus  I have to run the following commands on terminal to make it work     git config --global http sslbackend schannel   git config --global http sslcainfo  mingw64 ssl certs ca-bundle crt   Hence  my C  Program Files Git etc gitconfig contains the following    http      sslBackend   schannel     sslCAinfo    mingw64 ssl certs ca-bundle crt   Also  I chose same option as mentioned here when installing the Git   Hope that helps

User · Answer

Use this command before to run composer update install   git config --global http sslverify false

User · Answer

I ve had the same problem from Azure DevOps  Visual Studio   Finally I ve decided to clone my repo using SSH protocol because of i ve prefered it instead of disabling SSL verification  You only need to generate a SSH Key  you can do it so    SSH documentation ssh-keygen  And then  import your public key on yout git host  like Azure Devops  Github  Bitbucket  Gitlab  etc

User · Answer

To avoid disabling ssl verification entirely or duplicating   hacking the bundled CA certificate file used by git  you can export the host s certificate chain into a file  and make git use it   git config --global http https   the host com  sslCAInfo c  users me the host com cer   If that does not work  you can disable ssl verification only for the host   git config --global http https   the host com  sslVerify false   Note   Subjected to possible man in the middle attacks when ssl verification is turned off

User · Answer

Open Git Bash and run the command if you want to completely disable SSL verification   git config --global http sslVerify false   Note  This solution may open you to attacks like man-in-the-middle attacks  Therefore turn on verification again as soon as possible   git config --global http sslVerify true

User · Answer

Error  push failed fatal  unable to access SSL certificate problem  unable to get local issuer certificate  Reason After committing files on a local machine  the  quot push fail quot  error can occur when the local Git connection parameters are outdated  e g  HTTP change to HTTPS   Solution  Open the  git folder in the root of the local directory Open the config file in a code editor or text editor  VS Code  Notepad  Textpad  Replace HTTP links inside the file with the latest HTTPS or SSH link available from the web page of the appropriate Git repo  clone button  Examples  url   http   git  host   group project repo name       actual path   replace it with either url   ssh   git git  host    group project repo name   new path SSH  url   https   git  host   group project repo name      new path HTTPS

User · Answer

To fix the especific error SSL certificate problem  unable to get local issuer certificate in git   I had the same issue with Let s Encrypt certificates    An web site with https we just to need    SSLEngine On SSLCertificateFile  etc letsencrypt live example com cert pem SSLCertificateKeyFile  etc letsencrypt live example com privkey pem Include  etc letsencrypt options-ssl-apache conf   but git pull says     fatal  unable to access  https   example com git demo git    SSL certificate problem  unable to get local issuer certificate   To fix it  we need also add    SSLCertificateChainFile  etc letsencrypt live example com chain pem

User · Answer

I had this issue as well   In my case  I was trying to get a post-receive Git hook to update a working copy on a server with each push   Tried to follow the instructions in the blog you linked to   Didn t work for me as well and overriding the settings on a per-user basis didn t seem to work either   What I ended up having to do was disable SSL verification  as the article mentions  for Git as a whole   Not the perfect solution  but it ll work until I can figure out a better one   I edited the Git config text file  with my favorite line-ending neutral app like Notepad    located at      C  Program Files  x86  Git etc gitconfig   In the  http  block  I added an option to disable sslVerify   It looked like this when I was done    http      sslVerify   false     sslCAinfo    bin curl-ca-bundle crt   That did the trick    NOTE     This disables SSL verification and is not recommended as a long term solution  You can disable this per-repository which still isn t great  but localizes the setting  With the advent of LetsEncrypt org  it is now fairly simple  automated and free to set up SSL as an alternative to self-signed certs and negates the need to turn off sslVerify

User · Answer

Download certificate from this link  https   github com bagder ca-bundle Add it to C  Program Files Git bin and C  Program Files Git mingw64 bin   Then try something like  git clone https   github com heroku node-js-getting-started git

User · Answer

I have had this issue before  and solve it using the following config     http  https   your domain      sslCAInfo  path to your domain priviate-certificate   Since git 2 3 1  you can put https   your domain after http to indicate the following certificate is only for it

User · Answer

The problem is that git by default using the  Linux  crypto backend   Beginning with Git for Windows 2 14  you can now configure Git to use SChannel  the built-in Windows networking layer as the crypto backend  This means that you it will use the Windows certificate storage mechanism and you do not need to explicitly configure the curl CA storage mechanism  https   msdn microsoft com en-us library windows desktop aa380123 v vs 85  aspx  Just execute   git config --global http sslbackend schannel   That should helps   Using schannel is by now the standard setting when installing git for windows  also it is recommended to not checkout repositories by SSH anmore if possible  as https is easier to configure and less likely to be blocked by a firewall it means less chance of failure

User · Answer

I have tried all approach mentioned here but no luck with any  Finally i found a different approach what i did is  Generated ssh public  private key on my system for git repo  copy ssh key to your git account and use ssh instead of https in git clone  check below step to generate ssh key   Open Git Bash  Paste the text below  substituting in your GitHub email address    ssh-keygen -t rsa -b 4096 -C  quot your email example com quot   This creates a new ssh key  using the provided email as a label  Generating public private rsa key pair  When you re prompted to  quot Enter a file in which to save the key  quot  press Enter  This accepts the default file location  Enter a file in which to save the key   c Users you  ssh id rsa   Press enter

User · Answer

One thing that messed me up was the format of the path  on my Windows PC    I originally had this   git config --global http sslCAInfo C  certs cacert pem   But that failed with the  unable to get local issuer certificate  error   What finally worked was this   git config --global http sslCAInfo  C   certs  cacert pem

User · Answer

This might help some who come across this error   If you are working across a VPN and it becomes disconnected  you can also get this error   The simple fix is to reconnect your VPN

User · Answer

Jan 2021 - Got around this in VS2019 by setting Menu  gt  Git  gt  Settings  gt  Git Global Settings  gt  Cryptographic Network Provider  gt   Secure Channel  instead of  OpenSSL  Git SSL certificate problem unable to get local issuer certificate  fix  PS  Didn t need to set --global or --local http sslVerify false  I was cloning an Azure DevOps repo which wasn t using any self signed certs   This seems like an issue with either VS2019 or Git for Windows   They need to fix it

User · Answer

To completely detail out the summary of all the above answers  Reason This problem is occuring because git cannot complete the https handshake with the git server were the repository you are trying to access is present  Solution Steps to get the certificate from the github server  Open the github you are trying to access in the browser Press on the lock icon in the address bar  gt  click on  certicicate  Go to  Certification Path  tab  gt  select the top most node in the heirarchy of certifcates  gt  click on  view certificate  Now click on  Details  and click on  Copy to File     gt  Click  Next   gt  Select  Base 64 encoded X509   CER    gt  save it to any of your desired path   Steps to add the certificate to local git certificate store  Now open the certicate you saved in the notepad and copy the content along with --Begin Certificate-- and --end certificate--  To find the path were all the certificates are stored for your git  execute the following command in cmd  git config --list  Check for the key  http sslcainfo   the correspondig value will be path   Now open  ca-bundle crt  present in that path     Note 1   open this file administrator mode otherwise you will not be able to save it after update   Tip - you can use Notepad   for this purpose  Note 2   Before modifying this file please keep a backup elsewhere    Now copy the contents of file mentioned in step 1 to the file in step 4 at end file  like how other certificates are placed in ca-bundle crt  Now open a new terminal and now you should be able to perform opertions related to the git server using https

User · Answer

In my case  I had to use different certificates for different git repositories  Follow steps below  If you have a certificate of your repository  you can read from step 5   Go to remote repository s site  Ex  github com  bitbucket org  tfs example     Click Lock icon on the upper left side and click Certificate   Go to Certification Path tab and double click to    Root Certificate  Go to Details tab and click Copy to file   Export Copy certificate to wherever you want  Ex  C  certs example cer  Open git bash at your local repository folder and type    git config http sslCAInfo  quot C  certs example cer quot    Now you can use different certificates for each repository  Remember  calling with the --global parameter will also change the certificates of git repositories in other folders  so you should not use the --global parameter when executing this command

User · Answer

The answer to this question Using makecert for Development SSL fixed this for me   I do not know why  but the certificate created by the simple  Create Self Signed Certificate  link in IIS Manager does not do the trick   I followed the approach in the linked question of creating and installing a self-signed CA Root  then using that to issue a Server Authentication Certificate for my server   I installed both of them in IIS   That gets my situation the same as the blog post referenced in the original question   Once the root certificate was copy pasted into curl-ca-bundle crt the git curl combo were satisfied

User · Answer

In case of github Repositories  or any none-self-signed certs   choosing below while installing Git-on-windows  resolved the issue

User · Answer

kiddailey I think was pretty close  however I would not disable ssl verification but rather rather just supply the local certificate   In the Git config file   http      sslCAinfo    bin curl-ca-bundle crt   Or via command line   git config --global http sslCAinfo  bin curl-ca-bundle crt

User · Answer

I ve just had the same issue but using sourcetree on windows Same steps for normal GIT on Windows as well  Following the following steps I was able to solve this issue    Obtain the server certificate tree This can be done using chrome  Navigate to be server address  Click on the padlock icon and view the certificates  Export all of the certificate chain as base64 encoded files  PEM  format  Add the certificates to the trust chain of your GIT trust config file Run  git config --list   find the  http sslcainfo  configuration this shows where the certificate trust file is located  Copy all the certificates into the trust chain file including the  - -BEGIN- -  and the  - -END- -   Make sure you add the entire certificate Chain to the certificates file   This should solve your issue with the self-signed certificates and using GIT   I tried using the  http sslcapath  configuration but this did not work  Also if i did not include the whole chain in the certificates file then this would also fail  If anyone has pointers on these please let me know as the above has to be repeated for a new install   If this is the system GIT then you can use the options in TOOLS -  options GIt tab to use the system GIT and this then solves the issue in sourcetree as well

[windows] Unable to resolve "unable to get local issuer certificate" using git on Windows with self-signed certificate

Examples related to windows

Examples related to git

Examples related to curl

Examples related to ssl-certificate

Examples related to msysgit