The 'fatal: unable to access: error setting certificate verify locations' error occurs when Git cannot find or access SSL/TLS certificate authority (CA) files during HTTPS operations. This commonly affects CI/CD pipelines, Docker containers, and minimal Linux distributions where certificate bundles are missing or incorrectly configured.
The "fatal: unable to access" error with "error setting certificate verify locations" indicates that Git's underlying SSL/TLS library (typically OpenSSL or LibreSSL) cannot locate the certificate authority (CA) bundle needed to verify HTTPS connections. Without these certificates, Git cannot establish secure connections to remote repositories.

This error is particularly common in CI/CD environments because:

- CI runners often use minimal Docker images that lack pre-installed CA certificates
- Custom build environments may not include standard certificate paths
- Self-signed or enterprise certificates require additional configuration
- Some container images override default certificate locations

The SSL certificate verification system relies on a bundle of trusted root CA certificates stored on the system. When Git (via libcurl and OpenSSL) cannot find this bundle at expected paths like `/etc/ssl/certs/ca-certificates.crt` or `/etc/pki/tls/certs/ca-bundle.crt`, it fails with this error rather than proceeding with an insecure connection.
The most common fix is to install the CA certificates package in your Docker image or CI environment:

For Debian/Ubuntu-based images:

```dockerfile
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y ca-certificates git && rm -rf /var/lib/apt/lists/*
```

For Alpine Linux:

```dockerfile
FROM alpine:3.18
RUN apk add --no-cache ca-certificates git
```

For RHEL/CentOS/Fedora:

```dockerfile
FROM fedora:38
RUN dnf install -y ca-certificates git
```

In GitLab CI (before_script):

```yaml
before_script:
  - apt-get update && apt-get install -y ca-certificates
  # Or for Alpine runners, use this line instead of the one above:
  # - apk add --no-cache ca-certificates
```

If certificates are installed but Git cannot find them, set the path explicitly:
```bash
# Find where certificates are installed
find /etc -name "*.crt" -o -name "*.pem" 2>/dev/null | head -20

# Common locations:
# - /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu)
# - /etc/pki/tls/certs/ca-bundle.crt (RHEL/CentOS)
# - /etc/ssl/cert.pem (Alpine/macOS)
# - /etc/ssl/certs/ca-bundle.crt (OpenSUSE)
```

Set Git to use the correct path:

```bash
# Using environment variable (recommended)
export GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt

# Or configure Git directly
git config --global http.sslCAInfo /etc/ssl/certs/ca-certificates.crt

# For custom CA path directory
export GIT_SSL_CAPATH=/etc/ssl/certs/
git config --global http.sslCAPath /etc/ssl/certs/
```

In GitLab CI:

```yaml
variables:
  GIT_SSL_CAINFO: /etc/ssl/certs/ca-certificates.crt

# Or per-job
job_name:
  variables:
    GIT_SSL_CAINFO: /etc/ssl/certs/ca-certificates.crt
```

In GitHub Actions:

```yaml
env:
  GIT_SSL_CAINFO: /etc/ssl/certs/ca-certificates.crt
```

Alpine and other minimal images require additional steps to set up certificates properly:
Alpine Linux:

```dockerfile
FROM alpine:3.18

# Install certificates and update the certificate store
RUN apk add --no-cache ca-certificates \
    && update-ca-certificates

# Set environment variable for OpenSSL
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
ENV SSL_CERT_DIR=/etc/ssl/certs
```

For multi-stage builds, copy certificates:

```dockerfile
FROM golang:alpine AS builder
RUN apk add --no-cache git ca-certificates
# ... build steps ...

FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# ... rest of minimal image ...
```

Distroless images:

```dockerfile
FROM gcr.io/distroless/static-debian11
# Distroless includes CA certificates by default
# But if you need custom certs, use a multi-stage build
```

If your organization uses internal CA or self-signed certificates:
Add certificate to system trust store:

```bash
# Debian/Ubuntu
sudo cp my-enterprise-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# RHEL/CentOS
sudo cp my-enterprise-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

# Alpine
sudo cp my-enterprise-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
```

In Dockerfile:

```dockerfile
FROM ubuntu:22.04
COPY my-enterprise-ca.crt /usr/local/share/ca-certificates/
RUN apt-get update \
    && apt-get install -y ca-certificates \
    && update-ca-certificates \
    && rm -rf /var/lib/apt/lists/*
```

In GitLab CI:

```yaml
before_script:
  - echo "$CUSTOM_CA_CERT" > /usr/local/share/ca-certificates/custom-ca.crt
  - update-ca-certificates
```

Point Git to specific certificate:

```bash
git config --global http."https://gitlab.mycompany.com/".sslCAInfo /path/to/custom-ca.crt
```

GitLab Runner may need specific configuration for certificate handling:
Using GitLab Runner's built-in certificate handling:

```toml
# /etc/gitlab-runner/config.toml
[[runners]]
  name = "my-runner"
  url = "https://gitlab.example.com/"
  tls-ca-file = "/etc/gitlab-runner/certs/ca.crt"
  [runners.docker]
    volumes = ["/etc/ssl/certs:/etc/ssl/certs:ro"]
```

Mount certificates into Docker executor:

```toml
[[runners]]
  [runners.docker]
    volumes = [
      "/etc/ssl/certs:/etc/ssl/certs:ro",
      "/etc/pki:/etc/pki:ro"
    ]
```

GitLab CI configuration for certificate issues:

```yaml
variables:
  # Disable certificate verification (NOT recommended for production)
  # GIT_SSL_NO_VERIFY: "true"
  # Use custom certificate
  GIT_SSL_CAINFO: /etc/gitlab-runner/certs/ca.crt
  # Or use FF_NETWORK_PER_BUILD for network isolation
  FF_NETWORK_PER_BUILD: "true"
```

For Kubernetes executor:

```yaml
# values.yaml for GitLab Runner Helm chart
certsSecretName: gitlab-runner-certs
```

Corporate proxies often intercept HTTPS traffic, requiring their CA certificate:
Identify if proxy is the issue:

```bash
# Check if proxy is set
echo "$HTTP_PROXY" "$HTTPS_PROXY"

# Test direct connection
curl -v https://github.com 2>&1 | grep -i certificate

# Test with proxy certificate
curl --cacert /path/to/proxy-ca.crt https://github.com
```

Configure Git for proxy with certificate:

```bash
# Set proxy
git config --global http.proxy http://proxy.company.com:8080

# Add proxy's CA certificate
git config --global http.sslCAInfo /path/to/proxy-ca-bundle.crt

# Or add proxy CA to system bundle
# (the appended entry is lost when update-ca-certificates regenerates the bundle)
cat proxy-ca.crt >> /etc/ssl/certs/ca-certificates.crt
```

In CI environment:

```yaml
variables:
  HTTP_PROXY: http://proxy.company.com:8080
  HTTPS_PROXY: http://proxy.company.com:8080
  NO_PROXY: localhost,127.0.0.1,.company.com
  GIT_SSL_CAINFO: /etc/ssl/certs/ca-bundle-with-proxy.crt
```

To diagnose the exact cause of certificate failures:
```bash
# Verbose Git output
GIT_CURL_VERBOSE=1 git clone https://github.com/user/repo.git 2>&1

# Check OpenSSL configuration
openssl version -d

# Test SSL connection directly
openssl s_client -connect github.com:443 -CApath /etc/ssl/certs

# Verify certificate chain
openssl s_client -connect github.com:443 -showcerts

# Check which CA bundle is being used
curl -v https://github.com 2>&1 | grep CAfile

# List certificates in bundle
openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | \
    openssl pkcs7 -print_certs -noout | grep subject
```

Check file permissions:

```bash
ls -la /etc/ssl/certs/ca-certificates.crt
# Should be readable: -rw-r--r--

# Fix permissions if needed
chmod 644 /etc/ssl/certs/ca-certificates.crt
```

Verify Git SSL configuration:

```bash
git config --list | grep -i ssl
# Should show sslCAInfo and/or sslCAPath if configured
```

WARNING: Disabling SSL verification removes protection against man-in-the-middle attacks. Only use this for debugging or in isolated, trusted environments.
```bash
# For a single command
GIT_SSL_NO_VERIFY=1 git clone https://github.com/user/repo.git

# Global configuration (avoid in production)
git config --global http.sslVerify false

# Per-repository
git config http.sslVerify false

# For specific host only
git config --global http."https://trusted-internal-server.com/".sslVerify false
```

In CI (temporary debugging only):

```yaml
variables:
  GIT_SSL_NO_VERIFY: "true" # REMOVE after debugging!
```

Better alternative - trust specific certificate:

```bash
# Instead of disabling verification, add the specific certificate
git config --global http."https://gitlab.internal/".sslCAInfo /path/to/internal-ca.crt
```

Always revert this workaround after identifying the root cause and implementing a proper certificate solution.
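
A guard for reverting the workaround above, as an added example that is not part of the original page: it fails a CI job while verification is still switched off. The function names are hypothetical, and `scan_git_config` expects `git config --list` output on stdin.

```sh
#!/bin/sh
# Added example: detect leftover "disable verification" settings for Git.

# scan_git_config: read `git config --list` output on stdin and print every
# http.sslVerify entry, global or per-URL, whose value Git treats as false.
# `git config --list` prints variable names in lower case; -i covers both forms.
scan_git_config() {
    grep -i -E '^http\.(.*\.)?sslverify=(false|no|off|0)?$' || true
}

# audit_git_tls: print each finding and return 1 if verification is off anywhere.
audit_git_tls() {
    rc=0
    findings=$(scan_git_config)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        rc=1
    fi
    # Git only checks whether GIT_SSL_NO_VERIFY is set, not what it is set to,
    # so a value of "false" or "0" still disables verification.
    if [ -n "${GIT_SSL_NO_VERIFY+set}" ]; then
        echo "env:GIT_SSL_NO_VERIFY=$GIT_SSL_NO_VERIFY"
        rc=1
    fi
    return $rc
}

# Run against the live configuration only when asked, so the file can be sourced.
if [ "${1:-}" = "--run" ]; then
    git config --list | audit_git_tls || exit 1
fi
```

The check is deliberately conservative: it flags a disabling entry even if a later entry in the configuration re-enables verification.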
### Understanding Certificate Verification in Git
Git uses libcurl for HTTPS operations, which relies on OpenSSL (or other SSL libraries) for certificate verification. The verification process:
1. Git connects to the remote server over HTTPS
2. Server presents its SSL certificate
3. OpenSSL checks if a trusted CA signed the certificate
4. OpenSSL searches for CA certificates in configured paths
5. If CA bundle is missing or inaccessible, the "error setting certificate verify locations" occurs
### Default Certificate Paths by Distribution
| Distribution | CA Bundle Path | CA Directory |
|--------------|----------------|--------------|
| Debian/Ubuntu | /etc/ssl/certs/ca-certificates.crt | /etc/ssl/certs/ |
| RHEL/CentOS | /etc/pki/tls/certs/ca-bundle.crt | /etc/pki/tls/certs/ |
| Fedora | /etc/pki/tls/certs/ca-bundle.crt | /etc/pki/tls/certs/ |
| Alpine | /etc/ssl/cert.pem | /etc/ssl/certs/ |
| OpenSUSE | /etc/ssl/ca-bundle.pem | /etc/ssl/certs/ |
| macOS | /etc/ssl/cert.pem | System Keychain |
### Environment Variables Reference
| Variable | Purpose |
|----------|---------|
| GIT_SSL_CAINFO | Path to CA bundle file |
| GIT_SSL_CAPATH | Path to directory with individual CA certs |
| GIT_SSL_NO_VERIFY | Disable verification (dangerous) |
| SSL_CERT_FILE | OpenSSL CA bundle (affects curl too) |
| SSL_CERT_DIR | OpenSSL CA directory |
| CURL_CA_BUNDLE | curl-specific CA bundle |
| REQUESTS_CA_BUNDLE | Python requests library CA bundle |
### GitLab-Specific Considerations
GitLab CI has several certificate-related features:

1. Pre-clone script: Execute commands before Git operations

   ```yaml
   variables:
     GIT_STRATEGY: clone
     PRE_CLONE_SCRIPT: |
       apt-get update && apt-get install -y ca-certificates
   ```

2. Custom CA for self-managed GitLab:

   ```yaml
   variables:
     CI_SERVER_TLS_CA_FILE: /path/to/gitlab-ca.crt
   ```

3. Runner-level configuration: Managed in runner's config.toml
### Docker Best Practices
For reliable certificate handling in Docker:

```dockerfile
# Use official images that include certificates
# (python:3.11-slim includes CA certs)
FROM python:3.11-slim
```

```dockerfile
# Or explicitly install and configure
FROM debian:bookworm-slim
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/* \
    && update-ca-certificates

# Set environment variables for various tools
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
ENV SSL_CERT_DIR=/etc/ssl/certs
ENV GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
```

### Troubleshooting Checklist
1. Verify certificates are installed: `ls -la /etc/ssl/certs/`
2. Check environment variables: `env | grep -i ssl`
3. Test with curl: `curl -v https://github.com`
4. Check Git config: `git config --list | grep ssl`
5. Verify permissions: Ensure cert files are readable
6. Check OpenSSL paths: `openssl version -d`
7. Test direct SSL: `openssl s_client -connect github.com:443`
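
Checklist items 1, 2 and 5 as one script, added here as an example and not taken from the original page. The function names and the order in which the default paths are tried are assumptions; the paths are the bundle locations from the distribution table.

```sh
#!/bin/sh
# Added example: report which CA bundle Git is pointed at and whether it is usable.
# DEFAULT_BUNDLES lists the bundle paths from the distribution table (assumed order).
DEFAULT_BUNDLES="/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt"
DEFAULT_BUNDLES="$DEFAULT_BUNDLES /etc/ssl/cert.pem /etc/ssl/ca-bundle.pem"

# check_bundle PATH: print one status word; return 0 only for "ok".
check_bundle() {
    if [ ! -e "$1" ]; then echo missing; return 1; fi
    if [ ! -f "$1" ]; then echo not-a-file; return 1; fi
    if [ ! -r "$1" ]; then echo unreadable; return 1; fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo no-certificates; return 1
    fi
    echo ok
}

# resolve_bundle [CONFIGURED]: print "SOURCE PATH STATUS".
# CONFIGURED is the output of `git config --get http.sslCAInfo`, passed in by
# the caller. GIT_SSL_CAINFO takes precedence over it. An explicit setting is
# reported even when broken and never skipped, because a path that is set but
# wrong is itself a cause of this error.
resolve_bundle() {
    if [ -n "${GIT_SSL_CAINFO:-}" ]; then
        src=GIT_SSL_CAINFO; path=$GIT_SSL_CAINFO
    elif [ -n "${1:-}" ]; then
        src=http.sslCAInfo; path=$1
    else
        src=default; path=
        for candidate in $DEFAULT_BUNDLES; do
            if [ -e "$candidate" ]; then path=$candidate; break; fi
        done
        if [ -z "$path" ]; then echo "default none missing"; return 1; fi
    fi
    status=$(check_bundle "$path") && rc=0 || rc=1
    echo "$src $path $status"
    return $rc
}

# Run against the live system only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    resolve_bundle "$(git config --get http.sslCAInfo 2>/dev/null || true)"
fi
```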