This error occurs when Git cannot verify SSL certificates because a corporate proxy intercepts HTTPS traffic and re-signs it with its own Certificate Authority. The proxy's CA certificate is not in Git's trust store, causing SSL verification to fail during clone, push, or pull operations.
The "SSL certificate problem: unable to get local issuer certificate" error in a corporate proxy environment occurs when your company's network security infrastructure intercepts and inspects HTTPS traffic. Corporate proxies perform SSL/TLS inspection (also known as SSL interception or "man-in-the-middle" inspection) to monitor encrypted traffic for security threats.
When a corporate proxy intercepts your Git connection to GitHub, GitLab, or another remote repository, it decrypts the traffic, inspects it, and then re-encrypts it using the company's own Certificate Authority (CA). This is why the error mentions "unable to get local issuer certificate": Git sees a certificate signed by your corporate CA, but that CA is not in Git's default trust store.
This is different from a standard SSL certificate error because the root cause is intentional network security policy rather than misconfiguration. The solution requires adding your corporate CA certificate to Git's trust store so it can verify the re-signed certificates.
Common signs that a corporate proxy is involved:
- The error only occurs on the corporate network or VPN
- Git operations work fine from home or personal networks
- Other developers on the same network experience the same issue
- Your browser shows a different certificate issuer than expected (e.g., "Company Name Root CA" instead of "DigiCert" or "Let's Encrypt")
First, confirm that a corporate proxy is indeed intercepting your HTTPS traffic by checking the certificate issuer:
# Check who issued the certificate for github.com
openssl s_client -connect github.com:443 </dev/null 2>/dev/null | openssl x509 -noout -issuer
# Expected output from home network:
# issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
# Output if corporate proxy is intercepting:
# issuer=C = US, O = Your Company Name, CN = Company Proxy Root CA
You can also check in your browser:
1. Navigate to https://github.com
2. Click the padlock icon in the address bar
3. View certificate details
4. Check the "Issued By" field - if it shows your company name, the proxy is intercepting
If the certificate shows your company as the issuer, proceed with the steps below to add the corporate CA to Git's trust store.
On Windows, the easiest solution is to configure Git to use the Windows certificate store, where your IT department likely already installed the corporate CA:
# Configure Git to use Windows Secure Channel
git config --global http.sslBackend schannel
This tells Git to use the Windows native certificate management instead of its bundled OpenSSL certificates. Your corporate CA should already be in the Windows certificate store if IT properly configured your machine.
To verify the corporate CA is in Windows:
1. Press Win+R and type certmgr.msc
2. Navigate to Trusted Root Certification Authorities > Certificates
3. Look for your company's root CA certificate
If the certificate is missing from Windows, ask your IT department to install it or proceed to step 4 to manually add it.
Note: This setting persists across Git updates, unlike modifying the bundled certificate file.
If the Windows certificate store method doesn't work, or you're on Linux/macOS, you need to obtain the corporate CA certificate. There are several ways:
Option 1: Request from IT department (recommended)
Ask your IT/security team for the root CA certificate file. They should provide a .crt or .pem file.
Option 2: Export from browser
1. Visit https://github.com in your browser
2. Click the padlock icon > Certificate/Connection secure
3. View certificate chain
4. Select the ROOT certificate (topmost in chain, usually "Company Name Root CA")
5. Export as Base-64 encoded X.509 (.CER or .PEM)
Option 3: Extract using OpenSSL
# Extract the certificate chain
openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null | \
sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > chain.pem
# Extract just the root CA (last certificate in chain)
openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null | \
awk '/-----BEGIN CERTIFICATE-----/{cert=""} {cert=cert $0 "\n"} /-----END CERTIFICATE-----/{last=cert} END{print last}' > corporate-ca.crt
Option 4: Check common corporate locations
# Windows - check if IT deployed it here
dir "C:\ProgramData\Company\Certificates\"
# Linux - check system certificate store
ls /usr/local/share/ca-certificates/
ls /etc/pki/ca-trust/source/anchors/
Once you have the corporate CA certificate file, configure Git to trust it:
Option 1: Point Git to the certificate file directly
# Linux/macOS
git config --global http.sslCAInfo /path/to/corporate-ca.crt
# Windows (use forward slashes)
git config --global http.sslCAInfo C:/Users/YourName/certs/corporate-ca.crt
Option 2: Append to Git's certificate bundle (Windows)
# Find Git's certificate bundle
# Usually at: C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt
# Append corporate CA to the bundle (run as Administrator)
type corporate-ca.crt >> "C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt"
Option 3: Create a combined certificate bundle
# Copy existing bundle and append corporate CA
cp /etc/ssl/certs/ca-certificates.crt ~/my-ca-bundle.crt
cat corporate-ca.crt >> ~/my-ca-bundle.crt
# Configure Git to use the combined bundle
git config --global http.sslCAInfo ~/my-ca-bundle.crt
Verify the configuration:
git config --global --get http.sslCAInfo
For a system-wide solution on Linux or macOS, add the corporate CA to the operating system's trust store:
Ubuntu/Debian:
# Copy certificate to system store
sudo cp corporate-ca.crt /usr/local/share/ca-certificates/
# Update the certificate store
sudo update-ca-certificates
# Verify it was added
ls /etc/ssl/certs/ | grep -i corporate
RHEL/CentOS/Fedora:
# Copy to the anchors directory
sudo cp corporate-ca.crt /etc/pki/ca-trust/source/anchors/
# Update the trust store
sudo update-ca-trust
# Verify
trust list | grep -i "company name"
macOS:
# Add to system keychain
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain corporate-ca.crt
# Or add to user keychain (no sudo required)
security add-trusted-cert -r trustRoot -k ~/Library/Keychains/login.keychain corporate-ca.crt
After installing system-wide, Git should automatically trust certificates signed by the corporate CA.
If your corporate proxy requires explicit configuration, set up Git to use it:
# Configure HTTP proxy
git config --global http.proxy http://proxy.company.com:8080
# If authentication is required (note: the password is stored in plain text in ~/.gitconfig)
git config --global http.proxy http://username:password@proxy.company.com:8080
# Git has no separate https.proxy setting; http.proxy above is also used for HTTPS remotes
For proxies that require NTLM authentication (common in Windows environments):
# Use cntlm proxy as an intermediary
# Install cntlm, configure with your domain credentials
# Then point Git to the local cntlm instance
git config --global http.proxy http://localhost:3128
Environment variables (alternative method):
# Set in your shell profile (.bashrc, .zshrc, etc.)
export HTTP_PROXY=http://proxy.company.com:8080
export HTTPS_PROXY=http://proxy.company.com:8080
export NO_PROXY=localhost,127.0.0.1,.company.com
Bypass proxy for internal Git servers:
# Don't use proxy for internal Git server
git config --global http.https://git.internal.company.com.proxy ""
When running Git in Docker containers or CI/CD pipelines behind a corporate proxy, you need to inject the corporate CA:
Dockerfile:
FROM ubuntu:22.04
# Copy corporate CA certificate
COPY corporate-ca.crt /usr/local/share/ca-certificates/
# Update certificate store
RUN apt-get update && apt-get install -y ca-certificates git && \
    update-ca-certificates
# Configure Git to use system certificates
RUN git config --global http.sslCAInfo /etc/ssl/certs/ca-certificates.crt
Alpine-based images:
FROM alpine:3.18
COPY corporate-ca.crt /usr/local/share/ca-certificates/
RUN apk add --no-cache ca-certificates git && \
    update-ca-certificates
GitHub Actions (self-hosted runners):
- name: Install corporate CA
  run: |
    echo "${{ secrets.CORPORATE_CA_CERT }}" | sudo tee /usr/local/share/ca-certificates/corporate-ca.crt
    sudo update-ca-certificates
GitLab CI:
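before_script:
  # update-ca-certificates only picks up files ending in .crt, so name the copy explicitly
  - cp "$CORPORATE_CA_CERT" /usr/local/share/ca-certificates/corporate-ca.crt
  - update-ca-certificates
Jenkins: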
pipeline {
    agent any
    environment {
        GIT_SSL_CAINFO = '/path/to/corporate-ca-bundle.crt'
    }
    stages {
        stage('Checkout') {
            steps {
                git url: 'https://github.com/org/repo.git'
            }
        }
    }
}
Warning: Only disable SSL verification temporarily, to confirm the issue is SSL-related. Never use it in production or with sensitive repositories.
# Disable SSL verification for a single command
GIT_SSL_NO_VERIFY=true git clone https://github.com/org/repo.git
# Disable for current repository only
git config http.sslVerify false
# Disable globally (NOT RECOMMENDED)
git config --global http.sslVerify false
# Disable for specific domain only
git config --global http.https://github.com.sslVerify false
Re-enable immediately after testing:
git config --global http.sslVerify true
git config --unset http.sslVerify
# Also remove the per-domain override, which would otherwise stay in effect
git config --global --unset http.https://github.com.sslVerify
Security warning: Disabling SSL verification makes your connection vulnerable to man-in-the-middle attacks. An attacker could intercept your credentials and inject malicious code. Only use this to confirm the root cause, then implement proper certificate trust.
How corporate SSL inspection works:
Corporate proxies that perform SSL inspection essentially perform an authorized man-in-the-middle attack:
1. Your Git client connects to github.com:443
2. The proxy intercepts the connection
3. The proxy connects to github.com on your behalf, verifying GitHub's real certificate
4. The proxy creates a new certificate for github.com, signed by the corporate CA
5. The proxy presents this certificate to your Git client
6. Git sees an unknown CA and fails verification
The corporate CA must be installed on all client machines for this to work transparently.
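The steps above, and the risk in the earlier "Extract using OpenSSL" option of trusting whatever certificate the network hands you, can be reproduced offline. The script below is an added example, not part of the original article: it builds a constructed root CA and leaf, vets a CA file before it is trusted (single certificate, self-issued, `CA:TRUE`, SHA-256 fingerprint equal to the value IT gave you out-of-band), and shows `openssl verify` failing with "unable to get local issuer certificate" until that CA is in the bundle. The function names, `Example Corp Proxy Root CA` and `git.example.test` are assumptions made for the demo.

```shell
#!/bin/sh
# Added example; every name, subject and file below is constructed for the demo.

# Build a throwaway root CA named $2, plus a leaf it signs, in directory $1.
make_demo_pki() {
    printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=v3\n' > "$1/ca.cnf"
    printf '[dn]\nCN=%s\n[v3]\nbasicConstraints=critical,CA:TRUE\n' "$2" >> "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=git.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/leaf.crt" 2>/dev/null
}

# Succeed only if file $1 holds exactly one self-issued CA certificate whose
# SHA-256 fingerprint equals $2 (the value IT published out-of-band).
check_ca_cert() {
    [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 1 ] ||
        { echo "expected exactly one certificate"; return 1; }
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] ||
        { echo "not a root: issuer differs from subject"; return 1; }
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' ||
        { echo "not marked as a CA"; return 1; }
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    [ "$actual" = "$2" ] || { echo "fingerprint mismatch: $actual"; return 1; }
    echo "ok"
}

# Report OpenSSL's verdict on certificate $1 with bundle $2 as the CA file.
verify_against() { openssl verify -CAfile "$2" "$1" 2>&1; }

demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/corp" "$tmp/public" || return 1
    make_demo_pki "$tmp/corp" "Example Corp Proxy Root CA" || return 1
    make_demo_pki "$tmp/public" "Constructed Public Root" || return 1
    # Stand-in for the fingerprint IT would publish
    pin=$(openssl x509 -in "$tmp/corp/ca.crt" -noout -fingerprint -sha256 | cut -d= -f2)
    echo "corporate CA file: $(check_ca_cert "$tmp/corp/ca.crt" "$pin")"
    echo "leaf passed as CA: $(check_ca_cert "$tmp/corp/leaf.crt" "$pin")"
    # Bundle without the corporate CA: the failure Git reports behind the proxy
    echo "before: $(verify_against "$tmp/corp/leaf.crt" "$tmp/public/ca.crt")"
    cat "$tmp/public/ca.crt" "$tmp/corp/ca.crt" > "$tmp/bundle.crt"
    echo "after:  $(verify_against "$tmp/corp/leaf.crt" "$tmp/bundle.crt")"
    rm -rf "$tmp"
}
demo
```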
Troubleshooting certificate chain issues:
# View the full certificate chain
openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null | \
grep -E "(s:|i:|depth)"
# Verify a certificate against a CA bundle
openssl verify -CAfile /path/to/ca-bundle.crt certificate.pem
# Check which CA Git is using
GIT_CURL_VERBOSE=1 git ls-remote https://github.com/org/repo.git 2>&1 | grep -i "CAfile\|CApath"
Per-repository SSL configuration:
You can set SSL options per-remote URL for fine-grained control:
# Trust specific CA only for GitHub
git config --global http."https://github.com".sslCAInfo /path/to/github-proxy-ca.crt
# Different CA for internal GitLab
git config --global http."https://gitlab.company.com".sslCAInfo /path/to/internal-ca.crt
# View all URL-specific configs
git config --global --get-regexp 'http\..*\.sslCAInfo'
Using Git credential manager behind proxy:
If credential manager also fails:
# Windows - ensure credential manager uses schannel too
git config --global credential.https://github.com.provider wincred
# Or use Git Credential Manager Core (the helper is named "manager" in current Git Credential Manager releases)
git config --global credential.helper manager-core
Verifying the fix:
# Test with verbose output
GIT_CURL_VERBOSE=1 git ls-remote https://github.com/org/repo.git
# Should show "SSL certificate verify ok" in output
Common corporate proxy products:
- Zscaler
- Blue Coat/Symantec Proxy
- Palo Alto Networks
- Forcepoint
- McAfee Web Gateway
- Cisco Umbrella
Each may have slightly different certificate distribution methods - check with your IT security team for the correct root CA certificate.