This error occurs when Git cannot establish an HTTPS connection because the SSL/TLS certificate presented by the remote server has expired. This commonly happens when root CA certificates expire, system CA certificates are outdated, or when the system clock is incorrect.
The "SSL certificate problem: certificate has expired" error appears when Git attempts to connect to a remote repository over HTTPS and encounters a certificate that has passed its validity period. SSL/TLS certificates have expiration dates as a security measure, and Git refuses to proceed when it detects an expired certificate. This error is particularly common in these scenarios:

- **Outdated CA root certificates** - When root Certificate Authority certificates expire (like the Let's Encrypt DST Root CA X3 expiration in September 2021)
- **Old Git installations** - Older versions of Git ship with bundled CA certificates that may have expired
- **Incorrect system clock** - If your system's date/time is wrong, valid certificates may appear expired
- **Corporate proxy interception** - Proxies that re-sign HTTPS traffic may use certificates that have expired
- **Self-signed certificates** - Development or internal servers with expired self-signed certificates

Git uses the OpenSSL library (or the Windows certificate store on Windows) to validate certificates. When the certificate chain cannot be verified against trusted CAs, or when any certificate in the chain has expired, Git blocks the connection to protect against potential man-in-the-middle attacks.
Before investigating certificates, verify your system's date and time are correct. An incorrect clock can make valid certificates appear expired:
```bash
# Check current system date
date
# If incorrect on Linux, sync with NTP
sudo timedatectl set-ntp true
sudo timedatectl set-timezone YOUR_TIMEZONE
# On macOS, enable automatic date/time in System Preferences > Date & Time
# On Windows, run in Administrator command prompt
w32tm /resync
```

If your clock was significantly off, try the git command again after correcting it.
The most reliable fix is to update your operating system's CA certificate bundle. This ensures you have the latest root certificates:
Ubuntu/Debian:

```bash
sudo apt update
sudo apt install --reinstall ca-certificates
sudo update-ca-certificates
```

RHEL/CentOS/Fedora:

```bash
sudo yum update ca-certificates
# or on newer systems
sudo dnf update ca-certificates
```

macOS:

```bash
# Update via Homebrew if installed
brew update && brew upgrade openssl
# Or update macOS to get latest certificates
softwareupdate --list
```

Windows:

- Run Windows Update to get the latest root certificates
- Or manually update via certutil: certutil -generateSSTFromWU roots.sst
Newer versions of Git include updated CA certificate bundles. Updating Git often resolves certificate issues:
Ubuntu/Debian:

```bash
# Add official Git PPA for latest version
sudo add-apt-repository ppa:git-core/ppa
sudo apt update
sudo apt install git
# Verify version
git --version
```

macOS:

```bash
# Via Homebrew
brew update && brew upgrade git
```

Windows:

Download the latest version from https://git-scm.com/download/win and reinstall. The installer will update the bundled CA certificates.

RHEL/CentOS:

```bash
sudo yum install https://packages.endpointdev.com/rhel/7/os/x86_64/endpoint-repo.x86_64.rpm
sudo yum install git
```

On Windows, Git can use either its bundled OpenSSL certificates or the Windows Certificate Store. If the Windows store has updated certificates, configure Git to use it:
```bash
# Use Windows Certificate Store instead of OpenSSL bundle
git config --global http.sslBackend schannel
# Verify the setting
git config --global http.sslBackend
```

This is particularly useful in corporate environments where IT has deployed certificates to the Windows store. To revert to OpenSSL:

```bash
git config --global http.sslBackend openssl
```

On macOS, duplicate certificates with different expiration dates can cause issues. Check for and remove expired duplicates:
```bash
# Open Keychain Access
open /Applications/Utilities/Keychain\ Access.app
```

1. Search for certificates that might have expired (e.g., "DST Root CA X3", "DigiCert")
2. Check whether two certificates share the same name but have different expiration dates
3. If so, delete the expired one (check the "Expires" field)
4. Keep the certificate with the future expiration date

Alternatively, from the command line:

```bash
# List every certificate in the System keychain with its subject and validity dates.
# openssl x509 reads only the first certificate on stdin, so awk starts a new
# openssl process at each BEGIN line.
security find-certificate -a -p /Library/Keychains/System.keychain | \
  awk -v cmd='openssl x509 -noout -subject -dates' '/BEGIN/{close(cmd)};{print | cmd}' 2>/dev/null
```

If certificate issues persist, switching to SSH authentication bypasses HTTPS entirely:
```bash
# Generate SSH key if you don't have one (replace the placeholder address)
ssh-keygen -t ed25519 -C "your_email@example.com"
# Add key to ssh-agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
# Print the public key so you can copy it
cat ~/.ssh/id_ed25519.pub
# Add this key to your GitHub/GitLab/Bitbucket account settings
```

Then clone or change the remote URL to use SSH:

```bash
# Clone via SSH
git clone git@github.com:username/repo.git
# Or change existing remote from HTTPS to SSH
git remote set-url origin git@github.com:username/repo.git
# Verify remote URL
git remote -v
```

As a last resort for urgent situations, you can disable SSL verification. This is dangerous and should only be used temporarily:
```bash
# Disable SSL verification for a single command
git -c http.sslVerify=false clone https://github.com/username/repo.git
# Or disable globally (NOT RECOMMENDED)
git config --global http.sslVerify false
```

Security Warning: Disabling SSL verification makes you vulnerable to man-in-the-middle attacks. Anyone on your network could intercept and modify your code. Only use this if:

- You understand the security risks
- You're on a trusted private network
- It's a temporary measure while you fix the real issue
- You re-enable verification immediately after: git config --global http.sslVerify true
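
To confirm the workaround was really rolled back, this added example (not part of the original page) scans `git config --list --show-scope --show-origin` output for any `http.sslVerify` or per-URL `http.<url>.sslVerify` entry set to a false value, and checks for the `GIT_SSL_NO_VERIFY` environment variable. The function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: find leftover settings that disable TLS verification in Git.
# Function names are illustrative, not part of Git.

# Reads "git config --list --show-scope --show-origin" output on stdin:
#   <scope> TAB <origin> TAB <key>=<value>
# Prints each entry that disables verification; exits 1 if any is found.
audit_sslverify() {
  awk -F'\t' '
    {
      kv = $3
      eq = index(kv, "=")
      if (eq == 0) next                 # key with no "=" is boolean true
      key = tolower(substr(kv, 1, eq - 1))
      val = tolower(substr(kv, eq + 1))
      # http.sslverify and the per-URL form http.<url>.sslverify
      if (key !~ /^http\.(.*\.)?sslverify$/) next
      # Git treats false, no, off, 0 and the empty string as false
      if (val == "false" || val == "no" || val == "off" || val == "0" || val == "") {
        printf "%s\t%s\t%s\n", $1, $2, kv
        found = 1
      }
    }
    END { exit found ? 1 : 0 }
  '
}

# Git also skips verification whenever GIT_SSL_NO_VERIFY is set (any value).
env_disables_verify() {
  [ -n "${GIT_SSL_NO_VERIFY+set}" ]
}

# Typical use (requires Git 2.26+ for --show-scope):
#   git config --list --show-scope --show-origin | audit_sslverify
#   env_disables_verify && echo "GIT_SSL_NO_VERIFY is set"
```

The scope and origin columns in the output show which file to edit, so a stray per-repository or system-level override is not missed when only the global setting is reset.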
Understanding the Let's Encrypt Root Certificate Expiration:
In September 2021, Let's Encrypt's DST Root CA X3 certificate expired. This caused widespread SSL errors because older systems trusted this root certificate. The solution is to ensure your system trusts the newer ISRG Root X1 certificate that Let's Encrypt now uses.
Checking certificate expiration:

```bash
# Check when a server's certificate expires
echo | openssl s_client -servername github.com -connect github.com:443 2>/dev/null | \
  openssl x509 -noout -dates
# Check your system's CA certificates
awk -v cmd='openssl x509 -noout -subject -dates' '/BEGIN/{close(cmd)};{print | cmd}' \
  /etc/ssl/certs/ca-certificates.crt 2>/dev/null | grep -A2 "DST Root"
```

Git's certificate locations:
- Linux: /etc/ssl/certs/ca-certificates.crt or /etc/pki/tls/certs/ca-bundle.crt
- macOS: System Keychain and /etc/ssl/cert.pem
- Windows with OpenSSL: C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt
- Windows with schannel: Windows Certificate Store
Custom CA certificate for Git:

If you need to use a specific CA certificate:

```bash
# Point Git to a specific CA bundle
git config --global http.sslCAInfo /path/to/custom-ca-bundle.crt
# Or for a specific repository
git config http.sslCAInfo /path/to/company-ca.crt
```

Corporate proxy debugging:
```bash
# Check which certificate is being presented
# (echo closes stdin so s_client exits after the handshake instead of waiting for input)
echo | openssl s_client -connect github.com:443 -proxy proxy.company.com:8080 2>/dev/null | \
  openssl x509 -noout -issuer -dates
# If the issuer is your company name, the proxy is intercepting HTTPS
# Contact IT for the corporate CA certificate
```

For CI/CD systems:
If this error occurs in CI/CD pipelines, ensure the build environment has updated CA certificates. For Docker-based CI:
```dockerfile
RUN apt-get update && apt-get install -y ca-certificates && update-ca-certificates
```