This error occurs when Git cannot verify the SSL/TLS certificate of a remote repository because the Certificate Authority (CA) that signed the certificate is not in your system's trust store. It commonly happens in corporate environments with proxy servers, on systems with outdated CA certificates, or when using self-signed certificates.
The "SSL certificate problem: unable to get local issuer certificate" error occurs when Git's SSL/TLS layer cannot complete the certificate verification chain. Every SSL certificate is signed by a Certificate Authority (CA), and your system maintains a list of trusted CAs. When Git connects to a remote server over HTTPS, it checks if the server's certificate was signed by a CA in this trust store. This error indicates that the CA certificate is missing from your system's trust store.

This commonly happens in several scenarios:

- **Corporate proxy environments** where security appliances intercept HTTPS traffic and re-sign certificates with a corporate CA
- **Outdated system CA certificates** that don't include newer Certificate Authorities
- **Self-signed certificates** used by private Git servers that aren't trusted by default
- **Windows Git installations** that default to using a bundled certificate store instead of the Windows certificate store
- **Network configurations** where intermediate certificates are not properly served by the remote server

The underlying issue is that Git uses OpenSSL or the native TLS library to verify certificates, and the issuing CA's certificate must be present in the configured certificate store for verification to succeed.
On Windows, Git often uses its own bundled certificate store instead of the Windows system certificates. This is the most common cause of SSL errors on Windows systems, especially in corporate environments.
```bash
# Configure Git to use Windows Secure Channel (SChannel)
git config --global http.sslBackend schannel
```

This tells Git to use the Windows certificate store, which includes certificates installed by your IT department or added via Windows Update.
If you need to revert to the bundled OpenSSL certificates:
```bash
git config --global http.sslBackend openssl
```

For Visual Studio users, you can also configure this in Git settings:
1. Open Visual Studio
2. Go to Git > Settings > Git Global Settings
3. Change "Cryptographic Network Provider" from "Unset" to "Secure Channel"
Outdated CA certificates are a common cause of this error. Update your system's certificate store:
Ubuntu/Debian:

```bash
sudo apt update
sudo apt install --reinstall ca-certificates
sudo update-ca-certificates
```

RHEL/CentOS/Fedora:

```bash
sudo yum update ca-certificates
# or on Fedora
sudo dnf update ca-certificates
sudo update-ca-trust
```

macOS:

```bash
# Homebrew users can update OpenSSL
brew update
brew upgrade openssl
```

Windows:
- Run Windows Update to get the latest root certificates
- Or download updated certificates from Microsoft's Root Certificate Program
You can tell Git exactly which certificate bundle to use for SSL verification:
```bash
# Find where Git is looking for certificates
git config --list | grep -i ssl
# Set a specific CA bundle file
git config --global http.sslCAInfo "/path/to/ca-bundle.crt"
```

Common CA bundle locations:

Git for Windows:

```bash
git config --global http.sslCAInfo "C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt"
```

Linux:

```bash
git config --global http.sslCAInfo /etc/ssl/certs/ca-certificates.crt
```

macOS with Homebrew:

```bash
git config --global http.sslCAInfo "$(brew --prefix)/etc/openssl@3/cert.pem"
```

If you need to trust a specific certificate (like a corporate CA or self-signed certificate), add it to Git's certificate bundle:
Step 1: Export the certificate
```bash
# Extract certificate from the server
openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null | \
  openssl x509 -outform PEM > server-cert.pem
# View certificate details
openssl x509 -in server-cert.pem -text -noout | head -20
```

Step 2: Add to certificate bundle
On Windows, locate Git's ca-bundle.crt (typically in C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt) and append the certificate content.
On Linux/macOS:
```bash
# Append certificate to the bundle
cat server-cert.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt
# Or create a dedicated file for custom certificates
sudo cp server-cert.pem /usr/local/share/ca-certificates/custom-ca.crt
sudo update-ca-certificates
```

If you're behind a corporate proxy that intercepts HTTPS traffic, you need to install your company's root CA certificate:
Step 1: Get the corporate CA certificate
- Contact your IT department for the root CA certificate
- Or export it from your browser's certificate viewer
Step 2: Add to Git's trust store
Windows:
1. Import the certificate into Windows Certificate Store (Local Machine > Trusted Root Certification Authorities)
2. Configure Git to use Windows certificates:
```bash
git config --global http.sslBackend schannel
```

Linux:

```bash
# Copy corporate CA to system store
sudo cp corporate-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
# Or configure Git directly
git config --global http.sslCAInfo /path/to/corporate-ca-bundle.crt
```

Verify the proxy is intercepting:

```bash
# Check certificate issuer - if it's your company, proxy is intercepting
curl -v https://github.com 2>&1 | grep -i "issuer"
```

SSL certificates have validity periods. If your system clock is wrong, valid certificates may appear expired or not yet valid:
```bash
# Check current system time
date
# On Linux, sync with NTP
sudo timedatectl set-ntp true
# Or manually set the time
sudo timedatectl set-time "2025-01-15 10:30:00"
# On Windows, sync time via Settings > Time & Language > Date & time
```

After correcting the time, retry your Git operation. This is especially common on virtual machines or systems that have been suspended for long periods.
Warning: This should only be used temporarily for debugging or in isolated development environments. Never use this in production or with sensitive repositories.
```bash
# Disable SSL verification for a single command
GIT_SSL_NO_VERIFY=true git clone https://example.com/repo.git
# Or configure Git to skip verification (NOT RECOMMENDED)
git config --global http.sslVerify false
# Disable for a specific repository only
git config http.sslVerify false
# Disable for a specific domain
git config --global http.https://example.com.sslVerify false
```

Re-enable SSL verification immediately after identifying the issue:

```bash
git config --global http.sslVerify true
```

This bypasses certificate verification entirely, making your connection vulnerable to man-in-the-middle attacks. Use only to confirm the issue is SSL-related, then implement a proper fix.
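A temporary `sslVerify false` is easy to leave behind, especially the per-domain form. The following check is an added example, not part of the original page: it lists every `http.sslVerify` or `http.<url>.sslVerify` entry that evaluates to false in a chosen config scope and reports whether `GIT_SSL_NO_VERIFY` is set. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: the config file written below is constructed sample data.
set -e

# List http.sslVerify / http.<url>.sslVerify keys that evaluate to false.
# Arguments select the scope, e.g. --global, --system, --local or --file PATH.
disabled_verify_keys() {
    # --bool normalises no/off/0/false to "false" before the comparison.
    git config "$@" --bool --get-regexp '^http\.(.*\.)?sslverify$' 2>/dev/null |
        awk '$NF == "false" { print $1 }'
}

# True when GIT_SSL_NO_VERIFY is present in the environment with any value.
env_disables_verify() {
    [ "${GIT_SSL_NO_VERIFY+set}" = "set" ]
}

# Constructed config: two entries disable verification, one keeps it enabled.
write_sample_config() {
    cat > "$1" <<'EOF'
[http]
	sslVerify = no
[http "https://git.example.test"]
	sslVerify = false
[http "https://other.example.test"]
	sslVerify = true
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
echo "Keys that disable TLS verification in the sample config:"
disabled_verify_keys --file "$sample"
if env_disables_verify; then
    echo "GIT_SSL_NO_VERIFY is set in this shell"
fi
rm -f "$sample"
```

Run `disabled_verify_keys --global` and, inside a repository, `disabled_verify_keys --local` to audit your real configuration.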
Understanding certificate chains:
SSL certificates form a chain of trust: your server's certificate is signed by an intermediate CA, which is signed by a root CA. All certificates in the chain (except the server certificate itself) must be in your trust store. Use this command to view the full chain:
```bash
openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null
```

Git's SSL backend options:
- openssl - Uses OpenSSL library with bundled certificates (default on most systems)
- schannel - Uses Windows Secure Channel (Windows certificate store)
- secure-transport - Uses macOS Secure Transport (Keychain)
Check current backend:
```bash
git config --global http.sslBackend
```

Environment variables that affect SSL:
- GIT_SSL_NO_VERIFY - If set to any value, disables SSL verification
- GIT_SSL_CAINFO - Path to CA certificate file
- GIT_SSL_CAPATH - Path to directory containing CA certificates
- SSL_CERT_FILE - Used by OpenSSL for certificate file location
- SSL_CERT_DIR - Used by OpenSSL for certificate directory
Debugging SSL issues:
```bash
# Verbose Git output showing SSL details
GIT_CURL_VERBOSE=1 git clone https://github.com/user/repo.git
# Test SSL connection directly
openssl s_client -connect github.com:443 -CAfile /path/to/ca-bundle.crt
# Check if certificate is valid
openssl verify -CAfile /path/to/ca-bundle.crt server-cert.pem
```

For CI/CD pipelines:
If you're seeing this error in CI/CD, ensure the build container has updated CA certificates:
```dockerfile
# Dockerfile example
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y ca-certificates git
```

Or for Alpine-based images:

```dockerfile
FROM alpine:3.18
RUN apk add --no-cache ca-certificates git
```