Git can't verify the remote's SSL/TLS certificate because the signing Certificate Authority isn't in your trust store. Common in corporate proxy networks, with self-signed certs, or outdated CA bundles.
The "SSL certificate problem: unable to get local issuer certificate" error occurs when Git's SSL/TLS layer cannot complete the certificate verification chain. Every SSL certificate is signed by a Certificate Authority (CA), and your system maintains a list of trusted CAs. When Git connects to a remote server over HTTPS, it checks whether the server's certificate chains up to a CA in this trust store. This error indicates that the issuing CA certificate is missing from your system's trust store. This commonly happens in several scenarios: - **Corporate proxy environments** where security appliances intercept HTTPS traffic and re-sign certificates with a corporate CA - **Outdated system CA certificates** that don't include newer Certificate Authorities - **Self-signed certificates** used by private Git servers that aren't trusted by default - **Windows Git installations** that default to using a bundled certificate store instead of the Windows certificate store - **Network configurations** where intermediate certificates are not properly served by the remote server The underlying issue is that Git uses OpenSSL or the native TLS library to verify certificates, and the issuing CA's certificate must be present in the configured certificate store for verification to succeed.
On Windows, Git often uses its own bundled certificate store instead of the Windows system certificates. This is the most common cause of SSL errors on Windows systems, especially in corporate environments.
# Configure Git to use Windows Secure Channel (SChannel)
git config --global http.sslBackend schannelThis tells Git to use the Windows certificate store, which includes certificates installed by your IT department or added via Windows Update.
If you need to revert to the bundled OpenSSL certificates:
git config --global http.sslBackend opensslFor Visual Studio users, you can also configure this in Git settings:
1. Open Visual Studio
2. Go to Git > Settings > Git Global Settings
3. Change "Cryptographic Network Provider" from "Unset" to "Secure Channel"
Outdated CA certificates are a common cause of this error. Update your system's certificate store:
Ubuntu/Debian:
sudo apt update
sudo apt install --reinstall ca-certificates
sudo update-ca-certificatesRHEL/CentOS/Fedora:
sudo yum update ca-certificates
# or on Fedora
sudo dnf update ca-certificates
sudo update-ca-trustmacOS:
# Homebrew users can update OpenSSL
brew update
brew upgrade opensslWindows:
- Run Windows Update to get the latest root certificates
- Or download updated certificates from Microsoft's Root Certificate Program
You can tell Git exactly which certificate bundle to use for SSL verification:
# Find where Git is looking for certificates
git config --list | grep -i ssl
# Set a specific CA bundle file
git config --global http.sslCAInfo "/path/to/ca-bundle.crt"Common CA bundle locations:
Git for Windows:
git config --global http.sslCAInfo "C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt"Linux:
git config --global http.sslCAInfo /etc/ssl/certs/ca-certificates.crtmacOS with Homebrew:
git config --global http.sslCAInfo $(brew --prefix)/etc/openssl@3/cert.pemIf verification still fails, you need to trust the issuing CA certificate (for example, a corporate root CA or the self-signed CA of a private Git server). Add the CA — not the server's leaf certificate — to your system trust store so it survives CA updates and is picked up by all tools.
Step 1: Identify and export the issuing CA
Inspect the chain the server presents and confirm which certificate is the issuer/root rather than the leaf:
# Show the full chain the server sends
openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/nullIn the output, the first certificate (s: matching the hostname) is the server's leaf; the certificate(s) above it, ending in a self-signed root (where subject == issuer), are the CA(s) you must trust. In a corporate-proxy setup, export your organization's root CA from IT or your browser's certificate viewer instead of scraping it from the wire. Save the CA in PEM format as issuing-ca.crt.
Step 2: Install the CA into the system trust store
Do not edit /etc/ssl/certs/ca-certificates.crt (or /etc/pki/tls/certs/ca-bundle.crt) directly — those files are auto-generated by update-ca-certificates/update-ca-trust and your change would be wiped out on the next update. Drop the CA into the managed source directory instead:
Debian/Ubuntu:
# File must have a .crt extension and PEM contents
sudo cp issuing-ca.crt /usr/local/share/ca-certificates/issuing-ca.crt
sudo update-ca-certificatesRHEL/CentOS/Fedora:
sudo cp issuing-ca.crt /etc/pki/ca-trust/source/anchors/issuing-ca.crt
sudo update-ca-trust extractmacOS (system Keychain):
sudo security add-trusted-cert -d -r trustRoot \
-k /Library/Keychains/System.keychain issuing-ca.crtWindows: Import the CA into the Local Machine > Trusted Root Certification Authorities store, then set git config --global http.sslBackend schannel so Git uses it.
If you cannot modify the system store, point Git at a dedicated bundle that includes the CA instead (see Step 3 with http.sslCAInfo), rather than appending to the system-managed file.
If you're behind a corporate proxy that intercepts HTTPS traffic, you need to install your company's root CA certificate:
Step 1: Get the corporate CA certificate
- Contact your IT department for the root CA certificate
- Or export it from your browser's certificate viewer
Step 2: Add to the trust store
Windows:
1. Import the certificate into the Windows Certificate Store (Local Machine > Trusted Root Certification Authorities)
2. Configure Git to use Windows certificates:
git config --global http.sslBackend schannelLinux:
# Install the corporate CA into the managed source directory (not the generated bundle)
sudo cp corporate-ca.crt /usr/local/share/ca-certificates/corporate-ca.crt
sudo update-ca-certificates
# Or point Git directly at a bundle containing the CA
git config --global http.sslCAInfo /path/to/corporate-ca-bundle.crtVerify the proxy is intercepting:
# Check the certificate issuer - if it's your company, the proxy is intercepting
curl -v https://github.com 2>&1 | grep -i "issuer"SSL certificates have validity periods. If your system clock is wrong, valid certificates may appear expired or not yet valid:
# Check current system time
date
# On Linux, sync with NTP
sudo timedatectl set-ntp true
# Or manually set the time
sudo timedatectl set-time "2025-01-15 10:30:00"
# On Windows, sync time via Settings > Time & Language > Date & timeAfter correcting the time, retry your Git operation. This is especially common on virtual machines or systems that have been suspended for long periods.
Warning: Disabling SSL verification removes protection against man-in-the-middle attacks. Exhaust the secure options above (install the issuing CA, fix the CA bundle, sync the clock) first. Only use this to confirm the problem is SSL-related, in an isolated development environment, and never against production or sensitive repositories.
# Disable SSL verification for a single command only (preferred over global config)
GIT_SSL_NO_VERIFY=true git clone https://example.com/repo.git
# Disable for a specific repository only (scoped, not global)
git config http.sslVerify false
# Disable for a specific domain only
git config --global http.https://example.com/.sslVerify falseAvoid the blanket git config --global http.sslVerify false, which silently disables verification for every host and every future clone. If you set verification off anywhere, re-enable it as soon as you have a proper fix:
git config --global http.sslVerify true
# and remove any repo- or host-scoped overrides you added
git config --unset http.sslVerifyUnderstanding certificate chains:
SSL certificates form a chain of trust: your server's certificate (the leaf) is signed by an intermediate CA, which is signed by a root CA. To trust the connection, the issuing CA (intermediate and/or root) must be in your trust store — adding only the leaf certificate is not the correct fix. View the full chain with:
openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/nullThe first certificate is the leaf; certificates where subject equals issuer are self-signed roots.
Git's SSL backend options:
- openssl - Uses the OpenSSL library with bundled certificates (default on most systems)
- schannel - Uses Windows Secure Channel (Windows certificate store)
- secure-transport - Uses macOS Secure Transport (Keychain)
Check the current backend:
git config --global http.sslBackendEnvironment variables that affect SSL:
- GIT_SSL_NO_VERIFY - If set to any value, disables SSL verification
- GIT_SSL_CAINFO - Path to CA certificate file
- GIT_SSL_CAPATH - Path to a directory containing CA certificates
- SSL_CERT_FILE - Used by OpenSSL for the certificate file location
- SSL_CERT_DIR - Used by OpenSSL for the certificate directory
Debugging SSL issues:
# Verbose Git output showing SSL details
GIT_CURL_VERBOSE=1 git clone https://github.com/user/repo.git
# Test the SSL connection directly against a specific CA bundle
openssl s_client -connect github.com:443 -CAfile /path/to/ca-bundle.crt
# Verify a certificate against a CA bundle
openssl verify -CAfile /path/to/ca-bundle.crt server-cert.pemFor CI/CD pipelines:
If you see this error in CI/CD, ensure the build container has updated CA certificates:
# Dockerfile example
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y ca-certificates gitOr for Alpine-based images:
FROM alpine:3.18
RUN apk add --no-cache ca-certificates gitTo add a corporate CA in CI, copy it into /usr/local/share/ca-certificates/ (Debian) or /etc/pki/ca-trust/source/anchors/ (RHEL) and run the update command, rather than baking GIT_SSL_NO_VERIFY into the pipeline.
ssh: Could not resolve hostname github.com: Name or service not known
How to fix 'ssh: Could not resolve hostname github.com: Name or service not known' in Git
error: insufficient permission for adding an object to repository database .git/objects
How to fix "insufficient permission for adding an object to repository database" in Git
fatal: could not create work tree dir 'repo': Permission denied
How to fix "could not create work tree dir: Permission denied" in Git
Smudge error: Error downloading object: The requested URL returned error
How to fix Git LFS 'Smudge error: Error downloading object' error
fetch-pack: unexpected disconnect while reading sideband packet
How to fix 'unexpected disconnect while reading sideband packet' in Git