Git Clone Error : unable to get local issuer certificate

Recently I was cloning an internal git repository and got the below error :
Git Clone Error : unable to get local issuer certificate
On linux (ubuntu) this error message was:
fatal: unable to access ‘https://***.git/’: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
After bit of google search, I tried few things and was able to solve it. I am noting down here steps for future use. It should not take more than 5 mins to solve.

Why part:

Before I go to the fix, first it needs to be understood why this error came in first place.
Git comes by default with some predefined ca-bundle. So these will be the list of CAs (Certificate Authorities) git will be trusting while making the SSL connection to the git repository. While most of the public repository will have their SSL certificate signed by known CA. Internal repository had self-signed certificate.
Since it was self-signed certificate, it’s CA was not in git’s trusted CA list, so git refused to trust the SSL connection and dropped the request there and then.


Export certificate in PEM format from the browser

Open the repository your are trying to access in browser. I used mozilla firefox. On the top left corner of firefox, there will be a lock button.
Click on lock button -> click on arrow(>) -> More information .
From there Securty -> View Certificate -> Details -> Export Certificate.
While exporting certificate select format : X.509 certificate with chain (PEM)  and save it at some known location.

Find the ca-bundles file location used by git

It is generally located at : ${git_home_directory}mingw64/ssl/certs/ca-bundle.crt
You can find out actual path by executing the command : git config –list
Look for the line starting with http.sslcainfo , on my machine it was :
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt

On ubuntu the path is /etc/ssl/certs/ca-certificates.crt .. It is also shown in the error message.

Copy the exported certificate into ca-bundle

Open the certificate you exported from browser in notepad or similar text tool. Copy everything, including — BEGIN CERTIFICATE — till — END CERTIFICATE —
Open the ca-bundle file (ca-bundles.crt) file and in the end paste all copied content.
Save the ca-bundle file.

Now restart your terminal and try whatever git command you were trying and it should work !! Bingo !! Enjoy !!

Leave a Reply