
Git

Published on 2023-03-10

Table of contents

  1. What is it?
  2. Issue sample
  3. Windows
    1. Solution 1
    2. Solution 2
    3. Solution 3
  4. Linux
  5. Fix it in macOS

What is it?

Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.

Official Documentation

You can always check the general troubleshooting guide before continuing.

Issue sample

The error might look like this when using Git:

...
SSL Certificate problem: unable to get local issuer certificate.
...

Windows

Git for Windows ships with its own certificate store. Trusted certificates are located in the directory C:\Program Files\Git\mingw64\ssl\certs and are saved in a file called ca-bundle.crt or ca-bundle.trust.crt. The files contain certificates in PEM (Base64) format.

Solution 1

You can append your missing certificate to the end of those files. The drawback of this solution is that the file(s) get updated every time Git for Windows gets updated, so you have to automate this step to re-apply the certificate on every update.

Solution 2

Another solution is to place a certificate store (crt) file somewhere in your user directory and insert your missing certificate in that file. Now you can use the following command to let Git use that file instead of its own:

git config --global http.sslCAInfo "%USERPROFILE%\<filepath to ca-trusted.crt>"

This can also be achieved by setting the GIT_SSL_CAINFO environment variable to the file path of a crt file.

This solution has a similar drawback: when certificates in the store file that are not your own expire, you have to update them in PEM (Base64) format. But since certificate expiration is rarer than a Git update, this solution is a little better.

Solution 3

All Git network traffic is performed by cURL. The cURL executable used by Git for Windows can be found at C:\Program Files\Git\mingw64\bin\curl.exe. Git uses this cURL executable unless the PATH environment variable contains another path to a cURL executable with higher precedence. Since cURL version 7.60.0, the Windows native Secure Channel (schannel) is supported, which can use the certificates located in the Windows Certificate Store. To check whether your Git for Windows installation uses a compatible version, run the following command:

"C:\Program Files\Git\mingw64\bin\curl.exe" --version

When the version is higher than 7.60.0, you can configure Git to use schannel as the SSL backend by executing the following command:

git config --global http.sslBackend schannel

This solution has the benefit that no certificate files have to be managed, which leaves the Windows Certificate Store as the single source of truth when it comes to certificate trust.

Documentation of git config
Documentation of Native Windows Certificate Verification (Schannel)

Linux

Depending on your Linux distribution, the trusted certificates can be located in different directories. Convert your certificate into PEM (Base64) format and save it somewhere in your user directory. After that, follow the guide here to put the certificate in the right location for your Linux distribution.

If your Linux distribution bundles the trusted certificates in one file, you can use the following Git command to point Git at it:

git config --global http.sslCAInfo <path to pem/crt file>

Or, if your Linux distribution stores the trusted certificates as separate files in a directory, you can use the following Git command:

git config --global http.sslCAPath <path to cert directory>

Alternatively you can set the GIT_SSL_CAINFO or GIT_SSL_CAPATH environment variable respectively. The documentation for the git configuration regarding certificate locations can be found here.
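
The bundle file that Windows Solution 2 and the Linux http.sslCAInfo setting point to can be built with a small script that runs in Git Bash or a Linux shell. This is an added example, not part of the original page; the function names and paths are assumptions, and it checks only the PEM markers, not the certificate's validity.

```shell
#!/bin/sh
# Added example. Function names and paths are assumptions, not from the page.

# Number of PEM certificate blocks in a file.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True only for a readable file holding exactly one BEGIN/END CERTIFICATE pair.
# Marker check only: it does not parse or validate the certificate itself.
is_single_pem_cert() {
    [ -r "$1" ] || return 1
    b=$(count_certs "$1")
    e=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
    [ "$b" -eq 1 ] && [ "$e" -eq 1 ]
}

# usage: build_ca_bundle <shipped-bundle> <out-bundle> <extra.pem>...
# Rebuilds <out-bundle> from the shipped bundle plus each extra certificate,
# so re-running it after a Git update picks up the refreshed shipped bundle.
build_ca_bundle() {
    base=$1; out=$2; shift 2
    tmp="$out.tmp.$$"
    tr -d '\r' < "$base" > "$tmp" || return 1      # normalise CRLF to LF
    for extra in "$@"; do
        body=$(grep -v -e '-----' "$extra" 2>/dev/null | tr -d '\r\n')
        if ! is_single_pem_cert "$extra" || [ -z "$body" ]; then
            echo "not a single PEM certificate: $extra" >&2
            rm -f "$tmp"
            return 1
        fi
        # Already trusted (e.g. appended earlier): do not add it twice.
        if tr -d '\n' < "$tmp" | grep -q -F -e "$body"; then
            continue
        fi
        # A bundle without a final newline would glue END and BEGIN markers
        # onto one line, which breaks PEM parsing; add the newline first.
        [ -z "$(tail -c 1 "$tmp")" ] || printf '\n' >> "$tmp"
        tr -d '\r' < "$extra" >> "$tmp"
    done
    mv "$tmp" "$out"        # replace in one step; Git never reads a partial file
}

# Example call (paths are placeholders):
#   build_ca_bundle /etc/ssl/certs/ca-certificates.crt "$HOME/ca-trusted.crt" corp-root.pem
#   git config --global http.sslCAInfo "$HOME/ca-trusted.crt"
```

On Windows, pass C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt (as /c/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt in Git Bash) as the shipped bundle.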

Fix it in macOS

Coming Soon…