Windows git ssl certificate problem unable to get local issuer certificate

Problem

The following is seen on the command line when pushing or pulling:

SSL Certificate problem: unable to get local issuer

Cause

There are two potential causes that have been identified for this issue.

1. A Self-signed certificate cannot be verified. 
2. Default GIT crypto backend (Windows clients)

Resolution

Resolution #1 — Self Signed certificate

Workaround

Tell git to not perform the validation of the certificate using the global option:

git config --global http.sslVerify false

 Please be advised disabling SSL verification globally might be considered a security risk and should be implemented only temporarily

Resolution — Client Side

There are several ways this issue has been resolved previously. Below we suggest possible solutions that should be run on the client side:

1.  Ensure the root cert is added to git.exe’s certificate store. The location of this file will depend on how/where GIT was installed. For instance, the trusted certificate store directory for Git Bash is C:Program FilesGitmingw64sslcerts. This is also discussed on this Microsoft blog.

2. Tell Git where to find the CA bundle, either by running:

   git config --system http.sslCAPath /absolute/path/to/git/certificates

   where /absolute/path/to/git/certificates  is the path to where you placed the file that contains the CA certificate(s).

   or by copying the CA bundle to the /bin  directory and adding the following to the gitconfig file:

   sslCAinfo = /bin/curl-ca-bundle.crt

3. Reinstall Git.

4. Ensure that the complete certificate chain is present in the CA bundle file, including the root cert.

Resolution — Server Side

This issue can also happen on configurations where Bitbucket Server is secured with an SSL-terminating connector rather than a proxy

1. Ensure that the Java KeyStore has the entire certificate chain (Intermediate CA and Root CA) 
   • View the Certificate Chain Details inside the KeyStore using a tool like the KeyStore Explorer to check

Resolution #2 — Default GIT crypto backend

When using Windows, the problem resides that git by default uses the «Linux» crypto backend, so the GIT operation may not complete occasionally. Starting with Git for Windows 2.14, you can configure Git to use SChannel, the built-in Windows networking layer as the crypto backend. To do that, just run the following command in the GIT client:

git config --global http.sslbackend schannel

This means that it will use the Windows certificate storage mechanism and you don’t need to explicitly configure the curl CA storage (http.sslCAInfo) mechanism.

What is the ‘ssl certificate problem unable to get local issuer certificate’ error

The unable to get local issuer certificate is a common issue faced by developers when trying to push, pull, or clone a git repository using Git Bash, a command-line tool specific to Windows.

The unable to get local issuer certificate error often occurs when the Git server’s SSL certificate is self-signed. The issue with self-signed certificates is that the private key associated with them cannot be revoked, making it a security vulnerability.

Alternatively, it can be due to incorrect configuration for Git on your system or when using git inside Visual Studio Code (VS Code) terminal.

What causes ‘ssl certificate problem unable to get local issuer certificate’

The unable to get local issuer certificate error is caused by the misconfiguration of the SSL certificate on your local machine. When pushing, pulling, or cloning, Git cannot verify your SSL certification, which leads to the error.

A valid HTTPS handshake requires both the client and the server to create a secure connection, allowing for safe communication between your local machine and where the source code is hosted. When the SSL certificate cannot be verified, Git cannot complete the HTTPS handshake with the server that hosts the repository.

When the unable to get local issuer certificate error occurs in VS Code, it is often because Visual Studio cannot locate the SSL certificate. This may be due to the path being misconfigured on the local machine.

How can you fix ‘ssl certificate problem unable to get local issuer certificate errors’

When ssl certificate problem unable to get local issuer certificate error is caused by a self-signed certificate, the fix is to add the certificate to the trusted certificate store.

By default, the trusted certificate store is located in the following directory for Git Bash:

C:Program FilesGitmingw64sslcerts

Open the file ca-bundle.crt located in the directory above, then copy and paste the Git SSL certificate to the end of the file. Once completed, save the file and run your git pull, push, or clone command.

Disabling SSL certificate validation is not recommended for security purposes. However, it is an option for fixing the ssl certificate problem unable to get local issuer certificate error.

You can disable SSL certificate validation locally in Git using the following command:

$ git -c http.sslVerify=false clone [URL]

You can also disable SSL certificate validation at a global level using the following command:

$ git config --global http.sslVerify false

To re-enable SSL certificate validation, use the following command:

$ git config --global http.sslVerify true

Another method for fixing the ssl certificate problem unable to get local issuer certificate error is to reinstall Git and choose the SSL transport backend option during the installation process.

If the unable to get local issuer certificate error occurs inside Visual Studio Code, you need to grant your repository access to the SSL certificates. To do this, git can be reconfigured with the --global flag on your SSL certificate configuration. This will give the Git server accessibility to the required SSL certificate.

To do this, run the following command in the Terminal:

git config --global http.sslBackend schannel

Accessibility to SSL certificate verification can also be set at the system level. To do this, you must be running in administrator mode before executing the following command:

git config --system http.sslBackend schannel

If the unable to get local issuer certificate error in Visual Studio Code is not due to accessibility but a location misconfiguration, this can be fixed by reassigning the path. This can be done through the following command:

git config --global http.sslcainfo "Path"

How to prevent ‘ssl certificate problem unable to get local issuer certificate’ errors

The main purpose of a SSL certificate is to confirm authentication so that the information passed between client and server is secure. When an unable to get local issuer certificate error occurs, a secure connection cannot be established, and the git client rejects your attempt to push, pull, or clone a repository for security reasons.

While disabling SSL certificates altogether is an option and common fix, it is not recommended. It opens up a security vulnerability for your repository and your local machine. Nevertheless, you can negate the unable to get local issuer certificate error by disabling SSL certificates at a local and global level. If SSL certificates are disabled at a global level, it is good to always enable them again so that other projects are not impacted by the intentional security disablement.

To prevent the error, ensure that you have a valid SSL certificate in your certificate store. Alternatively, you can reinstall your Git Bash with SSL Transport backend selected during the installation process.

If you are using Git via Visual Studio Code and have a valid SSL certificate in your certificate store but still encounter the certificate problem error, use the --global flag on your SSL certificate configuration to grant the Git server accessibility.

Kubernetes Troubleshooting With Komodor

We hope that the guide above helps you better understand the troubleshooting steps you need to take in order to fix the unable to get local issuer certificate error.

Keep in mind that this is just one of many Git errors that can pop up in your k8s logs and cause the system to fail. Due to the complex and distributed nature of k8s, the search for the root cause of each such failure can be stressful, disorienting, and time-consuming.

Komodor is a Kubernetes troubleshooting platform that turns hours of guesswork into actionable answers in just a few clicks. Using Komodor, you can monitor, alert and troubleshoot incidents in your entire K8s cluster.

For each K8s resource, Komodor automatically constructs a coherent view, including the relevant deploys, config changes, dependencies, metrics, and past incidents. Komodor seamlessly integrates and utilizes data from cloud providers, source controls, CI/CD pipelines, monitoring tools, and incident response platforms.

• Discover the root cause automatically with a timeline that tracks all changes made in your application and infrastructure.
• Quickly tackle the issue, with easy-to-follow remediation instructions.
• Give your entire team a way to troubleshoot independently, without having to escalate.

First published on MSDN on Dec 19, 2016



One of the most common issue with TFS/GIT users come across is the issue caused by self-signed certificates or the corporate certificates.


Error: SSL certificate problem: unable to get local issuer certificate

This Applied to:

TFS 2015 update 3



Git 2.10.0



Android studio 2.1.2



Java 1.7.45

We used Android studio and VSTS/TFS plugin to clone a GIT repository, we faced issues in retrieving the local issuer certificate. These are certificates that have not been signed by a known trusted certificate authority. The problem is that GIT/JAVA will not accept this certificate automatically. We need to force GIT/JAVA to accept the self-signed certificates.

Let’s now consider how to go about with the resolution,

Initially, we faced issues with TFS authentication,

Unable to authenticate to TFS ‘https://server:8080/tfs». verify access to the server URL and try ‘Connect…’ again.

Very often this error can be interpreted to be the result of self-signed certificate.  If the certificate in use is Self-signed or any other certificate that is private to the internal network. Java doesn’t trust such certificates and for which, we can

import the cert

into the trust store and make it to work.

The link explains how the certificate import works in a Linux machine (which is also applicable for Windows).

the “

keytool

” is under “

<JAVA_HOME>binkeytool.exe

”, and

the “

cacerts

” trust store is under “

<JAVA_HOME>jrelibsecuritycacerts

”.

<JAVA_HOME>

should be the

jre/jdk installation

used by IntelliJ.

This should have resolved the above TFS connectivity failure.

Note:

If you are using self-signed certificate, you may not be able to connect to TFS from the plugin

Error message:

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name ‘server’ does not match the certificate subject provided by the peer (CN=server.corp.fabricam.com)

Providing the complete FQDN(

https://server.corp.fabricam.com/tfs

) instead of the server or the machine name (

https://server/tfs

) is mandatory as the canonical name is set to map to the FQDN.

After getting past the connectivity issue, there are instances in which we get error like the one below:

SSL certificate problem: unable to get local issuer certificate

In the android logs,

#git4idea.commands.GitHandler — fatal: unable to access ‘

https://server/tfs/DefaultCollection/_git/gitRepo/

‘: SSL certificate problem: unable to get local issuer certificate

Exception : javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:498)

at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:225)

at org.glassfish.jersey.client.JerseyInvocation$1.call(JerseyInvocation.java:655)

at org.glassfish.jersey.client.JerseyInvocation$1.call(JerseyInvocation.java:652)

at org.glassfish.jersey.internal.Errors.process(Errors.java:315)

at org.glassfish.jersey.internal.Errors.process(Errors.java:297)

at org.glassfish.jersey.internal.Errors.process(Errors.java:228)

at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:423)

at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:652)

at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:387)

at org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:291)

at com.microsoft.alm.plugin.context.rest.VstsHttpClient.sendRequest(VstsHttpClient.java:30)

at com.microsoft.alm.plugin.context.ServerContextManager.checkTfsVersionAndConnection(ServerContextManager.java:257)

atcom.microsoft.alm.plugin.context.ServerContextManager.validateServerConnection(ServerContextManager.java:206)              at com.microsoft.alm.plugin.context.ServerContextManager.validateServerConnection(ServerContextManager.java:171)

at com.microsoft.alm.plugin.idea.common.services.CredentialsPromptImpl.validateCredentials(CredentialsPromptImpl.java:68)

atcom.microsoft.alm.plugin.authentication.TfsAuthenticationProvider$TfsAuthenticator.run(TfsAuthenticationProvider.java:100)

There are 2 methods of dealing with this issue.

1.Disable SSL verification using below command,

git config —global http.sslVerify false

NOTE:



If you disable SSL certificates verification, then you are susceptible to Man in middle attacks.

2.The preferred method is import certificate authority (CA) to trusted certificate authority store.

If we can verify that disabling SSL verification works, then this article may help:

https://blogs.msdn.microsoft.com/phkelley/2014/01/20/adding-a-corporate-or-self-signed-certific…

But, in case if the article doesn’t help,

Try exporting the certificate in all the levels again, following the instructions on the blog.

Test certificates with curl.exe, to check if the SSL handshake is successful.

«c:Program FilesGitmingw64bincurl.exe» -v

https://server-name

-cacert c:pathtocertfile.cer

Now, import the certificate into the Git.exe cert store as we did before (also from blog). After importing the certificate, GIT clone’s files from the master branch.

For the complete encryption and the decryption, import the certificate into the Java cert store for Android Studio.

JRE that is now packaged with Android Studio 2.2. You can find it at the root of the Android Studio folder. “C:program filesAndroidAndroid Studiojre”

Hope this helps!

Content:

Ramandeep Singh


Review:

Romit Gulati

Quick step by step to fix SSL certificate problem: Unable to get local issuer certificate error.

Have you experienced the ‘SSL certificate problem unable: to get local issuer certificate’ problem while attempting to move from HTTP to HTTPS? We know how overwhelming it can be to deal with this issue but don’t let that frighten you. Here, we can help you fix it with this piece of writing and don’t make the wrong decisions like uninstalling your SSL certificate.

Regardless of which error pops up or the complexities involved in fixing it, never uninstall your SSL Certificate to get rid of SSL errors as doing that could prove to be fatal and expose you to serious security risks. Always remember that your SSL certificate protects the communication exchanged between the server and the browser, which prevents data interception of a third party.

Even, data privacy laws are getting stricter by the day, and therefore, you cannot make the unwise decision to uninstall your SSL. So, your only option is to get to the bottom of the ‘unable to get local issuer certificate’ error and fix it.

Before we help you do that, let us figure out how an SSL Certificate works and why it shows up the ‘curl: (60) SSL certificate problem: unable to get local issuer certificate’ or the ‘git SSL certificate problem unable to get local issuer certificate’ errors.

Why SSL Certificate Problem: Unable to get Local Issuer Certificate Error Happen?

Your SSL certificate’s primary purpose is to confirm authentication and ensure a secure exchange of information between the server and the client by referring to the HTTPS protocol. That is only possible when you have a working root certificate that is either directly or indirectly signed by a Certificate Authority. However, the error unable to get local issuer certificate’ occurs when the root certificate is not working properly especially when an SSL client makes an HTTPS request and during this, the client has to share an SSL certificate for identity verification.

Therefore, you need to take the necessary actions required to help bridge the gap.

How to Fix SSL Certificate Problem: Unable to get Local Issuer Certificate?

Now that we know the reasons for the ‘unable to get local issuer certificate’ glitch, it’s time to act. You could be experiencing this glitch due to many reasons, and those reasons could vary from software interfering in the SSL/TSL session or your Git application. Once you identify the cause, it becomes a whole lot easier to fix it. If you are unable to do that, then we recommend that you try out all the fixes one after another and something will work.

Unverified Self-signed SSL Certificate

Anyone can sign an SSL certificate by generating a signing key; however, the OS and the Web Browser may not be able to identify that. This could be the reason why you see the ‘SSL certificate problem: unable to get local issuer certificate’ or the ‘curl: (60) SSL certificate problem: unable to get local issuer certificate’ error.

Solution – Buy an SSL Certificate that is authenticated by a reputed certificate Authority and install it.

Alter the php.ini file to solve ‘unable to get local issuer certificate’

Log in to your web control panel such as cPanel and locate the file manager. You will then find the PHP software, and inside that, you can find the php.ini file that you need to edit. Follow the below-mentioned steps.

Change Php.ini

• Click on http://curl.haxx.se/ca/cacert.pem and download cacert.pem.
• After that, copy cacert.pem to openssl/zend, like ‘/usr/local/openssl-0.9.8/certs/cacert.pem’.
• Finally, navigate to the php.ini file, modify CURL. Add “cainfo = ‘/usr/local/openssl-0.9.8/certs/cacert.pem’” to modify it.
• Restart PHP
• Confirm if CURL can now read the HTTPS URL.

Without Altering php.ini file

Use the code given below:

$ch = curl_init();
$certificate_location = ‘/usr/local/openssl-0.9.8/certs/cacert.pem’;
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $certificate_location);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $certificate_location);

Git Users

Most Git users experience the ‘SSL certificate problem: unable to get local issuer certificate’ or the ‘git SSL certificate problem unable to get local issuer certificate’ error at some point in time. If you have encountered it, then there are two ways of solving this — the first one is a permanent fix and the second one is a temporary fix, which we shall discuss below.

Permanent Fix

If you are a Git user-facing the ‘git SSL certificate problem unable to get local issuer certificate’ error, then you need to tell Git where the CA bundle is located.

To help Git find the CA bundle, use the below-mentioned command:

git config –system http.sslCAPath /absolute/path/to/git/certificates

Temporary Fix

To temporarily fix the ‘SSL certificate problem: unable to get local issuer certificate’ error, you could disable the verification of your SSL certificate. However, we recommend that you use it sparingly as it could lower your website’s security.

Use the following command to disable the verification of your SSL certificate:

git config –global http.sslVerify false

If neither of the two options work, consider removing and reinstalling Git.

Conclusion:

We are confident that one of the above ‘SSL certificate problem: unable to get local issuer certificate’ error fixes would work for you. Finally, we strongly recommend that you entirely avoid removing your SSL certificate. Your website needs to be protected, and one of your most robust defenses is an active SSL certificate.

Related SSL Errors:

• ERR_CONNECTION_REFUSED
• Secure Connection Failed in Firefox
• NET::ERR_CERT_AUTHORITY_INVALID
• ERR_SSL_VERSION_INTERFERENCE
• ERR_SSL_PROTOCOL_ERROR