What is the ‘ssl certificate problem unable to get local issuer certificate’ error?
The unable to get local issuer certificate
is a common issue faced by developers when trying to push, pull, or clone a git repository using Git Bash, a command-line tool specific to Windows.
Here are some common causes of the error:
- The Git server’s SSL certificate is self-signed or has been issued by the corporate Certificate Authority (CA). The issue with self-signed certificates is that the private key associated with them cannot be revoked, making it a security vulnerability.
- The error can also occur due to incorrect configuration for Git on your system or when using git inside Visual Studio Code (VS Code) terminal.
As a quick workaround, disable SSL validation either locally or globally. But this creates security issues so re-enable SSL as soon as possible
To resolve the error, you can try these steps (learn more below):
- Add certificate to trusted certificate store
- Reinstall Git and choose SSL transport backend option
- In VS Code, grant repository access to SSL certificates or reassign path
The unable to get local issuer certificate
error often occurs when the Git server’s SSL certificate is self-signed. The issue with self-signed certificates is that the private key associated with them cannot be revoked, making it a security vulnerability.
Alternatively, it can be due to incorrect configuration for Git on your system or when using git inside Visual Studio Code (VS Code) terminal.
This is part of a series of articles about Git Errors.
What causes ‘ssl certificate problem unable to get local issuer certificate’
The unable to get local issuer certificate
error is caused by the misconfiguration of the SSL certificate on your local machine. When pushing, pulling, or cloning, Git cannot verify your SSL certification, which leads to the error.
A valid HTTPS handshake requires both the client and the server to create a secure connection, allowing for safe communication between your local machine and where the source code is hosted. When the SSL certificate cannot be verified, for example because it is self-signed or issued by the corporate Certificate Authority (CA), Git cannot complete the HTTPS handshake with the server that hosts the repository.
When the unable to get local issuer certificate error
occurs in VS Code, it is often because Visual Studio cannot locate the SSL certificate. This may be due to the path being misconfigured on the local machine.
Tips from the expert
Itiel Shwartz
Co-Founder & CTO
In my experience, here are tips that can help you better handle SSL certificate issues with Git:
Use a dedicated SSL certificate management tool
Tools like Certbot automate the process of managing SSL certificates, ensuring they are always up to date.
Automate SSL updates with CI/CD pipelines
Integrate SSL certificate renewal processes within your CI/CD pipelines to avoid manual updates.
Leverage Kubernetes secrets for SSL certificates
Store and manage SSL certificates as Kubernetes secrets for better security and easier access.
Implement certificate transparency monitoring
Use certificate transparency logs to monitor and track SSL certificate issuance and changes.
Use a reverse proxy
Set up a reverse proxy (e.g., NGINX, HAProxy) to handle SSL termination and simplify SSL certificate management.
Try these steps to fix the ‘ssl certificate problem unable to get local issuer certificate’ error
Workaround
Disabling SSL certificate validation is not recommended for security purposes. However, it is a possible workaround for fixing the ssl certificate problem unable to get local issuer certificate error. Make sure to enable SLL as soon as possible.
You can disable SSL certificate validation locally in Git using the following command:
$ git -c http.sslVerify=false clone [URL]
You can also disable SSL certificate validation at a global level using the following command:
$ git config --global http.sslVerify false
To re-enable SSL certificate validation, use the following command:
$ git config --global http.sslVerify true
Resolution
1. Add certificate to trusted certificate store
When ssl certificate problem unable to get local issuer certificate error is caused by a self-signed certificate, the fix is to add the certificate to the trusted certificate store.
By default, the trusted certificate store is located in the following directory for Git Bash:
C:Program FilesGitmingw64sslcertsOpen the file ca-bundle.crt located in the directory above, then copy and paste the Git SSL certificate to the end of the file. Once completed, save the file and run your git pull, push, or clone command.
2. Reinstall Git and choose SSL transport backend option
Another method for fixing the ssl certificate problem unable to get local issuer certificate
error is to reinstall Git and choose the SSL transport backend option during the installation process.
3. In VS Code, grant repository access to SSL certificates or reassign path
If the unable to get local issuer certificate error
occurs inside Visual Studio Code, you need to grant your repository access to the SSL certificates. To do this, git can be reconfigured with the --global
flag on your SSL certificate configuration. This will give the Git server accessibility to the required SSL certificate.
To do this, run the following command in the Terminal:
git config --global http.sslBackend schannel
Accessibility to SSL certificate verification can also be set at the system level. To do this, you must be running in administrator mode before executing the following command:
git config --system http.sslBackend schannel
If the unable to get local issuer certificate error
in Visual Studio Code is not due to accessibility but a location misconfiguration, this can be fixed by reassigning the path. This can be done through the following command:
git config --global http.sslcainfo "Path"
How to prevent ‘ssl certificate problem unable to get local issuer certificate’ errors
The main purpose of a SSL certificate is to confirm authentication so that the information passed between client and server is secure. When an unable to get local issuer certificate error
occurs, a secure connection cannot be established, and the git client rejects your attempt to push, pull, or clone a repository for security reasons.
While disabling SSL certificates altogether is an option and common fix, it is not recommended. It opens up a security vulnerability for your repository and your local machine. Nevertheless, you can negate the unable to get local issuer certificate error by disabling SSL certificates at a local and global level. If SSL certificates are disabled at a global level, it is good to always enable them again so that other projects are not impacted by the intentional security disablement.
To prevent the error, ensure that you have a valid SSL certificate in your certificate store. Alternatively, you can reinstall your Git Bash with SSL Transport backend selected during the installation process.
If you are using Git via Visual Studio Code and have a valid SSL certificate in your certificate store but still encounter the certificate problem
error, use the --global
flag on your SSL certificate configuration to grant the Git server accessibility.
Related content: Read our guide to git revert.
Kubernetes Troubleshooting With Komodor
We hope that the guide above helps you better understand the troubleshooting steps you need to take in order to fix the unable to get local issuer certificate
error.
Keep in mind that this is just one of many Git errors that can pop up in your k8s logs and cause the system to fail. Due to the complex and distributed nature of k8s, the search for the root cause of each such failure can be stressful, disorienting, and time-consuming.
Komodor is a Kubernetes troubleshooting platform that turns hours of guesswork into actionable answers in just a few clicks. Using Komodor, you can monitor, alert and troubleshoot incidents in your entire K8s cluster.
For each K8s resource, Komodor automatically constructs a coherent view, including the relevant deploys, config changes, dependencies, metrics, and past incidents. Komodor seamlessly integrates and utilizes data from cloud providers, source controls, CI/CD pipelines, monitoring tools, and incident response platforms.
- Discover the root cause automatically with a timeline that tracks all changes made in your application and infrastructure.
- Quickly tackle the issue, with easy-to-follow remediation instructions.
- Give your entire team a way to troubleshoot independently, without having to escalate.