How to Fix Git SSL Certificate Issues: A Complete Troubleshooting Guide

The errors of Git SSL certificates may put your development process to a full stop. Trying to clone, pull, push or fetch something on a remote repository, you are faced with an issue concerning the SSL certificate. This is because Git is unable to connect with the server in a secure way. This step-by-step guide gives you an understanding of these errors, their underlying causes and the real ways in which they can be resolved so that you get back on track within a shorter time.

Understanding Git SSL Certificate Problems

When connecting to a remote Git repository over HTTPS, Git uses SSL/TLS certificates to encrypt your connection and verify the identity of the remote server. Through these certificates, you can be sure that you are communicating with the genuine server, and the information is secure in transit. Git also displays an error when it is unable to recognize an SSL certificate and refuses to continue with the operation.

Common SSL Certificate Error Messages

The most frequent SSL certificate errors you’ll encounter in Git include:

• SSL certificate problem: unable to get local issuer certificate, your system cannot find or verify the Certificate Authority (CA) that issued the server’s certificate.
• SSL certificate problem: self-signed certificate – The server is using a certificate that wasn’t issued by a trusted CA.
• SSL certificate problem: certificate has expired – The server SSL certificate or a certificate in your system’s trust store has passed its validity date.
• schannel: failed to receive handshake, SSL/TLS connection failed – Windows Secure Channel couldn’t complete the SSL handshake.
• Certificate signed by unknown authority – A CA issued the certificate that your system doesn’t trust.
• Unable to verify the first certificate – The server is presenting an incomplete certificate chain.

Root Causes of Git SSL Certificate Issues

Understanding why these errors occur helps you choose the right solution. The primary causes include:

Outdated CA Certificate Bundles – Git relies on your system’s certificate store to verify SSL certificates. If your certificates are outdated, Git won’t trust newer certificates from remote servers.

Self-Signed Certificates – Private or internal Git servers often use self-signed certificates that aren’t automatically trusted by your system.

Corporate Proxy/Firewall SSL Interception – Many organizations implement SSL inspection that decrypts and re-encrypts HTTPS traffic, replacing the original certificate with the company’s own certificate.

Incorrect System Date and Time – SSL certificates are time-sensitive. An incorrect system clock can cause valid certificates to appear expired or not yet valid.

Expired Certificates – Both server certificates and root CA certificates can expire, causing verification failures.

Misconfigured Git SSL Settings – Incorrect Git configuration options related to SSL can prevent successful certificate verification.

Step 1: Verify Your Remote Repository URL

Before diving into SSL debugging, confirm that your repository URL is correct. An incorrect URL might cause Git to connect to the wrong server entirely.

Check your remote URL by running:

git remote -v

This command displays the fetch and push URLs for your repository. Ensure the URL uses https:// and points to the correct server. If the URL is incorrect, update it with:

git remote set-url origin <correct-repo-url>

Replace <correct-repo-url> with the proper HTTPS URL for your repository.

Step 2: Update Your System’s CA Certificates

One of the most frequent reasons for failure in the verification of the SSL is due to the outdated certificates issued by the CA. Maintaining them will make sure that your system has the ability can trust the certificates that are issued by existing Certificate Authorities.

For Windows Users

Option A: Use Windows Certificate Store (Recommended)

Windows: The best option that Windows users can use is to set Git to use the Windows Secure Channel (SChannel) backend, which utilizes the Windows Certificate Store rather than a third-party CA bundle:

git config --global http.sslBackend schannel

This single command tells Git to use Windows’ built-in certificate management, automatically trusting the same certificates that your browser and other Windows applications trust.

Option B: Update Git for Windows

Updating Git for Windows installs the latest CA certificates bundle. Run this command in Git Bash:

git update-git-for-windows

Alternatively, download and install the latest version:

official Git website

Option C: Manually Update CA Bundle

1. Download the latest CA certificates bundle from curl’s official website: https://curl.se/ca/cacert.pem
2. Save the file as ca-bundle.crt in your Git installation directory (typically C:\Program Files\Git\usr\ssl\)
3. Configure Git to use this bundle:

git config --global http.sslCAinfo "C:/Program Files/Git/usr/ssl/ca-bundle.crt"

For macOS Users

Update your CA certificates using Homebrew:

brew install ca-certificates

To add a specific certificate to the system keychain:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/certificate.crt

For Linux Users

The command varies by distribution:

Ubuntu/Debian:

sudo apt-get update

sudo apt-get install --reinstall ca-certificates

sudo update-ca-certificates

CentOS/RHEL/Fedora:

sudo yum reinstall ca-certificates

# or for Fedora

sudo dnf install ca-certificates

sudo update-ca-trust extract

Arch Linux:

sudo pacman -Sy ca-certificates-utils

trust extract-compat

After updating certificates, verify Git can access them by checking the configuration:

git config --get http.sslCAinfo

Step 3: Handle Self-Signed Certificates

When working with private or internal Git servers that use self-signed certificates, you need to explicitly tell Git to trust these certificates.

Export the Certificate from the Server

Use OpenSSL to download the server’s certificate:

bash

openssl s_client -connect your-git-server.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > git-server-cert.pem

Replace your-git-server.com with your Git server’s domain or IP address.

Add the Certificate to Your System’s Trust Store

For macOS/Linux:

sudo cp git-server-cert.pem /usr/local/share/ca-certificates/

sudo update-ca-certificates

For Windows:

1. Press Windows + R, type certmgr.msc, and press Enter
2. Navigate to “Trusted Root Certification Authorities” > “Certificates”
3. Right-click, select “All Tasks” > “Import”
4. Follow the wizard to import your .pem or .crt certificate file

Configure Git to Use the Certificate

After adding the certificate to your trust store, point Git to it:

git config --global http.sslCAinfo /path/to/git-server-cert.pem

For repository-specific configurations (recommended when dealing with a single internal server):

bash

git config http."https://your-git-server.com/".sslCAInfo /path/to/git-server-cert.pem

Step 4: Fix Corporate Environment SSL Interception Issues

Within corporate settings, the security teams tend to install the form of an SSL inspection (also known as SSL interception or HTTPS inspection) at the firewall level. This operation encrypts, monitors and decrypts all the traffic of HTTPS with the help of its certificate.

Understanding the Problem

When SSL inspection is active:

1. Your company’s firewall intercepts the HTTPS connection
2. The firewall decrypts the traffic and inspects it
3. The firewall re-encrypts the traffic using a company-issued certificate
4. Git receives this company certificate instead of the original server certificate
5. Git doesn’t trust the company certificate, causing the error

The Solution

Step 1: Obtain Your Company’s Root Certificate

Contact your IT department and request the corporate root certificate. They might call it:

• SSL inspection certificate
• HTTPS inspection certificate
• Corporate root CA certificate

Step 2: Install the Certificate

On Windows:

bash

# Add the certificate to Windows Certificate Store

certutil -addstore -f "ROOT" company-root-cert.crt

# Configure Git to use Windows Certificate Store

git config --global http.sslBackend schannel

On Linux:

# Copy certificate to the trust store directory

sudo cp company-root-cert.crt /usr/local/share/ca-certificates/

# Update the certificate trust

sudo update-ca-certificates

# Point Git to the updated certificate bundle

git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt

On macOS:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain company-root-cert.crt

Step 5: Check Your System’s Date and Time

SSL certificates have strict validity periods. If your system clock is significantly off, valid certificates may appear expired or not yet valid.

Sync Your System Clock

For macOS/Linux:

sudo ntpdate pool.ntp.org

Or use timedatectl on systemd-based systems:

sudo timedatectl set-ntp true

For Windows:

1. Right-click the clock in the taskbar
2. Select “Adjust date/time”
3. Toggle “Set time automatically” on
4. Click “Sync now”

Step 6: Temporarily Disable SSL Verification (Use with Extreme Caution)

If you need a quick fix for testing purposes, you can temporarily disable SSL verification. Warning: This bypasses security protections and makes your connection vulnerable to man-in-the-middle attacks. Never use this as a permanent solution.

Disable Globally (Temporary Testing Only)

git config --global http.sslVerify false

Re-enable SSL Verification Immediately After Testing

git config --global http.sslVerify true

Disable for a Single Command

GIT_SSL_NO_VERIFY=true git clone https://example.com/repo.git

Disable for a Specific Repository Only

Navigate to the repository directory and run:

git config http.sslVerify false

This limits the security bypass to just one repository rather than affecting all Git operations.

Disable for a Specific Host Only

A safer approach is to disable verification only for a specific server:

git config --global http.https://your-problematic-server.com/.sslVerify false

Alternative Solution: Switch to SSH

In case HTTPS still has issues, it is recommended to use SSH in the Git operations. SSH offers secure encryption and authentication without using SSL certificates.

Advantages of SSH

• No SSL certificate verification required
• More secure authentication via SSH keys
• No need to enter credentials for each operation once configured
• Works even when SSL inspection causes issues

Set Up SSH for Git

1. Generate an SSH key pair:

ssh-keygen -t ed25519 -C "[email protected]"

2. Add the SSH key to your SSH agent:

eval "$(ssh-agent -s)"

ssh-add ~/.ssh/id_ed25519

3. Copy the public key and add it to your Git hosting service (GitHub, GitLab, Bitbucket, etc.):

cat ~/.ssh/id_ed25519.pub

4. Clone repositories using the SSH URL:

git clone [email protected]:username/repository.git

5. Update existing repositories to use SSH:

git remote set-url origin [email protected]:username/repository.git

Best Practices for Avoiding SSL Certificate Issues

Following these practices helps prevent SSL certificate problems in the future:

Keep Git Updated – Newer Git versions include updated CA certificate bundles and improved SSL handling. Regularly update Git on all development machines.

Maintain Updated System Certificates – Set up automatic certificate updates on your operating system to ensure your CA trust store stays current.

Never Permanently Disable SSL Verification – While disabling verification provides a quick fix, it exposes your credentials and code to potential attacks. Always address the root cause.

Use Complete Certificate Chains – When deploying private Git servers, ensure you configure the complete certificate chain, including intermediate certificates.

Document Corporate Certificate Requirements – In corporate environments, document the process for installing company root certificates so new team members can quickly configure their systems.

Verify Server Certificates – Before adding certificates to your trust store, verify their authenticity through your IT department or server administrators.

Monitor Certificate Expiration – Set up monitoring for certificate expiration dates on your Git servers to prevent unexpected outages.

Troubleshooting Checklist

If you’re still experiencing issues after trying the solutions above, work through this checklist:

1. Verify connectivity – Can you ping the Git server? Is the server accessible?
2. Check firewall rules – Is port 443 (HTTPS) or port 22 (SSH) blocked?
3. Test with curl – Run curl -v https://your-git-server.com to see detailed SSL information
4. Review Git config – Run git config –list to check all SSL-related settings.
5. Check proxy settings – Verify that http.proxy and https.proxy are correctly configured if you’re behind a proxy.
6. Test in a clean environment – Try the operation from a different network or machine to isolate the issue

Conclusion

Although annoying, the problem of GitSSL certificates is quite easy to fix as soon as you are aware of the reasons behind it. The best ways are to renew your CA certificates, set Git to use your systems certificate store or correctly trust self-signed certificates.

In corporate environments where SSL inspection is common, obtaining and installing the company’s root certificate is essential for seamless Git operations.

While disabling SSL verification can serve as a quick workaround for testing, it should never be used as a permanent solution due to significant security risks. For persistent HTTPS issues, switching to SSH provides a robust alternative that bypasses SSL certificate requirements entirely.

By following the steps outlined in this guide and maintaining proper certificate hygiene, you can ensure secure and reliable Git operations across all your development environments.

About the writer

Hassan Tahir wrote this article, drawing on his experience to clarify WordPress concepts and enhance developer understanding. Through his work, he aims to help both beginners and professionals refine their skills and tackle WordPress projects with greater confidence.