SSL certificate problem: Unable to get local issuer certificate
Platform Notice: Cloud, Server, and Data Center - This article applies equally to all platforms.
Problem
The following is seen on the command line when pushing or pulling:
SSL Certificate problem: unable to get local issuer
Cause
There are two potential causes that have been identified for this issue.
- A self-signed certificate cannot be verified.
- The default Git crypto backend (Windows clients).
Resolution
Resolution #1 - Self Signed certificate
Workaround
Tell Git not to validate the certificate by using the global option:
git config --global http.sslVerify false
Please be advised that disabling SSL verification globally is a security risk, because Git then accepts whatever certificate a server presents on every HTTPS remote, and it should be implemented only temporarily.
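To confirm the workaround has been removed again, the following added example (not part of the original article) lists every place where certificate verification is currently switched off. It goes beyond the global option shown above and also reports per-URL `http.<url>.sslVerify` entries and the `GIT_SSL_NO_VERIFY` environment variable; the function name `find_sslverify_off` is hypothetical.

```shell
#!/bin/sh
# Added example: list every place where Git's TLS certificate verification
# has been turned off, so the temporary workaround can be removed again.

# find_sslverify_off [CONFIG_FILE]   (hypothetical helper name)
#   no argument : inspect all config files Git reads (system, global, local)
#   CONFIG_FILE : inspect only that file
# Prints one "<origin> <key>" line per finding; returns 1 if any were found.
find_sslverify_off() {
    if [ -n "${1:-}" ]; then
        set -- --file "$1"
    fi
    # --bool normalises "no", "off" and "0" to "false".
    # The pattern matches http.sslVerify and per-URL http.<url>.sslVerify;
    # Git lower-cases the variable name before matching.
    findings=$(git config "$@" --bool --show-origin \
                   --get-regexp '^http\.(.*\.)?sslverify$' 2>/dev/null |
               awk '$NF == "false" { $NF = ""; sub(/ +$/, ""); print }')
    # Exporting GIT_SSL_NO_VERIFY (with any value) disables verification too.
    if [ -n "${GIT_SSL_NO_VERIFY+set}" ]; then
        findings="${findings}${findings:+
}env GIT_SSL_NO_VERIFY"
    fi
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Each reported entry can be cleared with `git config --unset` in the scope named by its origin.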
Resolution - Client Side
Please notice that we refer to the Certificate Authority in this article by the acronym CA.
There are several ways this issue has been resolved previously. Below we suggest possible solutions that should be run on the client side:
- Ensure the root cert is added to git.exe's certificate store. The location of this file will depend on how and where Git was installed. For instance, the trusted certificate store directory for Git Bash is C:\Program Files\Git\mingw64\ssl\certs. This is also discussed on this Microsoft blog.
- Tell Git where to find the CA bundle, either by running:
git config --system http.sslCAPath /absolute/path/to/git/certificates
where /absolute/path/to/git/certificates is the path to where you placed the file that contains the CA certificate(s), or by copying the CA bundle to the /bin directory and adding the following to the gitconfig file:
sslCAinfo = /bin/curl-ca-bundle.crt
- Reinstall Git.
Ensure that the complete certificate chain is present in the CA bundle file, including the root cert.
Resolution - Server Side
This issue can also happen on configurations where Bitbucket Server is secured with an SSL-terminating connector rather than a proxy.
- Ensure that the Java KeyStore has the entire certificate chain (Intermediate CA and Root CA).
- To check, view the Certificate Chain Details inside the KeyStore using a tool like the KeyStore Explorer.
Resolution #2 - Default GIT crypto backend
On Windows, the problem is that Git by default uses the "Linux" crypto backend, so Git operations may occasionally fail to complete. Starting with Git for Windows 2.14, you can configure Git to use SChannel, the built-in Windows networking layer, as the crypto backend. To do that, run the following command in the Git client:
git config --global http.sslbackend schannel
This means that it will use the Windows certificate storage mechanism and you don't need to explicitly configure the curl CA storage (http.sslCAInfo) mechanism.