Git Clone Fails: Server Certificate Verification Failed

github: server certificate verification failed

2016: Make sure first that you have certificates installed on your Debian in /etc/ssl/certs.

If not, reinstall them:

sudo apt-get install --reinstall ca-certificates

Since that package does not include root certificates, add:

sudo mkdir /usr/local/share/ca-certificates/cacert.org
sudo wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
sudo update-ca-certificates

Make sure your git does reference those CA:

git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt

---

Jason C mentions another potential cause (in the comments):

It was the clock. The NTP server was down, the system clock wasn't set properly, I didn't notice or think to check initially, and the incorrect time was causing verification to fail.

Certificates are time sensitive.

---

2022: Auspex adds in the comments:

ca-certificates does indeed contain root certificates.

It doesn't contain the CAcert root certificates.

This might have been a good answer 6 1/2 years ago, but those certificates were suspect way back then and haven't improved.

There's a reason they're not in the ca-certificates package.

These days we have LetsEncrypt, so everyone has certificates with reliable auditing and nobody needs to rely on CAcert.

Cant clone repo. Server certificate verification failed

git clone https://git.lighttpd.net/mirrors/libev.git works for me (without GIT_SSL_NO_VERIFY=1) on Fedora 34. Perhaps you need to upgrade your git package, or the cacerts package on Ubuntu 20.04?

As an aside, lighttpd supports numerous native OS event frameworks, so using lighttpd with libev is unnecessary (and often slightly slower) than allowing lighttpd to directly use the native OS event framework.

Edit: lighttpd.net admin noticed that OCSP status for site certificate had expired and a script was not updating it. This has been corrected server-side.

Git Clone Fails: Server Certificate Verification Failed

Ok, I found the solution...
I guess a script (I hadn't looked at) ran on my computer which ran the line

git config --global http.sslVerify true

So the solution was simply to change run

git config --global http.sslVerify false

Heh...

fatal: unable to access 'https://xxxx.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Probably you don't have a trusted TLS¹ certificate in the server where you're hosting your GitLab instance.

Personally I would recommend you that you use trusted certificates, since the ones from Let's Encrypt are totally free, but in any case you can disable TLS¹ verification for a single command:

git -c http.sslVerify=false push origin -u

Or (don't do that and use trusted cerficates) disable it at all for all the repositories:

git config --global http.sslVerify false

_{*1: TLS is new (not so new) replacement for SSL.}

Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer (SSL), is a cryptographic protocol designed to provide communications security over a computer network.

- Wikipedia, Transport Layer Security link

---

Related Topics