server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I can push when I clone the project using ssh, but it doesn't work when I clone the project with https. It shows the error message below.

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

6 answers

  • answered 2014-01-17 08:47 VonC

    You need to check the web certificate used for your GitLab server, and add it to your /<git_installation_folder>/bin/curl-ca-bundle.crt.

    To check if at least the clone works without checking said certificate, you can set:

    export GIT_SSL_NO_VERIFY=1
    #or
    git config --global http.sslverify false
    

    But that would be for testing only, as illustrated in "SSL works with browser, wget, and curl, but fails with git", or in this blog post.

    Check your GitLab settings, as in issue 4272.


    To get that certificate (that you would need to add to your curl-ca-bundle.crt file), type:

    echo -n | openssl s_client -showcerts -connect yourGitLabServer:YourHttpGitlabPort 2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
    

    To check the CA (Certificate Authority issuer), type:

    echo -n | openssl s_client -showcerts -connect yourGitLabServer:YourHttpGitlabPort 2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'| openssl x509 -noout -text | grep "CA Issuers" | head -1
    

    Findekano adds in the comments:

    to identify the location of curl-ca-bundle.crt, you could use the command

    curl-config --ca
    

  • answered 2014-03-18 10:57 Afzal Masood

    Open your terminal and run the following command:

    export GIT_SSL_NO_VERIFY=1
    

    It works for me and I am using a Linux system.

  • answered 2014-04-08 18:33 davidthings

    Another cause of this problem might be that your clock might be off. Certificates are time sensitive.

  • answered 2014-04-15 15:12 Tobu

    GIT_CURL_VERBOSE=1 git [clone|fetch]…
    

    should tell you where the problem is. In my case it was due to cURL not supporting PEM certificates when built against NSS, due to that support not being mainline in NSS (#726116 #804215 #402712 and more).

  • answered 2014-06-30 14:23 Nikolay Ruban

    Had the same problem. Caused by a self-issued certificate authority. Solved it by adding the .pem file to /usr/local/share/ca-certificates/ and calling

    sudo update-ca-certificates
    

    PS: the pem file in the folder ./share/ca-certificates MUST have the extension .crt
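
Added example (not part of any answer on this page): the `sed` pipeline in VonC's answer prints every certificate the server sends, while `openssl x509` reads only the first one, which is the server's own certificate. This sketch splits the chain into one `.crt` file per certificate, the extension Nikolay Ruban's answer says `update-ca-certificates` needs; the function names, the `gitlab` prefix and the sample `s_client` output are constructed for illustration.

```shell
# Constructed sample shaped like `openssl s_client -showcerts` output.
# The certificate bodies are placeholders, not real certificates.
sample_s_client_output() {
cat <<'EOF'
Certificate chain
 0 s:/CN=gitlab.example.test
   i:/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDleafPLACEHOLDERnotArealCERT==
-----END CERTIFICATE-----
 1 s:/CN=Example Internal CA
   i:/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDcaPLACEHOLDERnotArealCERT==
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# split_chain OUTDIR PREFIX: reads s_client output on stdin and writes
# OUTDIR/PREFIX-N.crt per certificate, in the order sent (0 = server
# certificate, then its issuers). Prints the number of files written.
split_chain() {
    outdir=$1; prefix=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v pfx="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%s-%d.crt", dir, pfx, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ && inside { close(f); n++; inside = 0 }
        END { print n + 0 }
    '
}

# describe_cert FILE (needs a real certificate and the openssl CLI): prints
# subject, issuer and validity dates; -checkend 0 fails if already expired.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates &&
        openssl x509 -in "$1" -noout -checkend 0
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
echo "certificates written: $(sample_s_client_output | split_chain "$demo_dir" gitlab)"
ls "$demo_dir"
rm -rf "$demo_dir"
```

Against a real server, pipe the `openssl s_client -showcerts` command from VonC's answer into `split_chain`, run `describe_cert` on each file, and compare the printed dates with `date -u` to rule out the clock problem mentioned above.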

  • answered 2014-07-26 16:50 Tosha

    I just encountered the very same problem with a git repository which always works for me. The problem was that I accessed it through public WiFi access, which redirects to a captive portal upon the first connection (for example to show ads and agree with the ToS).