SSL certificate problem: self signed certificate

Fix Git SSL Self-Signed Certificate Error

Programming & Dev Tools · Intermediate · May 25, 2026

Git fails to connect to a remote repository due to a self-signed SSL certificate. This guide explains how to safely bypass or trust the certificate for development environments.

Symptoms

When cloning, pushing, or fetching from a Git repository over HTTPS that uses a self-signed SSL certificate, you receive an error message similar to:

    fatal: unable to access 'https://git.example.com/repo.git/': SSL certificate problem: self signed certificate

This error prevents any Git operation that requires HTTPS connectivity. The repository may be hosted on an internal server or a test environment with a custom certificate authority.

Root Causes

  • The remote Git server uses a self-signed SSL certificate that is not trusted by the client's system certificate store.
  • The certificate is issued by a private Certificate Authority (CA) not installed on the client machine.
  • The certificate has expired or is misconfigured (e.g., wrong hostname).
  • Git is configured to strictly verify SSL certificates (default behavior).

Step-by-Step Fix

Option 1: Temporarily Disable SSL Verification (Not Recommended for Production)

  1. Set the environment variable to bypass SSL verification for a single command:
    GIT_SSL_NO_VERIFY=1 git clone https://git.example.com/repo.git
  2. Or disable verification globally, which affects every HTTPS remote for your user account until you re-enable it (use with caution):
    git config --global http.sslVerify false
  3. Re-enable verification after the operation:
    git config --global http.sslVerify true

Option 2: Trust the Self-Signed Certificate Permanently

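  1. Obtain the server's self-signed certificate (usually in PEM format). Ask your server administrator or export it from the browser. If you export it yourself, confirm its fingerprint with the administrator before trusting it, since an exported copy is only as trustworthy as the connection it came from.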
  2. Convert the certificate to PEM if needed:
    openssl x509 -inform der -in certificate.cer -out certificate.pem
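  3. Add the certificate to your system's trusted CA store. On Linux (Debian/Ubuntu; the copied file must end in .crt, otherwise update-ca-certificates ignores it):
    sudo cp certificate.pem /usr/local/share/ca-certificates/certificate.crt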
    sudo update-ca-certificates
    On macOS:
    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certificate.pem
    On Windows: Import the certificate into the 'Trusted Root Certification Authorities' store via certlm.msc.
  4. Verify Git can now communicate:
    git ls-remote https://git.example.com/repo.git

Option 3: Configure Git to Use a Custom CA Bundle

  1. Create a custom CA bundle file containing your self-signed certificate:
    cat certificate.pem >> ~/my-ca-bundle.crt
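  2. Configure Git to use this bundle. The file is used as Git's CA bundle in place of the default one, so with --global, remotes signed by public CAs can fail unless their CA certificates are also in the file: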
    git config --global http.sslCAInfo ~/my-ca-bundle.crt
  3. Test the connection:
    git clone https://git.example.com/repo.git

Alternative Fixes

  • Use SSH instead of HTTPS: Configure SSH keys on the server and change the remote URL to SSH format (e.g., git@git.example.com:repo.git). SSH does not use TLS certificates, so the error does not occur; the server is authenticated by its SSH host key instead.
  • Update Git: Older Git versions may have incomplete CA bundles. Upgrade to the latest version.
  • Check Certificate Hostname: Ensure the certificate's Common Name (CN) or Subject Alternative Name (SAN) matches the server hostname. Use:
    openssl s_client -connect git.example.com:443 -showcerts

Prevention

  • Use a properly signed certificate from a public CA (e.g., Let's Encrypt) for production repositories.
  • For internal servers, deploy a private CA and distribute its root certificate to all client machines via group policy or configuration management.
  • Regularly monitor certificate expiration dates and renew before expiry.
  • Document the certificate installation process for new team members.
  • Never disable SSL verification in production or CI/CD pipelines. It exposes you to man-in-the-middle attacks.
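
The last point can be checked mechanically. The script below is an added example, not part of the original guide: it scans a directory tree (CI scripts, checked-in Git config files) for the two bypasses from Option 1. The file names and contents written by make_sample_tree are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example: report where Git TLS verification is switched off.
#   1. http.sslVerify set to a false value (config file, `git config`, `git -c`)
#   2. GIT_SSL_NO_VERIFY present at all: git(1) documents that setting it to
#      *any* value disables verification, so GIT_SSL_NO_VERIFY=0 counts too.

# Print "file:line:text" for each finding under directory $1.
# Returns non-zero when nothing is found.
scan_tls_bypass() {
    grep -rnEi \
        -e 'sslverify[[:space:]=]+(false|no|off|0)([^[:alnum:]]|$)' \
        -e 'GIT_SSL_NO_VERIFY' \
        -- "$1" |
    # Drop comment lines (# or ; right after the "file:line:" prefix).
    grep -vE '^[^:]+:[0-9]+:[[:space:]]*[#;]'
}

# Build a small tree of constructed sample files and print its path.
make_sample_tree() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/ci"
    # Bypass committed in a config file.
    printf '[http]\n\tsslVerify = false\n' > "$_d/gitconfig"
    # Clean config: the bypass is commented out and a CA file is set instead.
    printf '[http]\n\t# sslVerify = false\n\tsslCAInfo = /etc/ssl/internal-ca.pem\n' \
        > "$_d/gitconfig.ok"
    # CI script: one comment, two real bypasses, one harmless re-enable.
    printf '%s\n' '#!/bin/sh' \
        '# GIT_SSL_NO_VERIFY=1 was removed on purpose' \
        'export GIT_SSL_NO_VERIFY=0' \
        'git -c http.sslVerify=false clone https://git.example.com/repo.git' \
        'git config --global http.sslVerify true' > "$_d/ci/build.sh"
    printf '%s\n' "$_d"
}

# Scan the directory given as $1, or the constructed sample when none is given.
if [ $# -gt 0 ]; then target=$1; else target=$(make_sample_tree); fi
scan_tls_bypass "$target" || echo "no TLS verification bypass found in $target"
```

Matches in documentation files are reported as well, so review each finding rather than treating the output as a verdict.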

By following these steps, you can securely connect to Git repositories using self-signed certificates while maintaining best practices for security.
