- How to fix “SSL certificate problem: self signed certificate in certificate chain” error?
- 3 Answers 3
- SSL certificate problem when pushing to GitHub
- 5 Answers 5
- Git — “SSL certificate issue: self signed certificate in certificate chain”
- 3 Answers 3
- SSL certificate problem: self signed certificate in certificate chain #646
- Comments
- ddfridley commented May 25, 2018
- Curl error 60, SSL certificate issue: self signed certificate in certificate chain
- 5 Answers 5
How to fix “SSL certificate problem: self signed certificate in certificate chain” error?
I have a Linux-based Docker container, where if I do:
. then I get an error:
curl: (60) SSL certificate problem: self signed certificate in certificate chain More details here: https://curl.haxx.se/docs/sslcerts.html
The same happens for any URL — it’s not Google that’s at fault.
The link referenced above suggests various solutions, none of which seem appropriate apart from perhaps the last one, which suggests updating the certificate store. But there are no instructions on how to do that (or at least, none that make sense to me).
Is that the right thing to do, and if so how?
UPDATE: as requested, here’s the result of:
What I gather from this is that there’s a certificate in this chain belonging to the company I’m working for (which I’ve renamed MyCompanyServer), and I imagine that’s the issue.
Am I right in thinking that I need to install some sort of key for that certificate? This is all Greek to me, so apologies for the newbie questions.
3 Answers 3
Probably you don’t have correct CA certificates available in the container, so TLS connections can’t be verified.
Try to install ca-certificates package (package may have a different name, it depends on the used distribution).
UPDATE:
Your company inspects TLS connections in the corporate network, so original certificates are replaced by your company certificates. You need to add your company CA certificate to root CA certificates.
Linux (Ubuntu, Debian):
- copy company CA certificate to dir /usr/local/share/ca-certificates/
- run sudo update-ca-certificates
If your host OS has already preconfigured CA certs correctly (company CA certs included), then you can just mount them as a volume to the container:
SSL certificate problem when pushing to GitHub
When running the command:
fatal: unable to access ‘https:/github.com/. /. git’: SSL certificate problem: self signed certificate in certificate chain
I understand that it is complaining about a self-signed certificate, but I have no certificates either in /.ssh or on GitHub.
Git is fresh. What does anyone think? How do I fix it?
5 Answers 5
KIS 2015 automatically installs its own certificate in Firefox by default and automatically checks all secure connections. To do this, it replaces the sites' certificates with its own certificate in the browser!
To turn off the certificate substitution:
In the KIS 2015 settings: Settings/Additional/Network (network settings), uncheck «Scan encrypted connections» and restart the computer.
To ignore HTTPS certificates in Git, it is enough to set the http.sslVerify parameter to false in the user/system/repository configuration file:
However, in the case of GitHub this is not right: you need to look for the reason why they are self-signed.
If you are registered on GitHub and the public part of your key has been added to your account, you can connect to GitHub over the ssh protocol.
The repository link can be obtained on the repository page (see on the right: «You can clone with HTTPS, SSH, or Subversion») or, if you already have the http link, by converting it into an ssh link: replace https:// with git@ and the first slash after the site address with a colon. Example:
If the repository has already been cloned and only the link needs to be corrected, this can be done with a command roughly like this:
You can view the public keys attached to your GitHub account on the corresponding settings page.
Git — “SSL certificate issue: self signed certificate in certificate chain”
I just started getting this error when trying to push my changes. I don’t know what changed on my system and there should not be any self-signed certs in this connection.
Git has been uninstalled and re-installed. Git appears to be using the proper bundle: http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
Disabling cert checking is not an option.
How can I troubleshoot this issue?
The goal is to push my code to GitHub, but how did a self-signed cert get into this connection and how do I get it out?
3 Answers 3
I discovered that Kaspersky antivirus started using self-signed certificates in their «Web Anti-Virus» feature which caused Git to complain.
In order to work with the remote in any way over HTTP (push, fetch, pull, etc.) Kaspersky Web Anti-Virus needs to be disabled or that particular Git repo added to the exclusions list.
But regarding your current issue, try first pushing after setting a simplified path:
By using the smallest PATH (for testing), you ensure that only your Git is used, and it should be able to push to GitHub.
I had the same exact issue but used a different solution. Rather than disable the Web Anti-virus or rely on exclusions, I added the Kaspersky certificate to my Git for Windows trust store.
Finding the Kaspersky certificate was not that straight-forward. In my Kaspersky version, it was buried at the below location:
Settings > Additional > Network > Encrypted connections scanning — Advanced Settings > Install Certificate > Show Certificate > Details > Copy to File > Base-64 encoded X.509 (.cer)
Once you have the certificate, you need to locate your Git trust store, then add it there. Reference here for details.
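Added example (not from any of the posts on this page): an offline reproduction of the two verification errors discussed here, showing that appending the interception CA to the trust bundle, as the answers above describe, clears them without disabling verification. All certificates and names (public-root, inspection-ca, example.test) are constructed locally with the openssl CLI; it assumes the distribution's default openssl.cnf marks `req -x509` certificates as CAs.

```bash
#!/usr/bin/env bash
# Constructed lab: every key and certificate is generated locally, nothing touches the network.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root certificate written to $WORK/NAME.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA_NAME: certificate for example.test signed by the named CA
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_code BUNDLE [SENT_CHAIN]: print 0 if leaf.pem verifies against BUNDLE,
# otherwise the OpenSSL X509_V_ERR number. SENT_CHAIN holds the extra certificates
# the peer presented; they help build the chain but are not trusted by themselves.
verify_code() {
  local out
  out=$(openssl verify -CAfile "$1" ${2:+-untrusted "$2"} "$WORK/leaf.pem" 2>&1) \
    && { echo 0; return; }
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

make_ca public-root      # stands in for the stock ca-bundle.crt / ca-certificates
make_ca inspection-ca    # stands in for the company or antivirus interception CA
make_leaf inspection-ca  # what the client is shown for example.test behind the proxy
cat "$WORK/public-root.pem" "$WORK/inspection-ca.pem" > "$WORK/fixed-bundle.pem"

# 19 = self signed certificate in certificate chain (root was sent, but is not trusted)
echo "stock bundle, proxy sends its root:  $(verify_code "$WORK/public-root.pem" "$WORK/inspection-ca.pem")"
# 20 = unable to get local issuer certificate (issuer neither sent nor trusted)
echo "stock bundle, proxy sends leaf only: $(verify_code "$WORK/public-root.pem")"
# 0 = chain verifies once the interception CA is part of the trust bundle
echo "bundle with inspection CA appended:  $(verify_code "$WORK/fixed-bundle.pem" "$WORK/inspection-ca.pem")"
```

For Git, the file to append to is the one named by http.sslcainfo; verification stays switched on throughout.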
SSL certificate problem: self signed certificate in certificate chain #646
Comments
ddfridley commented May 25, 2018
I am unable to push to git. I see that there have been changes and I’ve been upgrading to catch up, but I’m really stuck. I’m sorry to post this, I’ve been trying to figure it out.
$ git --version
git version 2.17.0.windows.1 // 64 bit
$ git credential-manager version
Git Credential Manager for Windows version 1.16.0
git push origin master
fatal: unable to access ‘https://github.com/Synaccord/synaccord.git/’: SSL certificate problem: self signed certificate in certificate chain
This used to work, but I understand github has gotten more strict about SSL. Fine. But I can’t seem to delete the old certificate and create a new one.
On Windows 10 (Home Version 1709 OS Build 16299.431) when I go to Settings and search for «Credential» I see «Credential Manager», «Manage Windows Credentials», and «Manage Web Credentials». When I click on «Credential Manager» (or any of the three) the list disappears and I’m back to the search option. Has credential management been removed from windows?
git credential-manager ‘delete https://github.com/Synaccord/synaccord.git/
It returns no error, and has no effect on the git push
git config --list //filtered
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
http.sslbackend=openssl
credential.usehttppath=true
credential.helper=manager
http.sslbackend=openssl
credential.manager=--version
I’m stuck. Any ideas would be appreciated.
Curl error 60, SSL certificate issue: self signed certificate in certificate chain
I try to send curl request with my correct APP_ID, APP_SECRET etc. to the
I need to get access_token from it, but get a FALSE and curl_error() print next message otherwise:
When I go to the link above manually, I get the access_token fine. Why doesn’t it work with curl? Help, please.
5 Answers 5
Answers suggesting to disable CURLOPT_SSL_VERIFYPEER should not be accepted. The question is «Why doesn’t it work with cURL», and as correctly pointed out by Martijn Hols, it is dangerous.
The error is probably caused by not having an up-to-date bundle of CA root certificates. This is typically a text file with a bunch of cryptographic signatures that curl uses to verify a host’s SSL certificate.
You need to make sure that your installation of PHP has one of these files, and that it’s up to date (otherwise download one here: http://curl.haxx.se/docs/caextract.html).
If you are setting it at runtime, use:
This workaround is dangerous and not recommended:
It’s not a good idea to disable SSL peer verification. Doing so might expose your requests to MITM attackers.
In fact, you just need an up-to-date CA root certificate bundle. Installing an updated one is as easy as:
- Downloading up-to-date cacert.pem file from cURL website and
- Setting a path to it in your php.ini file, e.g. on Windows:
Stay safe and secure.
If the SSL certificates are not properly installed in your system, you may get this error:
cURL error 60: SSL certificate problem: unable to get local issuer certificate.
You can solve this issue as follows:
- Download a file with the updated list of certificates from https://curl.haxx.se/ca/cacert.pem
- Move the downloaded cacert.pem file to some safe location in your system
- Update your php.ini file and configure the path to that file:
Important: This issue drove me crazy for a couple days and I couldn’t figure out what was going on with my curl & openssl installations. I finally figured out that it was my intermediate certificate (in my case, GoDaddy) which was out of date. I went back to my godaddy SSL admin panel, downloaded the new intermediate certificate, and the issue disappeared.
I’m sure this is the issue for some of you.
Apparently, GoDaddy had changed their intermediate certificate at some point, due to security issues, as they now display this warning:
«Please be sure to use the new SHA-2 intermediate certificates included in your downloaded bundle.»
Hope this helps some of you, because I was going nuts and this cleaned up the issue on ALL my servers.