We’ve compiled a list of common errors and solutions, and we welcome your suggestions in the comments.

What is SSL/TLS?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are the standard protocols for encrypting 🔐 communication between a client (web browser) and a server (web server). They provide confidentiality and data integrity for Internet communication and have become the industry standard for secure Internet communications.

  • See the latest trends in SSL technology adoption and the market share distribution of SSL certificate authorities.

  • SSL certificate online checking tools: What’s My Chain Cert? | SSL Certificate Checker – Diagnostic Tool | DigiCert.com

  • If you want a free SSL certificate for your server, consider using Let’s Encrypt: Let’s Encrypt | Certbot

How to locate and analyze error messages

Tip: enabling debug mode helps you trace and locate the actual cause of a specific problem (GIT_CURL_VERBOSE only applies to the HTTP/S transport).

# On Linux
export GIT_CURL_VERBOSE=1
export GIT_TRACE_PACKET=1
export GIT_TRACE=1

# On Windows
set GIT_TRACE_PACKET=1
set GIT_TRACE=1
set GIT_CURL_VERBOSE=1

If Python is installed on the machine, you can quickly print the default certificate paths to help locate and resolve the problem:
python -c "import ssl; print(ssl.get_default_verify_paths())"

Use OpenSSL to check the site's certificate status (replace your.domain.com:443 with the server you are connecting to):
openssl s_client -showcerts -connect your.domain.com:443

Q&A

SSL certificate problem: Unable to get local issuer certificate

The reason:

If a self-signed certificate cannot be validated, client programs such as Git or curl cannot trust the server certificate. On Windows, this type of problem can also be caused by the environment configuration.

Solution:

The temporary global workaround for this problem is to disable certificate validation. ⚠️ Be aware of the security risk of this approach: it exposes you to man-in-the-middle (MitM) attacks.

# http.sslBackend: name of the SSL backend to use (e.g. "openssl" or "schannel").
# This option is ignored if cURL lacks support for choosing the SSL backend at runtime.
git config --global http.sslBackend schannel

# or

# http.sslVerify: a boolean to enable/disable verification of the server certificate used by the SSL/TLS connection.
# ⚠️ Do NOT do this!
GIT_SSL_NO_VERIFY=true git clone https://[email protected]/scm/repository.git
git config --global http.sslVerify false

# Git config option reference: https://git-scm.com/docs/git-config

If you can get the certificate .pem file from the server, try telling Git where the certificate authority (CA) bundle is located.

# Convert the file into X.509 PEM format if it is not already (add -inform DER if the .crt is binary)
# openssl-x509: X.509 certificate display and signing utility
# https://www.openssl.org/docs/man1.0.2/man1/x509.html
openssl x509 -in certificate.crt -out certificate.pem

# Point Git at the CA file system-wide ...
git config --system http.sslCAInfo /path/certificate.crt

# ... or edit the global config by hand
git config --global -e

[http "https://your.domain.com"]
    # MUST be PEM format
    # Some situations require both the CAPath AND CAInfo
    sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
    sslCAPath = /path/to/selfCA/
    sslVerify = true
    # Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE,
    # not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
    sslCert = /path/to/privatekey/myprivatecert.pem
    # Even if your PEM file is password protected, set this to false.
    # Setting this to true always asks for a password even if you don't have one.
    # When you do have a password, even with this set to false it will prompt anyhow.
    sslCertPasswordProtected = 0

Tip: the CA bundle is a file containing the root certificate and the intermediate certificate(s); together with the actual server certificate it forms the complete certificate chain. See cURL's CA extract page: curl.se/docs/caextr…

How to obtain a self-signed certificate is not described here.
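Before pointing http.sslCAInfo or http.sslCert at a file, it is worth checking that the file really is PEM and really contains a certificate, since a binary DER .crt or a key-only .pem produces exactly the errors above. The following is an added example for this article (not code from the original post), stdlib only; DER_SAMPLE is a constructed dummy byte string, not a real certificate:

```python
# Added example, not from the original post (stdlib only); the two sample inputs at the end are constructed.
import base64
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def to_pem(data: bytes) -> str:
    """Pass PEM through unchanged, wrap a binary DER certificate in PEM armour, reject anything else."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode("utf-8", "replace")
    if data[:1] == b"\x30":                     # DER SEQUENCE tag: what `openssl x509 -inform DER` expects
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("neither PEM nor DER: is this really a certificate file?")

def check_for_git(data: bytes) -> dict:
    """Classify PEM blocks and list why Git would not accept the file as sslCAInfo/sslCert (empty = usable)."""
    report = {"certificates": 0, "private_keys": 0, "problems": []}
    for label, body in PEM_BLOCK.findall(to_pem(data)):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            report["problems"].append(f"{label} block is not valid base64")
            continue
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
    if report["certificates"] == 0:
        report["problems"].append("no BEGIN CERTIFICATE block: Git only recognises PEM certificates here")
    return report

# Constructed inputs: a dummy DER prefix (not a real certificate) and a key-only PEM file.
DER_SAMPLE = bytes.fromhex("3082010a02010100")
KEY_ONLY_SAMPLE = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
```

Run check_for_git() on the bytes of the file you intend to configure; an empty problems list means the file is in the shape Git expects.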

Other client programs, such as pip, conda and Node, encounter similar problems and can be fixed in a similar way:

# curl code (PHP cURL binding): disables peer verification, the same risk as http.sslVerify=false above
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);

# python package
pip config set global.cert path/to/ca-bundle.crt

# conda package
conda config --set ssl_verify path/to/ca-bundle.crt

In addition, in some rare cases a firewall or anti-virus product can cause this problem; try temporarily turning the software off to verify whether that resolves it.

Fatal: Unable to access ‘https://company.domain/project.git’: SSL certificate problem: certificate has expired

If you encountered this problem after September 2021, you may be affected by the Let’s Encrypt DST Root CA X3 expiration (September 2021); try the following methods to resolve it.

  • Ubuntu 14.04 LTS (Trusty Tahr) or Ubuntu 16.04.6 LTS (Xenial Xerus)
# Edit the file /etc/ca-certificates.conf, find the certificate and disable it by prefixing the line with "!"
sudo sed -i -e 's/^mozilla\/DST_Root_CA_X3\.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf
# Save the file and run
sudo rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
sudo update-ca-certificates
  • Mac OS X 10.13.6 (High Sierra): cURL, and therefore Git, uses /etc/ssl/cert.pem for root certificate validation, so you can remove DST Root CA X3 from that file manually.
  • If you are using Certbot, upgrade to the latest version and renew the site certificates to remove potential issues with DST Root CA X3:
sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"

In Windows, you can try to upgrade Git to the latest version, which will solve the problem.
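Removing DST Root CA X3 by hand, as above, assumes you already know which entry in the bundle has expired. The following is an added example for this article (not code from the original post), stdlib only, that walks a PEM bundle such as /etc/ssl/cert.pem or the http.sslCAInfo file and reports every certificate whose notAfter is already past; it parses DER only as far as the validity field, and the SAMPLE_BUNDLE at the end is constructed from skeleton certificates (no keys or signatures), one dated to expire 2021-09-30 like DST Root CA X3 and one valid until 2035 like ISRG Root X1:

```python
# Added example, not from the original post (stdlib only); the sample bundle at the end is constructed.
import base64
import re
import ssl
from datetime import datetime, timezone
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _tlv(buf: bytes, i: int = 0):
    """Decode one DER tag-length-value at offset i; return (tag, value, offset after it)."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def not_after(cert_der: bytes) -> datetime:
    """notAfter of an X.509 DER certificate: Certificate > tbsCertificate > validity > [1]."""
    tbs = _tlv(_tlv(cert_der)[1])[1]
    i = _tlv(tbs)[2] if tbs[0] == 0xA0 else 0       # skip the optional explicit [0] version
    for _ in range(3):                              # serialNumber, signature, issuer
        i = _tlv(tbs, i)[2]
    validity = _tlv(tbs, i)[1]
    tag, value, _ = _tlv(validity, _tlv(validity)[2])   # second element of validity
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expired_certificates(bundle_text: str, now=None) -> list:
    """(index, notAfter) for each certificate in the bundle whose notAfter is already past."""
    now = now or datetime.now(timezone.utc)
    result = []
    for idx, body in enumerate(PEM_CERT.findall(bundle_text)):
        expiry = not_after(base64.b64decode("".join(body.split())))
        if expiry < now:
            result.append((idx, expiry))
    return result

def _der(tag: int, content: bytes) -> bytes:       # minimal DER encoder for the sample only
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert(not_after_utc: str) -> str:
    """Constructed X.509 skeleton (empty issuer/algorithm, no key or signature) as PEM text."""
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after_utc.encode()))
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"") + validity)
    return ssl.DER_cert_to_PEM_cert(_der(0x30, tbs))

# Constructed sample: one root that expired 2021-09-30 (as DST Root CA X3 did), one valid to 2035.
SAMPLE_BUNDLE = fake_cert("210930140115Z") + fake_cert("350604110438Z")
```

On a real bundle, pass the file's text to expired_certificates() and use the returned indexes to locate the blocks to remove before running update-ca-certificates.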

Related resources

  • KSE Manual – User Interface Overview
  • Git for Windows: SSL certificate problem: certificate has expired
  • DST Root CA X3 Expiration (September 2021) – Let’s Encrypt

This article is published under a Creative Commons Attribution 4.0 International (CC BY 4.0) license.