Skip to content
Latchkey

Git "SSL certificate problem: self-signed certificate" in CI

Git could not verify the TLS certificate of the Git host over HTTPS. Either the runner is missing CA certificates, or a corporate proxy is presenting its own self-signed certificate the runner does not trust.

What this error means

An HTTPS clone/fetch fails during the TLS handshake with SSL certificate problem: self signed certificate in certificate chain (or unable to get local issuer certificate). It is environment-specific - fine on a dev machine, failing on a bare CI image or behind a proxy.

git clone output
fatal: unable to access 'https://git.example.com/org/repo.git/':
SSL certificate problem: self signed certificate in certificate chain

Common causes

Missing or stale CA certificates

A minimal runner image without ca-certificates has no trust store, so Git cannot validate the host’s certificate chain.

A proxy intercepting TLS

Corporate proxies re-sign HTTPS with their own root CA. Unless that root is trusted by the runner, Git treats the certificate as self-signed and aborts.

How to fix it

Install CA certificates

Add the trust store so Git can validate standard certificates.

Terminal
# Debian/Ubuntu
apt-get update && apt-get install -y ca-certificates
update-ca-certificates

Trust the proxy/internal root CA

Point Git at the proxy or internal CA bundle rather than disabling verification.

Terminal
git config --global http.sslCAInfo /etc/ssl/certs/corporate-root.pem
# scoped to one host:
git config --global http."https://git.example.com/".sslCAInfo /etc/ssl/certs/corporate-root.pem

How to prevent it

  • Use a runner image with ca-certificates preinstalled.
  • Provide the internal/proxy root CA to Git’s trust store, not per-command flags.
  • Never disable http.sslVerify as a standing configuration.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →