Git "SSL certificate problem: self-signed certificate" in CI
Git could not verify the TLS certificate of the Git host over HTTPS. Either the runner is missing CA certificates, or a corporate proxy is presenting its own self-signed certificate the runner does not trust.
What this error means
An HTTPS clone/fetch fails during the TLS handshake with SSL certificate problem: self signed certificate in certificate chain (or unable to get local issuer certificate). It is environment-specific - fine on a dev machine, failing on a bare CI image or behind a proxy.
fatal: unable to access 'https://git.example.com/org/repo.git/':
SSL certificate problem: self signed certificate in certificate chainCommon causes
Missing or stale CA certificates
A minimal runner image without ca-certificates has no trust store, so Git cannot validate the host’s certificate chain.
A proxy intercepting TLS
Corporate proxies re-sign HTTPS with their own root CA. Unless that root is trusted by the runner, Git treats the certificate as self-signed and aborts.
How to fix it
Install CA certificates
Add the trust store so Git can validate standard certificates.
# Debian/Ubuntu
apt-get update && apt-get install -y ca-certificates
update-ca-certificatesTrust the proxy/internal root CA
Point Git at the proxy or internal CA bundle rather than disabling verification.
git config --global http.sslCAInfo /etc/ssl/certs/corporate-root.pem
# scoped to one host:
git config --global http."https://git.example.com/".sslCAInfo /etc/ssl/certs/corporate-root.pemHow to prevent it
- Use a runner image with
ca-certificatespreinstalled. - Provide the internal/proxy root CA to Git’s trust store, not per-command flags.
- Never disable
http.sslVerifyas a standing configuration.