Recommended Approach: Trust the Root CA Certificate
Step 1: Identify the Certificate Chain Issue
First, diagnose what’s actually missing:
openssl s_client -showcerts -connect git.example.internal:443 </dev/null 2>/dev/null
Look for the entire certificate chain. The problem is typically the root or intermediate CA, not the server cert itself.
Step 2: Extract the Correct Certificate
If you control the server, obtain the root CA certificate directly from your infrastructure team or certificate authority.
If extracting from the connection, get the root CA certificate (the last certificate in the chain). Note that many servers do not send the self-signed root at all; if the last certificate's Issuer differs from its Subject, it is an intermediate and you still need the root from your PKI team:
openssl s_client -showcerts -connect git.example.internal:443 </dev/null 2>/dev/null | \
awk '/BEGIN CERTIFICATE/ {cert=""} /BEGIN CERTIFICATE/,/END CERTIFICATE/ {cert=cert $0 "\n"} /END CERTIFICATE/ {last=cert} END {printf "%s", last}' > root-ca.crt
Or better yet, extract all certificates and review them:
openssl s_client -showcerts -connect git.example.internal:443 </dev/null 2>/dev/null | \
sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > chain.pem
Step 3: Verify the Certificate
Before trusting it, inspect what you downloaded:
openssl x509 -in root-ca.crt -text -noout
Check the Subject and Issuer fields to confirm it’s your organization’s CA. For a root CA the two are identical (the certificate is self-signed); if they differ, you have an intermediate, not the root.
Step 4: Install the Root CA Certificate
Ubuntu/Debian:
sudo cp root-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
RHEL/CentOS/Fedora:
sudo cp root-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
macOS:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain root-ca.crt
Windows (PowerShell as Administrator):
Import-Certificate -FilePath root-ca.crt -CertStoreLocation Cert:\LocalMachine\Root
Step 5: Verify the Fix
openssl s_client -connect git.example.internal:443 -CAfile root-ca.crt </dev/null
Look for “Verify return code: 0 (ok)” in the output.
Then test Git:
git clone https://git.example.internal/myrepo.git
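Steps 2 and 3 above extract one certificate and then check its Subject and Issuer by hand. The following script, added here as an example and not part of the original page, automates that: it splits a PEM chain as captured from openssl s_client -showcerts into individual certificates, picks the self-signed one (Subject equal to Issuer, i.e. the root) instead of assuming a position, and verifies the server certificate against it. It assumes openssl is installed; the chain, key names and the "Example Internal Root CA" subject are constructed locally so it runs offline.

```shell
# Added example (not the page's own code): split a PEM chain captured from
# `openssl s_client -showcerts`, pick the self-signed block (Subject == Issuer,
# i.e. the root CA) instead of assuming a position, and verify the server
# certificate against it. Assumes openssl is installed; the chain is constructed
# locally so the script runs offline.
set -eu
WORK=$(mktemp -d)
# Constructed demo chain: a self-signed root CA plus a leaf certificate it signs.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=git.example.internal" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null
  cat "$WORK/leaf.crt" "$WORK/root.crt" > "$WORK/chain.pem"   # s_client order: leaf first
}
# Split file $1 into $2/cert-1.pem, $2/cert-2.pem, ... and print how many blocks were found.
split_chain() {
  awk -v dir="$2" '
    /BEGIN CERTIFICATE/ { n++; f = dir "/cert-" n ".pem" }
    f                   { print > f }
    /END CERTIFICATE/   { close(f); f = "" }
    END                 { print n + 0 }' "$1"
}
# Print the path of the self-signed certificate under $1; fail if the chain has none.
find_root() {
  for c in "$1"/cert-*.pem; do
    s=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$c" -noout -issuer  | sed 's/^issuer=//')
    [ "$s" = "$i" ] && { echo "$c"; return 0; }
  done
  return 1
}
# End to end: prints "<count> <root path>" and returns 0 only if cert-1 verifies against the root.
demo() {
  make_demo_chain
  n=$(split_chain "$WORK/chain.pem" "$WORK")
  root=$(find_root "$WORK")
  openssl verify -CAfile "$root" "$WORK/cert-1.pem" >/dev/null 2>&1 && echo "$n $root"
}
demo
```

On a real chain, replace chain.pem with the output of the sed command from Step 2; if find_root prints nothing, the server did not send its root and you must obtain it from your PKI team.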
Alternative: Git-Specific Configuration
If you cannot modify system trust stores (limited permissions), configure Git to trust the certificate. Note that http.sslCAInfo replaces Git's default CA bundle for the requests it applies to, so a global setting pointing at only the internal root will break clones from public hosts; prefer the per-repository form below (or scope the option to the internal host with Git's http.<url>.* syntax).
git config --global http.sslCAInfo /path/to/root-ca.crt
Or for a specific repository:
git config http.sslCAInfo /path/to/root-ca.crt
Why This Is Better
- Trusts the root CA, not just one server – Works for all servers signed by your internal CA
- More secure – Validates the entire chain of trust
- Proper certificate validation – Maintains security while solving the problem
- Follows PKI best practices – Aligns with how certificate trust is meant to work
Security Notes
- Only trust certificates from sources you control or verify
- Never disable SSL verification in production environments
- Consider using proper certificate management tools for enterprise environments
- Rotate certificates before expiration and update trust stores accordingly
