Server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
TLDR:
hostname=XXX
port=443
trust_cert_file_location=`curl-config --ca`
# Appends every certificate the server presents to the CA bundle
sudo bash -c "echo -n | openssl s_client -showcerts -connect $hostname:$port -servername $hostname \
    2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
    >> $trust_cert_file_location"
Warning: as noted in gareththered's excellent answer, this adds all certificates, instead of only the Root CAs.
Blindly adding all (any) certificate to your trustStore without due diligence is not the best course of action.
Long answer
The basic reason is that your computer doesn't trust the certificate authority that signed the certificate used on the Gitlab server. This doesn't mean the certificate is suspicious, but it could be self-signed or signed by an institution/company that isn't in your OS's list of CAs. What you have to do to circumvent the problem on your computer is telling it to trust that certificate – if you don't have any reason to be suspicious about it.
You need to check the web certificate used for your gitLab server, and add it to your <git_installation_folder>/bin/curl-ca-bundle.crt.
To check if at least the clone works without checking said certificate, you can set:
export GIT_SSL_NO_VERIFY=1
#or
git config --global http.sslverify false
But that would be for testing only, as illustrated in "SSL works with browser, wget, and curl, but fails with git", or in this blog post.
Check your GitLab settings, as in issue 4272.
To get that certificate (that you would need to add to your curl-ca-bundle.crt file), type:
echo -n | openssl s_client -showcerts -connect yourserver.com:YourHttpsGitlabPort \
    2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
(with yourserver.com being your GitLab server name, and YourHttpsGitlabPort is the https port, usually 443)
To check the CA (Certificate Authority issuer), type:
echo -n | openssl s_client -showcerts -connect yourserver.com:YourHttpsGitlabPort \
    2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
    | openssl x509 -noout -text | grep 'CA Issuers' | head -1
Note: Valeriy Katkov suggests in the comments to add the -servername option to the openssl command, otherwise the command doesn't show the certificate for www.github.com in Valeriy's case.
openssl s_client -showcerts -servername www.github.com -connect www.github.com:443
Findekano adds in the comments:
to identify the location of curl-ca-bundle.crt, you could use the command curl-config --ca
Also, see my more recent answer "github: server certificate verification failed": you might have to reinstall those certificates:
sudo apt-get install --reinstall ca-certificates
sudo mkdir /usr/local/share/ca-certificates/cacert.org
sudo wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
sudo update-ca-certificates
git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
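The warning above says the TLDR command appends every certificate the server presents rather than only a root CA. The following is an added example, not part of any answer on this page: it splits the s_client output into one file per certificate and reports which, if any, is self-issued (subject equals issuer) together with its SHA-256 fingerprint, without touching a trust store. The function names and the ./chain directory are hypothetical.

```sh
# Added example, not from the answers above. Function names are hypothetical.
# Needs: POSIX sh, awk, openssl.

# split_pem DIR: read text on stdin, write each PEM certificate to DIR/cert-N.pem,
# print how many were found. Text outside BEGIN/END markers is dropped.
split_pem() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }'
}

# name_of FILE FIELD: print the subject or issuer DN in one canonical form.
name_of() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# is_self_issued FILE: true when subject == issuer, i.e. a root CA candidate.
is_self_issued() {
  [ "$(name_of "$1" subject)" = "$(name_of "$1" issuer)" ]
}

# describe_chain DIR COUNT: one tab-separated line per certificate (file, role,
# subject, SHA-256 fingerprint); returns 1 when none of them is self-issued.
describe_chain() {
  rc=1; i=1
  while [ "$i" -le "$2" ]; do
    f="$1/cert-$i.pem"; role="leaf-or-intermediate"
    if is_self_issued "$f"; then role="self-issued"; rc=0; fi
    printf '%s\t%s\t%s\t%s\n' "$f" "$role" "$(name_of "$f" subject)" \
      "$(openssl x509 -in "$f" -noout -fingerprint -sha256 | sed 's/^.*=//')"
    i=$((i + 1))
  done
  return "$rc"
}

# review_chain HOST PORT DIR: fetch what the server presents and describe it.
# Nothing is written to any trust store.
review_chain() {
  mkdir -p "$3"
  count=$(openssl s_client -showcerts -servername "$1" -connect "$1:$2" \
            </dev/null 2>/dev/null | split_pem "$3")
  describe_chain "$3" "$count" ||
    echo "no self-issued certificate sent; obtain the root CA from its owner" >&2
}

if [ "$#" -ge 2 ]; then review_chain "$1" "$2" "${3:-./chain}"; fi
```

Only after the fingerprint of a self-issued certificate matches the value obtained from the CA's owner through a separate channel would that single file be copied, with a .crt extension, under /usr/local/share/ca-certificates/ and picked up with sudo update-ca-certificates. Many servers do not send their root at all, which is why the function reports that case instead of falling back to trusting the leaf.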
Note: This has major security implications.
Open your terminal and run the following command:
export GIT_SSL_NO_VERIFY=1
It works for me and I am using a Linux system.
Another cause of this problem might be that your clock might be off. Certificates are time sensitive.
To check the current system time:
date -R
You might consider installing NTP to automatically sync the system time with trusted internet timeservers from the global NTP pool. For example, to install on Debian/Ubuntu:
apt-get install ntp