Fix Git error "SSL certificate problem: self-signed certificate in certificate chain" in Bitbucket Cloud
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
While performing any Git operations, the user encounters the following error message:
SSL certificate problem: self-signed certificate in certificate chain
Diagnosis
To inspect the certificate chain presented during the connection to Bitbucket Cloud, you can run the following command:
openssl s_client -connect bitbucket.org:443 -showcerts
If the chain includes a self-signed certificate or one issued by an unrecognized certificate authority, it likely indicates interception by a proxy, firewall, or antivirus.
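The chain check described above, as an added example (not Atlassian's own script): it splits a saved `openssl s_client -showcerts` capture into individual certificates and marks the one whose subject equals its issuer, printing its SHA-256 fingerprint so you can compare it with the value your network or security team publishes for its inspection CA before you trust it. The function names and the throwaway "Constructed Proxy CA" sample chain are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag the self-issued cert in a saved s_client -showcerts capture.

# Split the PEM blocks on stdin into $1/cert01.pem, $1/cert02.pem, ...
split_chain() {
  awk -v d="$1" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%02d.pem", d, ++n); on = 1 }
    on { print > f }
    /-----END CERTIFICATE-----/ { on = 0; close(f) }'
}

# Print "<kind> <SHA-256 fingerprint> <subject>" for one PEM file.
describe_cert() {
  kind=ca-issued
  if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
       "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
    kind=self-issued   # subject == issuer: a root, or a proxy's own CA
  fi
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  printf '%s %s %s\n' "$kind" "$fp" "$subj"
}

# Describe every certificate in capture file $1, in the order presented.
inspect_chain() {
  tmp=$(mktemp -d) || return 1
  split_chain "$tmp" < "$1"
  for c in "$tmp"/cert*.pem; do
    if [ -f "$c" ]; then describe_cert "$c"; fi
  done
  rm -rf "$tmp"
}

# Constructed sample: a throwaway CA and a leaf it signs, written to
# $1/capture.txt leaf first, as s_client -showcerts orders them.
make_constructed_capture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Proxy CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=bitbucket.org" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null &&
  cat "$1/leaf.pem" "$1/ca.pem" > "$1/capture.txt"
}

# Usage: openssl s_client -connect bitbucket.org:443 -showcerts </dev/null > capture.txt
#        sh inspect_chain.sh capture.txt
if [ "$#" -gt 0 ]; then inspect_chain "$1"; fi
```

A `self-issued` line whose subject names a proxy, firewall, or antivirus product rather than a public certificate authority is the certificate Git is rejecting.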
Cause
The error indicates that your Git client does not trust an SSL certificate presented during the connection to Bitbucket Cloud because it is self-signed.
Bitbucket Cloud's certificate is signed by a trusted certificate authority. The most likely reason for this error is that a proxy, firewall, or antivirus on your network intercepts the connection to Bitbucket Cloud and presents its self-signed certificate.
Solution
Configure Git to trust the self-signed certificate
You can configure Git to trust the self-signed certificate by setting the http.sslCAInfo option in your Git configuration. Run the following command, replacing /path/to/ca.pem with the actual path to the self-signed certificate file on your system:
$ git config --global http.sslCAInfo /path/to/ca.pem
The flag --global in the command means that this setting will apply to all repositories you work with on this computer under your user account. If you use a Git GUI client instead of Git from the command line, ensure that this client reads and respects the ~/.gitconfig file where this setting is stored.
Windows System
If you are using Windows and the self-signed certificate has been added to the Trusted Root Certification Authorities in the Windows certificate store, you can add the following configuration in your Git config:
$ git config --global http.sslBackend schannel
This sets the Secure Channel (Schannel) library as the SSL backend for Git's HTTPS communication. The Schannel library is part of the Windows operating system and is well-integrated with its security features. Once you have configured this, Git will use the Windows certificate store and should not require the http.sslCAInfo configuration setting.
This config does not bypass SSL validation. It only sets the SSL backend used by Git for its HTTPS communication. The Schannel library, like other SSL backends, is designed to perform SSL validation by default, which includes verifying the authenticity of the SSL certificate presented by the remote server. The Schannel library is a secure SSL backend, supporting strong encryption algorithms and certificate validation.