SSL certificate problem: Unable to get local issuer certificate

Platform Notice: Data Center Only - This article only applies to Atlassian apps on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

The following is seen on the command line when pushing or pulling:

SSL Certificate problem: unable to get local issuer

Cause

There are two potential causes that have been identified for this issue.

  1. A self-signed certificate cannot be verified.

  2. Default Git crypto backend (Windows clients)

Pick the right resolution

| Your situation | Go to |
| --- | --- |
| Self-signed certificate — you control the certificate authority | Resolution #1 — add the CA certificate to Git's trust store |
| Corporate certificate — issued by your company's internal CA | Resolution #1 — add the corporate root CA to Git's trust store |
| Windows client with default Git crypto backend (Secure Channel) | Resolution #2 — switch to OpenSSL backend |
| Temporary workaround only (not production) | Workaround — disable SSL verification (security risk — remove after troubleshooting) |

Resolution

Resolution #1 - Self Signed certificate

Workaround

Tell Git not to validate the certificate, using the global option:

git config --global http.sslVerify false

The command git config --global http.sslVerify false disables SSL certificate validation for all Git operations globally. This exposes Git traffic to man-in-the-middle attacks. Disabling SSL verification globally is a security risk: use it only as a temporary diagnostic step, and re-enable verification immediately after testing:

git config --global http.sslVerify true

Resolution - Client Side

Note that this article refers to the Certificate Authority by the acronym CA.

There are several ways this issue has been resolved previously. Below we suggest possible solutions that should be run on the client side:

  1. Ensure the root cert is added to git.exe's certificate store. The location of this file depends on how and where Git was installed. For instance, the trusted certificate store directory for Git Bash is C:\Program Files\Git\mingw64\ssl\certs. This is also discussed on this Microsoft blog.

  2. Tell Git where to find the CA bundle, either by running:

    git config --system http.sslCAPath /absolute/path/to/git/certificates

    where /absolute/path/to/git/certificates is the path to where you placed the file that contains the CA certificate(s).

    or by copying the CA bundle to the /bin directory and adding the following to the gitconfig file:

    [http]
        sslCAInfo = /bin/curl-ca-bundle.crt

  3. Reinstall Git.

  4. Ensure that the complete certificate chain is present in the CA bundle file, including the root cert.

Resolution - Server Side

This issue can also happen on configurations where Bitbucket Server is secured with an SSL-terminating connector rather than a proxy.

  1. Ensure that the Java KeyStore has the entire certificate chain (Intermediate CA and Root CA)

    • View the Certificate Chain Details inside the KeyStore using a tool like the KeyStore Explorer to check

Resolution #2 - Default GIT crypto backend

On Windows, the problem is that Git by default uses the "Linux" crypto backend, so the Git operation may occasionally fail to complete. Starting with Git for Windows 2.14, you can configure Git to use SChannel, the built-in Windows networking layer, as the crypto backend. To do that, run the following command in the Git client:

git config --global http.sslbackend schannel

This means that it will use the Windows certificate storage mechanism and you don't need to explicitly configure the curl CA storage (http.sslCAInfo) mechanism.

Verification

  1. Re-run the failing git command (push or pull) with the GIT_CURL_VERBOSE=1 environment variable set to see the SSL handshake.

  2. If the command succeeds, the certificate is now trusted.

  3. If you used the sslVerify false workaround and it now works, the certificate is the problem — proceed with Resolution #1 to fix it properly, then re-enable SSL verification.

  4. Confirm SSL verification is re-enabled: git config --global http.sslVerify should return true
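
Step 4 reads only the global scope. The shell functions below are an added example, not part of the original article: they check every config scope Git reads, per-URL http.<url>.sslVerify entries and the GIT_SSL_NO_VERIFY environment variable for a leftover workaround. The sample config lines and the host git.example.internal are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article.

# Constructed sample in `git config --list --show-origin` format
# (origin<TAB>key=value); git.example.internal is a placeholder host.
constructed_sample() {
    printf 'file:C:/Program Files/Git/etc/gitconfig\thttp.sslbackend=schannel\n'
    printf 'file:C:/Users/dev/.gitconfig\thttp.sslverify=false\n'
    printf 'file:C:/Users/dev/.gitconfig\thttp.https://git.example.internal/.sslverify=FALSE\n'
    printf 'file:.git/config\thttp.sslverify=true\n'
}

# Reads that format on stdin and prints each entry that turns certificate
# verification off, including per-URL http.<url>.sslVerify keys.
find_disabled_tls_checks() {
    awk -F '\t' '{
        eq = index($2, "=")
        if (eq == 0) next                    # bare key: Git reads it as true
        key = tolower(substr($2, 1, eq - 1))
        val = tolower(substr($2, eq + 1))
        if (key !~ /^http\.(.*\.)?sslverify$/) next
        if (val == "false" || val == "no" || val == "off" || val == "0" || val == "")
            print $1 "\t" $2
    }'
}

# Audits the live client: all config scopes plus the GIT_SSL_NO_VERIFY
# environment variable, which disables verification whenever it is set.
audit_git_tls() {
    status=0
    found=$(git config --list --show-origin 2>/dev/null | find_disabled_tls_checks)
    if [ -n "$found" ]; then
        printf 'Certificate verification disabled by:\n%s\n' "$found"
        status=1
    fi
    if [ -n "${GIT_SSL_NO_VERIFY+set}" ]; then
        echo 'GIT_SSL_NO_VERIFY is set in the environment'
        status=1
    fi
    return "$status"
}

# Usage: run `audit_git_tls` after troubleshooting; a non-zero status means
# a workaround is still in place.
```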

Updated on June 23, 2026
