The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 4,183 other subscribers

Enabling GIT_CURL_VERBOSE to research “unable to get local issuer certificate”

Posted by jpluimers on 2015/05/28

A while ago, I was fighting a corporate web proxy playing Man-in-the-Middle on all https sessions.

Though playing MitM on your employees is a debatable thing to do (especially without informing the employees, and illegal in certain countries, I had to get a GIT connection to the outside world working.

This helped tracking it down: GIT_CURL_VERBOSE “unable to get local issuer certificate”.

What I finally did was this:

  1. obtain the CA certificate that issues the MitM certificate in base-64 CRT form (which is the same as the PEM form):
  2. added it at the top of either of these files:
    • "%ProgramFiles%\Git\bin\curl-ca-bundle.crt"
    • "%ProgramFiles(x86)%\Git\bin\curl-ca-bundle.crt"
  3. added it to the top of either of these files:
    • "%ProgramFiles%\Mercurial\cacert.pem"
    • "%ProgramFiles(x86)%\Mercurial\cacert.pem"


PS: These were the failures I was getting:

Git (using the CURL verbose setting)

C:\Temp>git clone
Cloning into 'fastmm'...
* Couldn't find host in the _netrc file; using defaults
* Adding handle: conn: 0x224d838
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x224d838) send_pipe: 1, recv_pipe: 0
* About to connect() to proxy localhost port 3128 (#0)
*   Trying
* Connected to localhost ( port 3128 (#0)
* Establish HTTP proxy tunnel to
User-Agent: git/1.9.4.msysgit.0
Proxy-Connection: Keep-Alive
Pragma: no-cache

< HTTP/1.0 200 Connection established
< Connection: close
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: C:\Program Files (x86)\Git/bin/curl-ca-bundle.crt
  CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
fatal: unable to access '': SSL certificate problem: unable to get local issuer certificate

Hg (using the –debug command option)

C:\Temp>hg --debug clone
proxying through http://localhost:3128
sending capabilities command
abort: error: _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: