SSL Certificate Problem: Unable to Get Local Issuer Certificate – Explained & Fixed

If you're working with APIs, Git, Python scripts, or Docker, you’ve probably stumbled upon this frustrating error at some point:

SSL certificate problem: unable to get local issuer certificate

 

It can appear out of nowhere, even in simple operations like git clone, curl, or when sending HTTPS requests from a local script. This blog breaks down what this error means, why it happens, and—most importantly—how to fix it across different tools and platforms.

What Does This Error Mean?


At its core, the error:

SSL certificate problem: unable to get local issuer certificate

 

means that your system doesn’t trust the SSL certificate of the server you're trying to connect to.

Why? Because your local system or tool cannot validate the server’s certificate chain, specifically the intermediate or root certificate—aka, the “local issuer certificate.”

In simpler terms: You’re trying to talk to a server over HTTPS, and your machine is saying, "I don’t know who signed this certificate, so I’m not trusting it."

⚠️ Common Situations Where This Error Occurs


This SSL error is notorious for appearing in many environments:

  • Git (on Windows/macOS): When cloning from or pushing to a remote repository.


  • cURL: While trying to access a remote API or HTTPS website.


  • Python requests: Making GET or POST calls via requests or similar HTTP libraries.


  • Node.js: Making https or axios calls.


  • Docker containers: When your app makes HTTPS calls from inside a container with no certs.


  • CI/CD Pipelines: Especially on custom runners or minimal environments.



Why This Error Happens


There are a few key reasons why this happens:

  1. Missing CA Certificates: Your machine doesn't have the root certificates installed (or updated).


  2. Outdated Certificate Bundle: Your certificate store doesn’t recognize the Certificate Authority (CA) that issued the server’s SSL certificate.


  3. Corporate Proxy or Firewall: Enterprise environments often intercept SSL traffic using custom root CAs that your system may not recognize.


  4. Docker Images or Minimal Systems: Alpine Linux, for example, ships with almost no certificates by default.


  5. Misconfigured Server Certificate: Sometimes the server itself is misconfigured and doesn’t send the full certificate chain.



How to Fix It (Step-by-Step)


1. Git Users (Windows)


If you're using Git Bash or a Git client on Windows, save a trusted CA bundle to disk (the command below assumes C:/certs/cacert.pem), then run:

git config --global http.sslCAInfo "C:/certs/cacert.pem"



This tells Git where to look for valid certificate authorities.

2. Fixing it in cURL


You can pass the CA bundle using:

curl --cacert /path/to/cacert.pem https://example.com

 

Or, to disable SSL verification (not recommended):

curl -k https://example.com

 

⚠️ Warning: Disabling SSL checks can expose you to man-in-the-middle (MITM) attacks.

3. Python Requests Fix


If using the requests library in Python:

import requests

response = requests.get(
    'https://example.com',
    verify='/path/to/cacert.pem'
)

 

Or set the environment variable globally:

export REQUESTS_CA_BUNDLE=/path/to/cacert.pem

 

4. Docker & Containers


Lightweight images often lack a CA bundle. Fix it by installing certificates inside the Dockerfile:

For Debian/Ubuntu base images:

RUN apt-get update && apt-get install -y ca-certificates

 

For Alpine:

RUN apk add --no-cache ca-certificates

 

5. Node.js or Axios


You can specify the CA file manually in your HTTP request, or globally set the environment variable:

export NODE_EXTRA_CA_CERTS=/path/to/cacert.pem

 

Or, in code (not ideal for production):

process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0;

 

⚠️ Again, skipping SSL verification is a dangerous workaround, suitable only for quick local testing.

Pro Tips



  • Always try to fix the root cause, not just silence the error.


  • Keep your system's CA certificates up to date.


  • In enterprise setups, import your company’s root CA into the system's trust store.


  • In CI/CD, make sure to bundle or install CA certificates in your build environment.
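
To find the root cause before changing any setting, the following added example (not part of the original article) attempts a verified handshake with Python's standard ssl module and maps OpenSSL's verify code to the causes listed earlier. The function names, the hint wording and the example.com default are assumptions of this example.

```python
import socket
import ssl

# OpenSSL X509 verify codes mapped to the causes this article lists.
# Hint wording is this example's own (an assumption), not OpenSSL output.
HINTS = {
    20: "issuer not found in local trust store: missing or outdated CA "
        "bundle, or the server omitted an intermediate",
    21: "leaf's issuer not found and no chain was sent: usually an "
        "incomplete chain on the server",
    19: "chain ends in an untrusted root: typical of a TLS-inspecting "
        "proxy, import the corporate root CA",
    18: "server presents a self-signed certificate",
    10: "certificate has expired: not a trust-store problem",
}


def explain(verify_code):
    """Return the likely cause for an OpenSSL verify code."""
    return HINTS.get(verify_code, f"unmapped verify code {verify_code}")


def build_context(extra_ca_file=None):
    """Keep verification on; add extra_ca_file to the system trust store."""
    ctx = ssl.create_default_context()
    if extra_ca_file:
        ctx.load_verify_locations(cafile=extra_ca_file)
    return ctx


def diagnose(host, port=443, extra_ca_file=None, timeout=5.0):
    """Attempt a verified handshake; return (ok, verify_code, detail)."""
    ctx = build_context(extra_ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, 0, f"chain verified over {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        code = getattr(exc, "verify_code", None)
        message = getattr(exc, "verify_message", str(exc))
        return False, code, f"{message}: {explain(code)}"
    except OSError as exc:
        return False, None, f"no certificate verdict (connection error): {exc}"


if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Passing extra_ca_file adds a corporate root on top of the system store, so public sites keep verifying while the proxy's certificates become trusted.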



✅ Summary


The “SSL certificate problem: unable to get local issuer certificate” error may look cryptic, but it boils down to one thing: your machine doesn't trust the server’s certificate.

With the right certificate bundles and environment configurations, you can usually solve this error within minutes—whether you're working with Git, Python, Docker, or any other HTTP tool.

By learning the underlying cause, you avoid temporary workarounds and instead build secure, future-proof solutions.

Read more on https://keploy.io/blog/community/ssl-problem-unable-to-get-local-issuer-certificate

 
