SSL: 'unable to get local issuer certificate'

I am using OSX: 10.12.4

I originally was able to use git, homebrew and curl without any problems. I don’t remember what I did to cause it, but all of a sudden these SSL errors started appearing in my git commands.

    I get unable to get local issuer certificate errors on running any git command. In addition, I get the error when trying to reinstall git using brew install git.

    The relevant part of brew output:

    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here:

    I have tried:

    • Rebooting
    • Moving the ~/Library/Keychains folder to ~/Desktop and then rebooting
    • Navigating to on Safari, and viewing the certificate. According to [these instructions](cannot post more than 2 links, sorry), there should be a checkbox to “Always trust” the site. I do not see this checkbox.
    • I was going to try keychain first aid, however, this feature has been removed in the most recent Mac OS.
    • I tried looking through many other similar questions, however, with many, I had trouble understanding or following the instructions in the answers.

    For example, perhaps squid808’s answer to a similar question could help me. He says “Instead, it is the Root CA Cert from our domain that I should have been exporting and telling Git to trust.” I have little understanding of what this means or if it is relevant to me, or how I would go about doing this. Based on my research it seems like this is more for people running servers. It also seems to be for Windows, and I am on Mac.

    I understand that as a temporary fix I can use git config --global http.sslVerify false in addition to the -k option in curl. These workarounds are insecure, so I’d like to get my SSL security back up and running ASAP.

    Output of curl -L | bash -s stable (part of a brew attempt that similarly fails)

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here:
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.


    • If the following attempts I’ve made to solve this seem scattered and disorganized, it is because I am confused if this is an issue more relevant to git, curl, or perhaps neither and just SSL certificates in general. Please let me know if the tags for this question should be fixed.
    • I could have posted more relevant links and images, but I am limited by reputation.

    I have another account that I was not able to maintain a positive reputation on. I am trying to identify and fix everything I was doing wrong before. Any feedback on how I can improve the quality of this question would be much appreciated. Thank you.

2 Solutions collected from the web for “SSL: 'unable to get local issuer certificate'”

    This is similar to what was reported in Homebrew/brew issue 1625, and documented by Eduard Rozenberg (edrozenberg):

    Similar-sounding problems also reported by John Siracusa of ATP Podcast on the Dec 7 podcast.

    Most likely trigger for the problem: enabling iCloud Keychain in iCloud settings

    One or more observable symptoms when issue is happening:

    • A pop-up MacOS message that keychain has to be repaired/reset
    • When looking at Keychain Access tool, keychains appear to be empty and set to Read-Only mode
    • When looking at Keychain Access tool, keychain icons on sidebar are missing (dotted borders)
    • Trying to navigate to in Google Chrome fails with an SSL CERT error
    • Running brew search pip for example, shows the curl (35) certificate error message

    The problem can be temporarily resolved by logging out and back in, and/or rebooting. After it is resolved, the Keychain Access tool will show all the keychains and their contents as it should. The problem is likely to recur at a later time.

    Hoping (fingers X) that a Mac OS patch (maybe 10.12.2?) will resolve the root cause.

    Otherwise one idea is to disable the iCloud Keychain option in iCloud prefs (have not yet tried).

    Since you are on Mac Sierra 10.12.4… I suspect no patch has solved this yet.

    This other issue mentions (by jamver):

    I encountered this issue specifically after updating to macOS Sierra (10.12), with resolution coming from the workaround from this legacy-homebrew ticket:

    cd ~
    sudo wget
    export CURL_CA_BUNDLE=~/cacert.pem

    FWIW, this solved most, but not all issues. The others I resolved by manually downloading the packages using wget and placing them in the Homebrew Cache Dir.

    I’d be interested to know the correct fix. e.g. Update system ca bundle? Apple patch required for system bundle?

    I needed to run brew doctor and fix an issue. Then I needed to restart my shell. Finally, after those 2 steps, brew install worked again.

    Unfortunately, I was not able to identify which warning was pointing at the perpetrator. When I first ran brew doctor, there were probably about 10 warnings. I cleared a lot of them before I realized I needed to restart my shell, and after restarting it worked.

    I think I found the root of the problem:

    Warning: Setting DYLD_* vars can break dynamic linking.
    Set variables:
      DYLD_LIBRARY_PATH: /Applications/MATLAB/MATLAB_Runtime/v92/runtime/maci64:/Applications/MATLAB/MATLAB_Runtime/v92/sys/os/maci64:/Applications/MATLAB/MATLAB_Runtime/v92/bin/maci64

    Commenting out the line

    set -x DYLD_LIBRARY_PATH /Applications/MATLAB/MATLAB_Runtime/v92/runtime/maci64:/Applications/MATLAB/MATLAB_Runtime/v92/sys/os/maci64:/Applications/MATLAB/MATLAB_Runtime/v92/bin/maci64

    in ~/.config/fish/ and then restarting my shell seems to fix the problem for me so far.

    Thanks @VonC for referencing the issue that led me to attempt brew doctor.
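
Added example (not part of the original question or answers): a shell audit for the settings this thread touches, namely the DYLD_* override from the last answer, the CURL_CA_BUNDLE workaround, and the http.sslVerify false workaround from the question. The function name audit_tls_settings, the sample_input helper and the placeholder home directory and user name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the posts above. Reads NAME=value lines, as
# printed by `env` and `git config --list`, and flags the settings discussed on
# this page that redirect or disable certificate verification for curl and git.
# Exit status: 0 = nothing flagged, 1 = WARN/INFO only, 2 = verification is off.

audit_tls_settings() {
  worst=0
  bump() { [ "$worst" -ge "$1" ] || worst=$1; }
  while IFS= read -r line; do
    case "$line" in *=*) ;; *) continue ;; esac
    name=${line%%=*}
    value=${line#*=}
    case "$name" in
      DYLD_*)
        # Can make curl/git load another product's libcurl/libssl.
        echo "WARN $name redirects library loading: $value"; bump 1 ;;
      CURL_CA_BUNDLE|SSL_CERT_FILE|SSL_CERT_DIR|GIT_SSL_CAINFO|http.sslcainfo)
        echo "INFO $name replaces the default CA bundle: $value"; bump 1 ;;
      GIT_SSL_NO_VERIFY)
        # git disables verification when this is set to any value.
        echo "FAIL $name is set; git skips certificate verification"; bump 2 ;;
      http.sslverify|http.*.sslverify)
        # `git config --list` prints key names in lower case.
        case "$value" in
          false|False|FALSE|no|off|0)
            echo "FAIL $name=$value; git skips certificate verification"; bump 2 ;;
        esac ;;
    esac
  done
  return "$worst"
}

# Constructed sample input: the values mirror those quoted on this page,
# the home directory and user name are placeholders.
sample_input() {
  cat <<'EOF'
HOME=/Users/example
DYLD_LIBRARY_PATH=/Applications/MATLAB/MATLAB_Runtime/v92/runtime/maci64
CURL_CA_BUNDLE=/Users/example/cacert.pem
user.name=example
http.sslverify=false
EOF
}

# Demo on the sample. On a real machine: { env; git config --list; } | audit_tls_settings
sample_input | audit_tls_settings || echo "exit status: $?"
```

A FAIL line means the insecure workaround is still in place and should be reverted once the trust store works again; a WARN or INFO line shows where curl or git is being pointed away from the system defaults.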
