SSL: 'unable to get local issuer certificate'
I am using OSX: 10.12.4
I am getting `unable to get local issuer certificate` errors on running any git command. In addition, I get the error when trying to reinstall git using `brew install git`.
The relevant part of brew output:
```
Downloading https://www.kernel.org/pub/software/scm/git/git-2.12.2.tar.xz
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
```
I have tried:
- Moving the ~/Library/Keychains folder to ~/Desktop and then rebooting
- Navigating to https://www.kernel.org/pub/software/scm/git on Safari, and viewing the certificate. According to [these instructions](cannot post more than 2 links, sorry), there should be a checkbox to “Always trust” the site. I do not see this checkbox.
- I was going to try keychain first aid, however, this feature has been removed in the most recent Mac OS.
- I tried looking through many other similar questions, however, with many, I had trouble understanding or following the instructions in the answers.
For example, perhaps squid808’s answer to a similar question could help me. He says “Instead, it is the Root CA Cert from our domain that I should have been exporting and telling Git to trust.” I have little understanding of what this means or if it is relevant to me, or how I would go about doing this. Based on my research it seems like this is more for people running servers. It also seems to be for windows, and I am on Mac.
I understand that as a temporary fix I can use `git config --global http.sslVerify false` in addition to the `-k` option in curl. These workarounds are insecure, so I’d like to get my SSL security back up and running ASAP.
`curl -L https://homebrew.bintray.com/bottles/libpng-1.6.29.sierra.bottle.tar.gz | bash -s stable` (part of a brew attempt that similarly fails)

```
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
```
- If the following attempts I’ve made to solve this seem scattered and disorganized, it is because I am confused if this is an issue more relevant to git, curl, or perhaps neither and just SSL certificates in general. Please let me know if the tags for this question should be fixed.
- I could have posted more relevant links and images, but I am limited by reputation.
I have another account that I was not able to maintain a positive reputation on. I am trying to identify and fix everything I was doing wrong before. Any feedback on how I can improve the quality of this question would be much appreciated. Thank you.
2 Solutions collected from the web for “SSL: 'unable to get local issuer certificate'”
This is similar to what was reported in Homebrew/brew issue 1625, and documented by Eduard Rozenberg (
Similar-sounding problems also reported by John Siracusa of ATP Podcast on the Dec 7 podcast.
Most likely trigger for the problem: enabling iCloud Keychain in iCloud settings
One or more observable symptoms when issue is happening:
- A pop-up MacOS message that keychain has to be repaired/reset
- When looking at Keychain Access tool, keychains appear to be empty and set to Read-Only mode
- When looking at Keychain Access tool, keychain icons on sidebar are missing (dotted borders)
- Trying to navigate to https://google.com in Google Chrome fails with an SSL CERT error
- Running `brew search pip`, for example, shows the curl (35) certificate error message
The problem can be temporarily resolved by logging out and back in, and/or rebooting. After it is resolved, the Keychain Access tool will show all the keychains and their contents as it should. The problem is likely to recur at a later time.
Hoping (fingers X) that a Mac OS patch (maybe 10.12.2?) will resolve the root cause.
Otherwise one idea is to disable the iCloud Keychain option in iCloud prefs (have not yet tried).
Since you are on Mac Sierra 10.12.4… I suspect no patch has solved this yet.
This other issue mentions (by jamver):
I encountered this issue specifically after updating to macOS Sierra (10.12), with resolution coming from the workaround from this legacy-homebrew ticket:
```
cd ~
sudo wget http://curl.haxx.se/ca/cacert.pem
export CURL_CA_BUNDLE=~/cacert.pem
```
FWIW, this solved most, but not all issues. The others I resolved by manually downloading the packages using wget and placing them in the Homebrew Cache Dir.
I’d be interested to know the correct fix. e.g. Update system ca bundle? Apple patch required for system bundle?
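The workaround quoted above turns a file fetched over plain HTTP into the trust anchor for later curl downloads, so its contents matter. The following is an added example (not part of the original answer) that accepts a bundle only if it matches a SHA-256 digest obtained separately over a trusted channel; the helper names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a downloaded CA bundle against a pinned digest before
# pointing CURL_CA_BUNDLE at it. sha256_of and check_bundle are hypothetical
# helper names, not part of curl, git or Homebrew.

# sha256_of FILE: print the hex SHA-256 using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# check_bundle FILE EXPECTED_SHA256: succeed only if FILE matches the pinned
# digest and contains at least one PEM certificate block.
check_bundle() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 2; }
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch: $1" >&2
        return 1
    fi
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    [ "$n" -gt 0 ] || { echo "no certificates in $1" >&2; return 1; }
    echo "ok: $n certificate(s)"
}

# Constructed sample standing in for cacert.pem (not a real certificate).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo_dir/cacert.pem"

# In practice the pinned value comes from a trusted channel, not from the
# file itself; it is computed here only so the demo runs offline.
pinned=$(sha256_of "$demo_dir/cacert.pem")
check_bundle "$demo_dir/cacert.pem" "$pinned"

# A bundle modified after the digest was recorded is rejected.
echo 'extra line' >> "$demo_dir/cacert.pem"
check_bundle "$demo_dir/cacert.pem" "$pinned" || echo "rejected"
rm -rf "$demo_dir"
```

Once a bundle passes, it can be applied to a single command (`CURL_CA_BUNDLE=/path/to/cacert.pem curl ...`) instead of being exported for the whole session.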
I needed to run `brew doctor` and fix an issue. Then I needed to restart my shell. Finally, after those 2 steps, `brew install` worked again.
Unfortunately, I was not able to identify which warning was pointing at the perpetrator. When I first ran `brew doctor`, there were probably about 10 warnings. I cleared a lot of them before I realized I needed to restart my shell, and after restarting it worked.
I think I found the root of the problem:
```
Warning: Setting DYLD_* vars can break dynamic linking.
Set variables:
    DYLD_LIBRARY_PATH: /Applications/MATLAB/MATLAB_Runtime/v92/runtime/maci64:/Applications/MATLAB/MATLAB_Runtime/v92/sys/os/maci64:/Applications/MATLAB/MATLAB_Runtime/v92/bin/maci64
```
Commenting out the line

```
set -x DYLD_LIBRARY_PATH /Applications/MATLAB/MATLAB_Runtime/v92/runtime/maci64:/Applications/MATLAB/MATLAB_Runtime/v92/sys/os/maci64:/Applications/MATLAB/MATLAB_Runtime/v92/bin/maci64
```

in `~/.config/fish/config.fish` and then restarting my shell seems to fix the problem for me so far.
Thanks @VonC for referencing the issue that led me to attempt
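The two causes that surface on this page, a `DYLD_*` variable changing which libraries curl loads and verification switched off as a workaround, can both be found mechanically. The following is an added example (not part of the original answer) that scans `env` and `git config --list` output for them; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag settings that change how curl/git verify TLS.
# scan_env and scan_gitconfig are hypothetical helper names.

# scan_env: read `env` output on stdin, print one finding per line.
scan_env() {
    awk -F= '
        # Loader overrides can swap in another libcurl/libssl build.
        /^DYLD_[A-Z_]+=/ { print "loader-override " $1; next }
        # Variables that replace the CA bundle curl, OpenSSL or git use.
        /^(CURL_CA_BUNDLE|SSL_CERT_FILE|SSL_CERT_DIR|GIT_SSL_CAINFO)=/ {
            print "ca-override " $1; next }
        # Git environment switch that disables verification.
        /^GIT_SSL_NO_VERIFY=/ { print "verify-disabled " $1 }
    '
}

# scan_gitconfig: read `git config --list` output on stdin.
scan_gitconfig() {
    awk -F= '
        tolower($1) ~ /^http\.(.+\.)?sslverify$/ &&
        tolower($2) ~ /^(false|no|off|0)$/ { print "verify-disabled " $1 }
        tolower($1) ~ /^http\.(.+\.)?sslcainfo$/ { print "ca-override " $1 }
    '
}

# Constructed sample input modelled on the situation described on this page.
sample_env='PATH=/usr/local/bin:/usr/bin:/bin
DYLD_LIBRARY_PATH=/Applications/MATLAB/MATLAB_Runtime/v92/runtime/maci64
CURL_CA_BUNDLE=/Users/me/cacert.pem'
sample_git='user.name=me
http.sslverify=false'

printf '%s\n' "$sample_env" | scan_env
printf '%s\n' "$sample_git" | scan_gitconfig

# Against a real system:
#   env | scan_env
#   git config --list | scan_gitconfig
# A leftover workaround is removed with:
#   git config --global --unset http.sslVerify
```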