SSL: 'unable to get local issuer certificate'

Question

I am using OSX: 10.12.4

I originally was able to use git, homebrew and curl without any problems. I don't remember what I did to cause it, but all of a sudden these SSL errors starting appearing in my git commands.

I get unable to get local issuer certificate errors on running any git command. In addition, I get the error when trying to reinstall git using brew install git.

The relevant part of brew output:

Downloading https://www.kernel.org/pub/software/scm/git/git-2.12.2.tar.xz

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

I have tried:

Rebooting
Moving the ~/Library/Keychains folder to ~/Desktop and then rebooting
Navigating to https://www.kernel.org/pub/software/scm/git on safari, and viewing the certificate. According to [these instructions](cannot post more than 2 links, sorry), there should be a checkbox to "Always trust" the site. I do not see this checkbox.
I was going to try keychain first aid, however, this feature has been removed in the most recent Mac OS.
I tried looking through many other similar questions, however, with many, I had trouble understanding or following the instructions in the answers.

For example, perhaps squid808's answer to a similar question could help me. He says "Instead, it is the Root CA Cert from our domain that I should have been exporting and telling Git to trust." I have little understanding of what this means or if it is relevant to me, or how I would go about doing this. Based on my research it seems like this is more for people running servers. It also seems to be for windows, and I am on Mac.

I understand that as a temporary fix I can use git config --global http.sslVerify false in addition to the -k option in curl. These workarounds are insecure, so I'd like to get my SSL security back up and running ASAP.

Output of curl -L https://homebrew.bintray.com/bottles/libpng-1.6.29.sierra.bottle.tar.gz | bash -s stable (part of a brew attempt that similarly fails)

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Apologies

If the following attempts I've made to solve this seem scattered and disorganized, it is because I am confused if this is an issue more relevant to git, curl, or perhaps neither and just SSL certificates in general. Please let me know if the tags for this question should be fixed.
I could have posted more relevant links and images, but I am limited by reputation.

I have another account that I was not able to maintain a positive reputation on. I am trying to identify and fix everything I was doing wrong before. Any feedback on how I can improve the quality of this question would be much appreciated. Thank you.

Whats is the output of `\curl -L | bash -s stable ` – CodeWizard Apr 06 '17 at 04:06 — CodeWizard, Apr 06 '17 at 04:06
@CodeWizard see my updated question. – Matt Groth Apr 06 '17 at 17:27 — Matt Groth, Apr 06 '17 at 17:27

Matt Groth · Answer 1 · 2017-04-07T01:32:58.313

I needed to run brew doctor and fix an issue. Then I needed to restart my shell. Finally, after those 2 steps, brew install worked again.

Unfortunately, I was not able to identify which warning was pointing at the perpetrator. When I first ran brew doctor, there were probably about 10 warnings. I cleared a lot of them before I realized I needed to restart my shell, and after restarting it worked.

I think I found the root of the problem:

Warning: Setting DYLD_* vars can break dynamic linking.
Set variables:
  DYLD_LIBRARY_PATH: /Applications/MATLAB/MATLAB_Runtime/v92/runtime/maci64:/Applications/MATLAB/MATLAB_Runtime/v92/sys/os/maci64:/Applications/MATLAB/MATLAB_Runtime/v92/bin/maci64

Commenting out the line

set -x DYLD_LIBRARY_PATH /Applications/MATLAB/MATLAB_Runtime/v92/runtime/maci64:/Applications/MATLAB/MATLAB_Runtime/v92/sys/os/maci64:/Applications/MATLAB/MATLAB_Runtime/v92/bin/maci64

in ~/.config/fish/config.fish and then restarting my shell seems to fix the problem for me so far.

Thanks @VonC for referencing the issue that lead me to attempt brew doctor.

score 1 · Accepted Answer · answered Apr 06 '17 at 05:00

This is similar to what was reported in Homebrew/brew issue 1625, and documented by Eduard Rozenberg (edrozenberg):

Similar-sounding problems also reported by John Siracusa of ATP Podcast on the Dec 7 podcast.

Most likely trigger for the problem: enabling iCloud Keychain in iCloud settings

One or more observable symptoms when issue is happening:

A pop-up MacOS message that keychain has to be repaired/reset

When looking at Keychain Access tool, keychains appear to be empty and set to Read-Only mode

When looking at Keychain Access tool, keychain icons on sidebar are missing (dotted borders)

Trying to navigate to https://google.com in Google Chrome fails with an SSL CERT error Running brew search pip for example, shows the curl (35) certificate error message

The problem can be temporarily resolved by logging out and back in, and/or rebooting. After it is resolved, the Keychain Access tool will show all the keychains and their contents as it should. The problem is likely to recur at a later time.

Hoping (fingers X) that a Mac OS patch (maybe 10.12.2?) will resolve the root cause.

Otherwise one idea is to disable the iCloud Keychain option in iCloud prefs (have not yet tried).

Since you in in Mac Sierra 10.12.4... I suspect no patch did solve this yet.

This other issue mentions (by jamver):

I encountered this issue specifically after updating to macOS Sierra (10.12), with resolution coming from the workaround from this legacy-homebrew ticket:

cd ~
sudo wget http://curl.haxx.se/ca/cacert.pem
export CURL_CA_BUNDLE=~/cacert.pem

FWIW, this solved most, but not all issues. The others I resolved by manually downloading the packages using wget and placing them in the Homebrew Cache Dir.

I'd be interested to know the correct fix. e.g. Update system ca bundle? Apple patch required for system bundle?

score 0 · Answer 3 · answered Sep 29 '21 at 22:43

0

I had this issue tonight, fixing clock's timezone to either "auto" or local one fixed it.

I received my client's laptop in France and timezone was set to another place in Canada.

Changed it, restarted then everything worked fined again.

answered Sep 29 '21 at 22:43

Pierre CHARLES

21
2

SSL: 'unable to get local issuer certificate'

3 Answers3