3

My Jenkins pipeline script is extremely simple (so far), see below:

node{
    stage('Scm Checkout'){
        git credentialsId: 'git-creds', url: 'https://xx@xx/xx.git'
    }
}

Error I'm getting is SSL certificate problem: unable to get local issuer certificate - I'm pulling from a Bitbucket repo.

Interestingly, it's failing at the following line:

git.exe fetch --tags --force --progress -- https://xx@xx/xx.git +refs/heads/*:refs/remotes/origin/* # timeout=10

However, I can run this fine from git bash if I just run the following command first:

git config --global http.sslVerify false

I saw a post elsewhere where someone was suffering from the same issue and his comment was: "Adding following to gitconfig file resolved the issue"

[http]
sslVerify = false

This may be the solution, but I'm not sure what exact steps I need to follow to achieve this.

james murphy

2 Answers

1

Disabling SSL verification is rarely a good solution, and would only be considered for testing (to check for instance if the network connection works).

It is better to define a dummy job which does git config --list, and take note of the http.sslcainfo path for the ca-bundle.crt.

You can add in that bundle the certificates from bitbucket.org (using openssl s_client -showcerts -connect).

VonC
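The bundle approach from the answer above, as an added example (not code from the answer or from git): it keeps only the PEM blocks from `openssl s_client -showcerts` output and appends those not already in the CA bundle. The function names, the `HOST` placeholder and the sample output are constructed for illustration.

```shell
# Added example: copy the certificates a server presents into git's CA bundle.
# Live use (HOST is a placeholder; the bundle path is the one git config reports):
#   openssl s_client -showcerts -connect HOST:443 </dev/null 2>/dev/null |
#       extract_pem | append_missing "$(git config --get http.sslcainfo)"
NL='
'
# Keep only the PEM certificate blocks from s_client output read on stdin.
extract_pem() {
    tr -d '\r' | awk '/^-----BEGIN CERTIFICATE-----$/ {keep = 1}
                      keep {print}
                      /^-----END CERTIFICATE-----$/ {keep = 0}'
}
# Append each PEM block on stdin to bundle $1 unless present; prints the count added.
append_missing() {
    bundle=$1 added=0 pem="" flat=""
    # Make sure the bundle ends with a newline before appending to it.
    [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ] && echo >> "$bundle"
    while IFS= read -r line; do
        pem="$pem$line$NL" flat="$flat$line"
        [ "$line" = "-----END CERTIFICATE-----" ] || continue
        # Compare with line breaks removed so CRLF and LF bundles both match.
        if ! tr -d '\r\n' < "$bundle" | grep -qF -- "$flat"; then
            printf '%s' "$pem" >> "$bundle"
            added=$((added + 1))
        fi
        pem="" flat=""
    done
    echo "$added"
}
# Constructed sample of s_client -showcerts output (placeholder base64, not real certificates).
sample_output() {
    cat <<'EOF'
Certificate chain
 0 s:CN = git.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSVNTVUVS
-----END CERTIFICATE-----
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
EOF
}
```

Because the chain is fetched over a connection that is not yet trusted, compare each certificate's fingerprint (`openssl x509 -noout -fingerprint -sha256`) with a value obtained out of band before relying on the updated bundle.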
0

If you want to disable SSL verification in git, and don't want to execute the git config ... command in your pipeline, you can edit the git configuration file and add at the end of it:

[http]
sslVerify = false

You can do this in different files, depending on whether you want this change to apply only to the current repo, or to all the repos in the same node. I recommend taking a look at the git-config man page:

FILES
... there are three files where git config will search for configuration options:

$GIT_DIR/config
Repository specific configuration file. (The filename is of course relative to the repository root, not the working directory.)

~/.gitconfig
User-specific configuration file. Also called "global" configuration file.

$(prefix)/etc/gitconfig
System-wide configuration file.

Adding a step prior to the checkout that inserts this config in the active repo will do the trick, and only impact the current repo. Something along the lines of the code below should work:

node {
    // Scripted pipeline: stage blocks sit directly under node,
    // without the declarative stages/steps wrappers.
    stage('Pre-Checkout') {
        // On a Windows agent, use bat instead of sh.
        sh "git config http.sslVerify false"
    }
    stage('Scm Checkout') {
        git credentialsId: 'git-creds', url: 'https://xx@xx/xx.git'
    }
}
matus
  • I have not tested the command myself, so there could be some issues there with escaping back-slashes. You can try using `'` (single quote) instead of doubles, or other types of [string delimiters](http://groovy-lang.org/syntax.html#all-strings). Another option is to run the git command to make the config changes (instead of editing the file). Replacing the `echo ...` with `git config http.sslVerify false`. Let me know what works and I will update my answer. – matus Jan 31 '20 at 10:52
  • Hi - your second solution works; thanks.....I just needed to replace sh with bat as I'm using Windows – james murphy Jan 31 '20 at 23:35
  • Edited my answer to reflect the solution that worked for the OP – matus Feb 03 '20 at 13:44