0

For a while now one specific user on my fedora 40 machine fails to clone any git repo at all with this error:

SSL certificate problem: unable to get local issuer certificate

Since the root user was not having this problem I created another regular user to test with. I created it with an empty home dir and that new user has no git problems whatsoever. Both users have empty gitconfig files and the system configuration file at /etc/gitconfig is empty as well.

Now I imagine there is some file somewhere in my homedir that is causing this problem but short of just nuking the user and recreating it I'm not sure how to troubleshoot this. I've tried removing and reinstalling git but it made no difference.

Most of the search results seem to deal with this problem on Windows and the linux ones are not specific to this either.

Originally the /etc/gitconfig file had this contents but even then it made no difference, the problem was exactly the same:

[http]
       sslCAPath = /etc/ssl/certs/

git config --list gives an empty result with both users. curl works fine and I have no other SSL issues generally on either user so this seems like a very specific git problem I can't pinpoint.

Right now the only workaround is to disable SSL verification which is obviously not a workable longterm solution.

  • GIT version 2.47.1 and
  • kernel 6.12.7-100
6
  • 1
    Have you checked all of the user's config files? (There's more than ~/.gitconfig, e.g. the alternate location in ~/.config/git.) Have them run git config --list --show-origin and diff against the output from a working account. Try running strace -f git clone https://... to see which files (e.g. CA bundles or config files) it is trying to access. Since Git uses libcurl, test with curl https://. Commented Jan 7 at 13:35
  • @grawity curl works fine. Also git config --list --show-origin comes up empty in both users. However stracing does bring up something interesting. For some reason it's looking into my Nextcloud/Certs for certificates which only contains one unrelated cert. Removing that file changes the error to error setting certificate file. So for reasons unknown it's only looking into that location for SSL certificates Commented Jan 7 at 14:17
  • 1
    Can you check whether any openSSL configuration environment variables are set? export | grep -i ssl might be helpful. Commented Jan 7 at 15:52
  • 1
    if that yields nothing: I often do this: As the user where it works, run strace -f -o /tmp/git.working.strace git clone …. As the user where it doesn't work, run strace -f -o /tmp/git.broken.strace git clone …. As someone who can read both files in /tmp/, run git diff --word-diff /tmp/git.{broken,working}.strace and scroll until things start to diverge fundamentally. Commented Jan 7 at 15:59
  • @MarcusMüller What do ya know, there were in fact environmental variables messing up the CAPath. Thanks, that fixed it. Commented Jan 7 at 18:24

1 Answer 1

1

So as per MarcusMüller's comment, there were in fact environment variables modifying the default CAPath. The specific culprit was:

export GIT_SSL_CAPATH

This was in ~/.bashrc. Removing that fixed the issue.

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.