How to import a CA cert to use with git https connections?

Issue

We can not connect by https to out git server, it returns a Peer certificate cannot be authenticated with known CA certificates message

stderr: fatal: unable to access 'https://git.example.com/user/repo.git/': Peer certificate cannot be authenticated with known CA certificates▼

Environment

CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
CloudBees CI (CloudBees Core) on traditional platforms - Client controller
CloudBees Jenkins Enterprise - Managed controller
CloudBees Jenkins Distribution
Jenkins LTS
Git plugin

Resolution

Git uses curl to access the https servers, so you need to import the certificate into the CA store of the system.

The steps to import the certificate on your system CA store vary depending on your OS:

Debian/Ubuntu

openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > example_com.crt
sudo cp example_com.crt /usr/local/share/ca-certificates/example_com.crt
sudo update-ca-certificates▼

update-ca-certificates

Red Hat Enterprise Linux/Fedora/CentOS

openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > example_com.crt
sudo cp example_com.crt /etc/pki/ca-trust/source/example_com.crt
sudo update-ca-trust enable
sudo update-ca-trust extract▼

update-ca-trust

Workaround

The workaround is to define the environment variable GIT_SSL_NO_VERIFY=1 on your Agent environment variables. Be aware that this is ultimately unsafe, insecure, and not recommended. Please only use the workaround if no other options are available.

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.