The error SSL certificate problem: unable to get local issuer certificate (or its variants) is one of the most common development headaches. It means the tool can’t verify the server’s certificate chain — usually because the CA root certificates on your system are outdated or missing.
This guide covers proper fixes — not just -k / --insecure workarounds that disable security.
The root cause
Your tools verify SSL certificates against a CA bundle — a file containing trusted root certificates. When this bundle is outdated, missing, or the server has an incomplete chain, verification fails.
Your tool → "Is this certificate signed by a CA I trust?"
CA bundle → "I don't have that CA's root certificate"
→ ERROR: unable to get local issuer certificatecurl
Error
curl: (60) SSL certificate problem: unable to get local issuer certificateFix 1: Update CA certificates (correct fix)
# Debian/Ubuntu
sudo apt update && sudo apt install ca-certificates
sudo update-ca-certificates
# CentOS/RHEL
sudo yum update ca-certificates
# macOS (Homebrew curl)
brew install ca-certificatesFix 2: Specify CA bundle path
curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.comFix 3: Set environment variable
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crtDon’t do this (unless testing)
curl -k https://example.com # Disables ALL certificate verificationGit
Error
fatal: unable to access 'https://...': SSL certificate problem: unable to get local issuer certificateFix 1: Update CA certificates (same as curl)
sudo apt update && sudo apt install ca-certificatesFix 2: Point Git to the correct CA bundle
git config --global http.sslCAInfo /etc/ssl/certs/ca-certificates.crtFix 3: On Windows (Git for Windows)
Git for Windows bundles its own CA certs. Update Git to the latest version, or:
git config --global http.sslBackend schannelThis tells Git to use Windows’ built-in certificate store instead of its bundled one.
Don’t do this in production
git config --global http.sslVerify false # Disables ALL SSL verification for GitPython (requests / pip)
Error (requests)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]Error (pip)
pip install ... Could not fetch URL https://...: connection error: [SSL: CERTIFICATE_VERIFY_FAILED]Fix 1: Update certifi (Python’s CA bundle)
pip install --upgrade certifiPython’s requests library uses the certifi package for CA certificates, not the system store.
Fix 2: Point to system CA bundle
import requests
response = requests.get('https://example.com', verify='/etc/ssl/certs/ca-certificates.crt')Or environment variable:
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crtFix 3: macOS Python (common issue)
macOS Python often has an empty certificate store after install. Run:
# Find your Python install
python3 -c "import ssl; print(ssl.get_default_verify_paths())"
# Install certificates (macOS Python from python.org)
/Applications/Python\ 3.x/Install\ Certificates.commandFix for pip specifically
pip install --upgrade pip
pip config set global.cert /etc/ssl/certs/ca-certificates.crtNode.js
Error
Error: unable to get local issuer certificate
code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'Fix 1: Set NODE_EXTRA_CA_CERTS
export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crtThis adds extra CAs without replacing Node’s built-in bundle.
Fix 2: For self-signed certs in development
// Only for development — adds a specific CA
const https = require('https');
const fs = require('fs');
const agent = new https.Agent({
ca: fs.readFileSync('/path/to/custom-ca.pem'),
});
fetch('https://internal-service.local', { agent });Don’t do this in production
export NODE_TLS_REJECT_UNAUTHORIZED=0 # Disables ALL SSL verificationCorporate proxy / enterprise environments
Many corporate networks use a TLS inspection proxy that re-signs traffic with an internal CA. Your tools don’t trust this internal CA.
Fix: Get the corporate CA certificate from your IT department and add it:
# System-wide (Debian/Ubuntu)
sudo cp corporate-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
# Python
export REQUESTS_CA_BUNDLE=/path/to/corporate-ca-bundle.pem
# Node.js
export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem
# Git
git config --global http.sslCAInfo /path/to/corporate-ca-bundle.pemDocker containers
Docker images often have outdated CA bundles. Fix:
# Debian-based
RUN apt-get update && apt-get install -y ca-certificates && update-ca-certificates
# Alpine
RUN apk add --no-cache ca-certificatesQuick diagnosis
# Test if the SSL connection works with openssl
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | grep "Verify return code"
# "0 (ok)" = chain is fine, your tool's CA bundle is the problem
# "21 (unable to verify)" = server's chain is incomplete
# Check what CA bundle your system uses
python3 -c "import certifi; print(certifi.where())"
curl-config --ca 2>/dev/null || echo "Check /etc/ssl/certs/"Frequently asked questions
Why does it work in my browser but not in curl/Python?
Browsers maintain their own CA store (updated with the browser). CLI tools use the system’s CA bundle or their own (Python uses certifi, Git for Windows bundles its own). If the system bundle is outdated, CLI tools fail while browsers work fine.
Is it safe to disable SSL verification?
For quick testing: yes, if you understand you’re not verifying the server’s identity. For production code or CI/CD: never. Disabling verification opens you to man-in-the-middle attacks. Always fix the root cause (update CA bundle or fix the server’s chain).
The server’s certificate is fine but I still get errors
Check if your tool is hitting a proxy that re-signs traffic. Corporate networks, some VPNs, and antivirus software do this. The proxy’s CA isn’t in your tool’s trust store.