When working with a GitLab instance using a self-signed SSL certificate, attempting to clone a repository over HTTPS often fails with an error like:
fatal: unable to access 'https://gitlab.example.com/group/project.git/':
server certificate verification failed. CAfile: none CRLfile: none
This happens because Git does not trust self-signed certificates by default. Below are safe, step-by-step ways to fix it.
1. Understanding the Problem
Git verifies SSL certificates to ensure the server you’re connecting to is legitimate. Self-signed certificates aren’t trusted by default because they’re not signed by a recognized Certificate Authority (CA).
This means HTTPS connections fail unless Git is explicitly told to trust the certificate.
2. Export the Self-Signed Certificate
Option A: Export via Chrome
- Open your GitLab URL in Chrome:
https://gitlab.example.com
- Click the lock icon in the address bar → Connection is secure → Certificate is valid.
- Go to the Details tab → Click Export….
- Save the certificate as
gitlab-selfsigned.crtin a permanent location:
- Windows:
C:\certs\gitlab-selfsigned.crt - Linux/macOS:
/home/username/certs/gitlab-selfsigned.crt
Option B: Export via Firefox
Firefox doesn’t always allow direct export from the page, but here are two reliable ways:
Method 1: Using Firefox Preferences
- Open Firefox and go to:
about:preferences#privacy
- Scroll down to Certificates → Click View Certificates.
- Go to the Servers tab, find your GitLab domain (
gitlab.example.com), select it → Export… - Save as
gitlab-selfsigned.crt.
Method 2: Using OpenSSL (cross-platform, recommended)
Open a terminal (Linux, macOS, or Git Bash on Windows) and run:
echo | openssl s_client -connect gitlab.example.com:443 -showcerts 2>/dev/null | openssl x509 -outform PEM > gitlab-selfsigned.crt
- This fetches the certificate directly from GitLab.
- Saves it as
gitlab-selfsigned.crtin the current directory.
3. Configure Git to Trust the Certificate
Once you have the .crt file:
Windows:
git config --global http.sslCAInfo "C:/certs/gitlab-selfsigned.crt"
Linux / macOS:
git config --global http.sslCAInfo "/home/username/certs/gitlab-selfsigned.crt"
Verify:
git config --global --get http.sslCAInfo
4. Clone the Repository
Now, you can securely clone your repository over HTTPS:
git clone https://gitlab.example.com/group/project.git
5. Alternative: Use SSH Instead of HTTPS
SSH avoids all certificate issues:
- Generate an SSH key if you don’t have one:
ssh-keygen -t ed25519 -C "your_email@example.com"
Copy the public key (
~/.ssh/id_ed25519.pub) and add it to GitLab:
User Settings → SSH Keys → Add KeyClone via SSH:
git clone git@gitlab.example.com:group/project.git
No SSL certificate issues occur using SSH.
6. Quick & Unsafe Workaround (Testing Only)
You can temporarily disable SSL verification:
git config --global http.sslVerify false
⚠️ Warning: This is insecure. It allows MITM attacks and should never be used permanently.
7. PyCharm Considerations
PyCharm may use a separate Git executable. To ensure it works:
- Go to:
File → Settings → Version Control → Git
- Check the Path to Git executable.
- Click Test.
- Make sure this Git has the
http.sslCAInfoconfiguration set (or use SSH instead).
8. Summary
Recommended workflow for self-signed GitLab:
- Export the self-signed certificate (Chrome or Firefox/OpenSSL).
- Configure Git to trust the certificate.
- Clone via HTTPS.
Alternative: Use SSH to avoid certificate issues entirely.
Avoid: disabling SSL verification permanently — it is insecure.
Top comments (0)