Git Commands throwing "unable to get local issuer certificate" when WSS agent is enabled
Article ID: 224147
Updated On:
Products
Issue/Introduction
WSS agent running on Windows host and sending all web traffic into WSS
Developer running git and seeing SSL certificate errors running git command
"unable to get local issuer certificate" error displayed on git side
Cause
Git, as with many developer apps, implements certificate pinning. As WSS inspects the traffic and adds it's own server certificate and issuer, any apps using cert pinning will break.
Environment
WSS Agent
Resolution
Add an SSL inspection bypass list for the domain reported in the error e.g. dev.azure.com.
Additional Information
There are certain cases where the domain reported may not be the problem domain, but may reference another domain that fails the SSL handshake. It is always important to check PCAPs to confirm the SSL handshake failure matches the domain reported and add the domain exception for all SSL handshakes that fail. In this case, the PCAPs matches and we could see the SSL handshake failure immediately after the cert was pushed down. This cert was confirmed to be issued by WSS, and not the Git back end and hence the error was triggered on the App side.
Attachments
Feedback
