search cancel

Git Commands throwing "unable to get local issuer certificate" when WSS agent is enabled


Article ID: 224147


Updated On:


Web Security Service - WSS


WSS agent running on Windows host and sending all web traffic into WSS

Developer running git and seeing SSL certificate errors running git command

"unable to get local issuer certificate" error displayed on git side


Git, as with many developer apps, implements certificate pinning. As WSS inspects the traffic and adds it's own server certificate and issuer, any apps using cert pinning will break. 



WSS Agent


Add an SSL inspection bypass list for the domain reported in the error e.g.


Additional Information

There are certain cases where the domain reported may not be the problem domain, but may reference another domain that fails the SSL handshake. It is always important to check PCAPs to confirm the SSL handshake failure matches the domain reported and add the domain exception for all SSL handshakes that fail. In this case, the PCAPs matches and we could see the SSL handshake failure immediately after the cert was pushed down. This cert was confirmed to be issued by WSS, and not the Git back end and hence the error was triggered on the App side.