Git Commands throwing "unable to get local issuer certificate" when WSS agent is enabled

Article ID: 224147

Products

Web Security Service - WSS

Issue/Introduction

The WSS agent is running on a Windows host and sends all web traffic to WSS.

A developer running git sees SSL certificate errors when running git commands.

The error "unable to get local issuer certificate" is displayed on the git side.

Cause

Git, as with many developer apps, implements certificate pinning. Because WSS inspects the traffic and presents its own server certificate and issuer, any app that uses cert pinning will break.

 

Environment

WSS Agent

Resolution

Add an SSL inspection bypass list for the domain reported in the error, e.g. dev.azure.com.

 

Additional Information

There are certain cases where the domain reported may not be the problem domain, but may reference another domain that fails the SSL handshake. It is always important to check PCAPs to confirm that the SSL handshake failure matches the domain reported, and to add a domain exception for every SSL handshake that fails. In this case, the PCAPs matched and we could see the SSL handshake failure immediately after the cert was pushed down. This cert was confirmed to be issued by WSS, not by the Git back end, and hence the error was triggered on the app side.
