We get SSL certificate problem: unable to get local issuer certificate

System Information

Microsoft Windows Server 2022 Datacenter
Microsoft SQL Server Enterprise 15
VMware 7.1
Git 2.43.0.windows.1
TeamCity 2023.05.4 (build 129421)
TeamCity is configured to use native Git

We use Azure DevOps for source control (Git)

We encounter the following error:

Test connection failed in DevOps / test_vcs
git -c core.askpass=C:\TeamCity\temp\pass17871110321836977759.bat -c credential.helper= ls-remote origin command failed.
exit code: 128
stderr: fatal: unable to access 'https://<COMPANY>.visualstudio.com/<PROJECT>/_git/<REPOSITORY>/': SSL certificate problem: unable to get local issuer certificate

All of our code repositories are in Azure DevOps, and the fetch URL always has the following format:


The problem is a majority of our repositories work correctly. A small number get the error.

The problem started on 2024-02-09. We installed the security plugin CVE-2024-23917 on 2024-02-08, but I don't think that was the problem because the last successful build was early 02-09.

Why would changing the URL path give us an SSL certificate error?

Running git from the command line on the TeamCity server works correctly.

I set up the free version of TeamCity on a different machine and configured a test VCS with the failing fetch URL and credentials. It works correctly.

The problem appears to be a configuration issue on our server.

We tried updating all certificates on the server and restarting the virtual machine.

We have a certificate in the root project that is also installed on each Agent so we can use HTTPS between them. The certificate is signed by our organization using a signing certificate signed by DigiCert.

I tried turning off Git SSL verification:

git config --global http.sslVerify "false"
git config --system http.sslVerify "false"

There was no change. In any case, why would TeamCity use a different SSL certificate for each VCS? Why are they not all failing? Is there something in the database that links a certificate to a URL?

It is not clear to me that the error reported is even the actual problem.

What should I try next? Any help is appreciated.

Our next step might be to create a new server and start from scratch. I might also try deleting all VCS instances and recreating them. These options are painful because we have 100+ projects.


