Guide for configuring HTTPS on Ubuntu 14.04? Can't push or clone with https

Similar problems to this guy, who got no help and no suggestions in 5 months, which is troubling to me:

We have SSH clone and push working, but not HTTPS.

With Git 2.7.x on Windows clients:

X:\Temp\gitlab\project>git clone
Cloning into ‘personal1’…
fatal: unable to access ‘’: SSL certificate problem: unable to get local issuer certificate

Watching the server logs with gitlab-ctl tail, we see this in the server Log:

> /var/log/gitlab/nginx/gitlab_error.log <
2016/04/26 13:21:25 [crit] 47733#0: *31 SSL_shutdown() failed (SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init) while SSL handshaking, client:, server:

Advanced degrees in Googling Error messages suggests from a stackoverflow post that the above is an OpenSSL bug, but not sure.

Workaround we know about is to type set GIT_SSL_NO_VERIFY=true before we do the git clone, but this is bad as it disables ALL SSL verifications.

Found some references to having to manually set up a chain of certificates for nginx to work:

Use an SSL Checker to verify your SSL Certificate is installed properly

If you are using a paid SSL (not self-signed) you are likely missing Intermediate certificates, which are required to fully validate an SSL certificate.

Unlike Apache, you cannot specify a Chain/Intermediate separately. With NGINX you need to create your own chain by concatenating your certificates.

$ cat bundle.crt >

Read the full details under “SSL certificate chains” here:


Ok I found that various people have various solutions:

  1. Some people claim that special nginx configuration steps are required including chaining by concatenating certificates. We already had our certificate configured and I believe that everything was fine though.

  2. Some people are just turning off SSL verification and that appears to be bad.

  3. Some people are modifying their ca-bundle.crt file and this appears to be a working solution for me.

The solution is in two pieces for me:

  1. On each git workstation, on your .gitconfig create a per-server different ca-bundle.crt, like this:

[http “”]
sslCAInfo = “/path/to/custom/ca-bundle.crt”

  1. Repair the ca-bundle.crt to add the missing signing CAs. I have attached our repair which added a missing CA that we needed: (ca-bundle.crt example)

1 Like