routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed的问题

使用git通过https方式从github clone git repo源码时，报错如下：

[cnangel@r101073184 works]$git clone https://github.com/facebook/hhvm.git hhvm Cloning into 'hhvm'... fatal: unable to access 'https://github.com/facebook/hhvm.git/': SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

开启curl verbose选项（用于调试）并重新执行git clone，详细报错信息：

[cnangel@r101073184 ~]$git clone https://github.com/facebook/hhvm.git Cloning into 'hhvm'... * Couldn't find host github.com in the .netrc file, using defaults * About to connect() to github.com port 443 * Trying 192.30.252.129... * connected * Connected to github.com (192.30.252.129) port 443 * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed * Closing connection #0 fatal: unable to access 'https://github.com/facebook/hhvm.git/': SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

从错误提示可知，git通过curl访问https地址时，未能在本机未找到ca证书，从而导致ssl certificate verify failed。 解决方法： 1，从curl官网下载cacert.pem文件（下载链接参见这里，关于curl的Server SSL Certificates细节参见这里，其中提到，从curl 7.18.0开始，编译安装curl时默认安装ca证书，而我机器的curl version=7.12.1，curl --version可查看）：

[cnangel@r101073184 ~]$sudo mkdir -p /etc/pki/tls/certs/git/https-ca [cnangel@r101073184 ~]$cd /etc/pki/tls/certs/git/https-ca [cnangel@r101073184 ~]$sudo curl http://curl.haxx.se/ca/cacert.pem -o cacert.pem

2，终端执行下面的命令，以便为git配置ca认证信息：

[cnangel@r101073184 ~]$git config --global http.sslCAInfo /etc/pki/tls/certs/git/https-ca/cacert.pem

可打开~/.gitconfig确认cainfo配置成功写入git配置文件 完成以上两步后，执行git clone https://github.com/facebook/hhvm.git成功，问题解决。