我在GitLab服务器上遇到了这个问题。通过cmd更新Linux的可信CA列表后解决了这个问题:

sudo apt-get install --reinstall ca-certificates

以下是步骤:

git跟踪返回如下错误:

 GIT_CURL_VERBOSE=1 GIT_TRACE=2 git clone https://mygitlab
...
...

* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: none CRLfile: none
* Closing connection 0
**fatal: unable to access 'https://mygitlab/some.git/': server certificate verification failed. CAfile: none CRLfile: none**

查看git服务器的CA Issuer:

echo -n | openssl s_client -showcerts -connect yourserver.com:YourHttpGilabPort \
  2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  | openssl x509 -noout -text | grep"CA Issuers" | head -1
...
...

CA Issuers - URI:http://r3.i.lencr.org/

为什么r3.i.lencr.org不可信?我尝试更新CA列表，它工作。

基于VonC给出的非常好的答案，我刚刚创建了一个bash脚本，将缺失的x509证书安装到证书包中。它适用于基于debian的linux发行版。

#!/bin/bash

CERTIFICATE_PEM=certificate.pem
CERTIFICATE_CRT=certificate.crt

# get certificate
echo -n | openssl s_client -showcerts -connect gitlab.sehlat.io:443 \
  2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  > $CERTIFICATE_PEM

# format certificate from PEM (human-readable) to CRT
openssl x509 -in $CERTIFICATE_PEM -out $CERTIFICATE_CRT

# move it to ca-certificates folder & update the bundle file
sudo mv ./$CERTIFICATE_CRT /usr/local/share/ca-certificates/
sudo update-ca-certificates

# configuring git
git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt

GIT_CURL_VERBOSE=1 git [clone|fetch]…

应该能告诉你问题在哪里。在我的例子中，这是因为cURL在基于NSS构建时不支持PEM证书，因为这种支持在NSS中不是主线(#726116 #804215 #402712等等)。

也有同样的问题。由自己颁发的证书颁发机构引起。 通过在/usr/local/share/ca-certificates/中添加.pem文件解决 和调用

sudo update-ca-certificates

PS:“/share/ca-certificates”文件夹下的pem文件必须有扩展名。crt

最后，添加http。Sslverify到你的.git/config。

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = https://server/user/project.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
[http]
        sslVerify = false

最后更新:2021年9月30日|参见所有文档

一个平台是否能够验证Let’s Encrypt证书的主要决定因素是该平台是否信任ISRG的“ISRG Root X1”证书。在2021年9月之前，一些平台可以验证我们的证书，即使他们不包括ISRG根X1，因为他们信任IdenTrust的“DST根CA X3”证书。从2021年10月起，只有那些信任ISRG Root X1的平台才会验证Let’s Encrypt证书(Android除外)。

当前系统

如果你的系统是最新的，但由于某种原因自动更新不起作用，应该有足够的:

apt update
apt upgrade
sudo dpkg-reconfigure ca-certificates

在reconfigure阶段，取消选择“DST根CA X3”证书

过时的系统

要解决，在旧的Linux服务器上，如Ubuntu 16或Debian 8 jessie，需要几个步骤:

upgrade openssl to anything >=1.0.2 On Debian jessie enable backports source, add this line to sources.list: deb http://archive.debian.org/debian jessie-backports main contrib non-free and do apt-get install -t jessie-backports openssl ensure security updates for ca-certificates package apt upgrade download latest LetsEncrypt root CA certs: sudo curl -k https://letsencrypt.org/certs/isrgrootx1.pem.txt -o /usr/local/share/ca-certificates/isrgrootx1.crt sudo curl -k https://letsencrypt.org/certs/letsencryptauthorityx1.pem.txt -o /usr/local/share/ca-certificates/letsencryptauthorityx1.crt sudo curl -k https://letsencrypt.org/certs/letsencryptauthorityx2.pem.txt -o /usr/local/share/ca-certificates/letsencryptauthorityx2.crt sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx1.crt sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx2.crt sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx3.crt sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx4.crt sudo dpkg-reconfigure ca-certificates during reconfigure stage, please deselect "DST Root CA X3" certificate

在这些步骤之后，apt update应该适用于基于LetsEncrypt的源代码，wget和curl应该不会抱怨。

特别注意curl -k允许连接“不安全”的SSL服务器，因为LetsEncrypt证书不受信任。