我知道已经有很多答案了。对于那些使用专用网络(如Zscaler等)的用户来说，如果需要更新rootcert，则可能会出现此错误。如果在Windows机器上使用WSL，这里有一个关于如何实现此更新的解决方案:

#!/usr/bin/bash

# I exported the Zscaler certifcate out of Microsoft Cert Manager.  It was located under 'Trusted Root Certification > Certificates' as zscaler_cert.cer.
# Though the extension is '.cer' it really is a DER formatted file.
# I then copied that file into Ubuntu running in WSL.

# Convert DER encoded file to CRT.
openssl x509 -inform DER -in zscaler_cert.cer -out zscaler_cert.crt

# Move the CRT file to /usr/local/share/ca-certificates
sudo mv zscaler_cert.crt /usr/local/share/ca-certificates

# Inform Ubuntu of new cert.
sudo update-ca-certificates 

我搞砸了我的CA文件，而我设置goagent代理。不能从github拉数据，并得到相同的警告:

服务器证书验证失败。CAfile: /etc/ssl/certs/ca-certificates。crt CRLfile:无

使用Vonc的方法，从github获取证书，并将其放入/etc/ssl/certs/ca-certificates。Crt，问题解决了。

echo -n | openssl s_client -showcerts -connect github.com:443 2>/dev/null | sed -ne '/- begin CERTIFICATE-/，/- end CERTIFICATE-/p'

也有同样的问题。由自己颁发的证书颁发机构引起。 通过在/usr/local/share/ca-certificates/中添加.pem文件解决 和调用

sudo update-ca-certificates

PS:“/share/ca-certificates”文件夹下的pem文件必须有扩展名。crt

最后，添加http。Sslverify到你的.git/config。

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = https://server/user/project.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
[http]
        sslVerify = false

我尝试了很多解决方法，但没有一个对我有效。我有4个运行在ubuntu 16.04上的服务器，我实际上能够解决这个问题的方法有3个(你应该首先sudo apt update):

更新openssl，因为我安装的版本缺少一个修复程序，可以让一些解决方案在这里工作。Sudo apt install——only-upgrade openssl。Openssl至少需要1.0.2g-1ubuntu4.20版本。 然后我必须对certs做同样的事情:sudo apt install——only-upgrade ca-certificates 然后重新配置certs sudo dpkg-reconfigure ca-certificates(我猜是编辑配置文件)并从列表中删除DST_Root_CA_X3才会带来积极的结果。

基于VonC给出的非常好的答案，我刚刚创建了一个bash脚本，将缺失的x509证书安装到证书包中。它适用于基于debian的linux发行版。

#!/bin/bash

CERTIFICATE_PEM=certificate.pem
CERTIFICATE_CRT=certificate.crt

# get certificate
echo -n | openssl s_client -showcerts -connect gitlab.sehlat.io:443 \
  2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  > $CERTIFICATE_PEM

# format certificate from PEM (human-readable) to CRT
openssl x509 -in $CERTIFICATE_PEM -out $CERTIFICATE_CRT

# move it to ca-certificates folder & update the bundle file
sudo mv ./$CERTIFICATE_CRT /usr/local/share/ca-certificates/
sudo update-ca-certificates

# configuring git
git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt