SSL Certificate Troubleshooting
This guide helps you resolve SSL certificate issues when connecting to YouTrack instances with custom SSL certificates.
Common SSL Errors
Certificate Verification Failed
Error Message:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate
Cause: This error occurs when the system cannot verify the SSL certificate because it doesn’t have the necessary Certificate Authority (CA) certificates.
Solution: Use one of the following options:
Use CA Bundle (Recommended):
`bash yt auth login --ca-bundle /path/to/ca-bundle.crt `Use Certificate Chain File:
`bash yt auth login --cert-file /path/to/full-chain.pem `Disable SSL Verification (Not Recommended):
`bash yt auth login --no-verify-ssl `
Understanding Certificate Types
Server Certificate vs CA Bundle
Server Certificate: The certificate presented by the YouTrack server (e.g., for *.example.com)
CA Bundle: A file containing Certificate Authority certificates needed to verify the server certificate
Certificate Chain: A file containing both the server certificate and the CA certificates
For SSL verification to work, you need the CA certificates, not just the server certificate.
Creating a CA Bundle
For DigiCert/GeoTrust Certificates
If your certificate is issued by DigiCert or GeoTrust (like the example certificate), create a CA bundle containing the intermediate and root certificates:
Download the CA certificates: - GeoTrust TLS RSA CA G1 (intermediate) - DigiCert Global Root CA (root)
Create the CA bundle file:
`bash cat intermediate.crt root.crt > ca-bundle.crt `Use with YouTrack CLI:
`bash yt auth login --ca-bundle /path/to/ca-bundle.crt `
For Self-Signed Certificates
Create a CA bundle with your root CA:
`bash cp your-root-ca.crt ca-bundle.crt `Use with YouTrack CLI:
`bash yt auth login --ca-bundle /path/to/ca-bundle.crt `
Environment Variables
You can also set SSL configuration via environment variables:
`bash
export YOUTRACK_CA_BUNDLE=/path/to/ca-bundle.crt
export YOUTRACK_CERT_FILE=/path/to/cert-chain.pem
export YOUTRACK_VERIFY_SSL=true
`
Testing SSL Configuration
Test Certificate File
Verify that your certificate file is valid:
`bash
openssl x509 -in certificate.pem -text -noout
`
Test Connection
Test SSL connection to your YouTrack instance:
`bash
openssl s_client -connect your.youtrack.domain:443 -CAfile /path/to/ca-bundle.crt
`
Common Issues and Solutions
Certificate Chain Issues
Problem: “unable to get local issuer certificate” Solution: Ensure your CA bundle contains all intermediate certificates in the chain.
Wrong File Type
Problem: Certificate verification still fails with correct files Solution: Ensure certificate files are in PEM format, not DER or other formats.
Missing Root CA
Problem: Chain verification works partially but still fails Solution: Add the root CA certificate to your CA bundle.
Best Practices
Use CA bundles instead of disabling SSL verification
Keep certificates updated before expiration
Store certificates securely with appropriate file permissions
Test certificate configuration before deploying to production
Use absolute paths when specifying certificate files
Example Configuration
Complete SSL setup example:
# 1. Create CA bundle with intermediate and root certificates
cat geotrust-tls-rsa-ca-g1.crt digicert-global-root-ca.crt > youtrack-ca-bundle.crt
# 2. Set proper file permissions
chmod 644 youtrack-ca-bundle.crt
# 3. Login with CA bundle
yt auth login \
--base-url https://your.youtrack.domain \
--ca-bundle /path/to/youtrack-ca-bundle.crt
# 4. Verify connection
yt projects list
Getting Help
If you continue to experience SSL certificate issues:
Check the certificate chain with OpenSSL tools
Verify that all intermediate certificates are included
Ensure certificate files are readable by the CLI
Consider using
--no-verify-ssltemporarily for testing (disable for production)
For additional support, check the troubleshooting section in the main documentation.