NOTE: If you're not expecting to be behind some firewall, Do not follow these steps. You are possibly being man-in-the-middled and should verify that first
This error is thrown when the TLS certificate that is used to secure a request has a Root CA that isnt trusted by the verifying program. This happens at many companies due to firewall configuration. They will usually terminate all requests to inspect them, then reencrypt the request with its own CA cert.
Normally, this isnt an issue because the Windows Certificate Store, the collection of CA certificates that windows trust, is controlled by group policy and will have ITs's certificate installed.
However, many cross platform applications dont use the Windows Certificate Store for some reason. They often will use the library OpenSSL to handle SSL/TLS requests. OpenSSL comes with a list of publicly trusted certificates, and only refers to this list when it verifies a request. This leads to security errors like 'Unable to get local issuer certificate' to be thrown and the request to be rejected.
To remedy this problem, you will need to refer to the documentation for the given application on how you can supply external certificates for OpenSSL to verify against.
Searching the internet for "[Application] Self signed certificate windows", or the error you get will usually lead you to the correct documentation.
Exporting the Certificate Sometimes, for example Node, you cant tell it to refer to the Windows Certificate Store, and your only option is to supply it a file or folder containing the certificate. This is less desierable, as it will break if infrastructure ever updates the certificate they use, but still workable.
The simpliest way to export the current certificate is to use a web browser, like chrome.
In Chrome, go to a website with https, like https://www.google.com.
On the far left of the URL bar, there is a green lock icon with the text "Secure" (or in the case of an EV cert, the name of the issued-to company).
Click this icon, then 'Certificate.'
Go to the 'Certification Path' tab, and double click the top level certificate.
Go to the 'Details' tab, click "Copy to file..." and follow the wizard.
Most applications will want a 'Base-64 encoded X.509 (.CER)' file, however that is subject to the specific application.
Note: In some cases, like Node, it asks for a .PEM file, I dont know why, but a 'Base-64 encoded X.509 (.CER)' works perfectly too.
Export the certificate to a folder
Note; This path will need to be accessible to any application that could need it, so dont put it where file permission will get in the way
Ive collected a few common programs and how to configure them here.
Git
On instilation, git will ask you where you want it to get its certificates from. By default it uses OpenSSL, but there is an option on instalation to use the Windows Certificate Store instead.
You can simply rerun the installer to reconfigure this, selecting the correct option when it askes you where you want to get your certificates from.
Node
Node, starting with verison 7.3, has an enviroment variable you can set.
Simply set the enviroment variable `NODE_EXTRA_CA_CERTS` to the path to your .CER file, and restart any application that is having issues.
See the docs here;
https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file
VSTS Build / Deploy agents
These agents run on Node, so see that section on configuring them
VSTS CLI
Set an enviroment variable 'REQUESTS_CA_BUNDLE' to the path to your .CER file, and restart any application that is having issues.
See here for more info
https://github.com/Microsoft/vsts-cli/issues/76#issuecomment-349066813