diff --git a/pkg/apis/application/v1alpha1/repository_types.go b/pkg/apis/application/v1alpha1/repository_types.go
index f2a72d047ad8c..9c17e116c2bc5 100644
--- a/pkg/apis/application/v1alpha1/repository_types.go
+++ b/pkg/apis/application/v1alpha1/repository_types.go
@@ -195,30 +195,40 @@ func (repo *Repository) GetHelmCreds() helm.Creds {
 }
 
 func getCAPath(repoURL string) string {
-	hostname := ""
+	// For git ssh protocol url without ssh://, url.Parse() will fail to parse.
+	// However, no warn log is output since ssh scheme url is a possible format.
+	if ok, _ := git.IsSSHURL(repoURL); ok {
+		return ""
+	}
 
+	hostname := ""
 	// url.Parse() will happily parse most things thrown at it. When the URL
 	// is either https or oci, we use the parsed hostname to retrieve the cert,
 	// otherwise we'll use the parsed path (OCI repos are often specified as
 	// hostname, without protocol).
-	if parsedURL, err := url.Parse(repoURL); err == nil {
-		if parsedURL.Scheme == "https" || parsedURL.Scheme == "oci" {
-			hostname = parsedURL.Host
-		} else if parsedURL.Scheme == "" {
-			hostname = parsedURL.Path
-		}
-	} else {
+	parsedURL, err := url.Parse(repoURL)
+	if err != nil {
 		log.Warnf("Could not parse repo URL '%s': %v", repoURL, err)
+		return ""
+	}
+	if parsedURL.Scheme == "https" || parsedURL.Scheme == "oci" {
+		hostname = parsedURL.Host
+	} else if parsedURL.Scheme == "" {
+		hostname = parsedURL.Path
 	}
 
-	if hostname != "" {
-		if caPath, err := cert.GetCertBundlePathForRepository(hostname); err == nil {
-			return caPath
-		} else {
-			log.Warnf("Could not get cert bundle path for repository '%s': %v", repoURL, err)
-		}
+	if hostname == "" {
+		log.Warnf("Could not get hostname for repository '%s'", repoURL)
+		return ""
+	}
+
+	caPath, err := cert.GetCertBundlePathForRepository(hostname)
+	if err != nil {
+		log.Warnf("Could not get cert bundle path for repository '%s': %v", repoURL, err)
+		return ""
 	}
-	return ""
+
+	return caPath
 }
 
 // CopySettingsFrom copies all repository settings from source to receiver
diff --git a/pkg/apis/application/v1alpha1/types_test.go b/pkg/apis/application/v1alpha1/types_test.go
index e3eb17214d036..59f61426befb1 100644
--- a/pkg/apis/application/v1alpha1/types_test.go
+++ b/pkg/apis/application/v1alpha1/types_test.go
@@ -2867,6 +2867,7 @@ func TestGetCAPath(t *testing.T) {
 		"oci://bar.example.com",
 		"bar.example.com",
 		"ssh://foo.example.com",
+		"git@example.com:organization/reponame.git",
 		"/some/invalid/thing",
 		"../another/invalid/thing",
 		"./also/invalid",