OpenSSL: error "self signed certificate in certificate chain"
P

8

47

When I used the OpenSSL APIs to validate a server certificate (self-signed), I got the following error:

error 19 at 1 depth lookup:self signed certificate in certificate chain

As per the OpenSSL documentation, this error (19) is

"X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain - the certificate chain could be built up using the untrusted certificates but the root could not be found locally."

Why does this error occur? Is there a problem with my server certificate?

Parttime answered 29/8, 2012 at 14:42 Comment(0)
E
35

You have a certificate which is self-signed, so it's non-trusted by default; that's why OpenSSL complains. This warning is actually a good thing, because this scenario might also arise due to a man-in-the-middle attack.

To solve this, you'll need to install it as a trusted server. If it's signed by a non-trusted CA, you'll have to install that CA's certificate as well.

Have a look at this link about installing self-signed certificates.

Eduction answered 29/8, 2012 at 14:52 Comment(0)
D
27

Here is a one-liner to verify that a certificate is signed by a specific CA:

openssl verify -verbose -x509_strict -CAfile ca.pem certificate.pem

This doesn't require installing the CA anywhere.

See How does an SSL certificate chain bundle work? for details and correct certificate chain handling.

Dotted answered 15/9, 2015 at 6:34 Comment(0)
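The error from the question and the `-CAfile` check from the answer above can be reproduced end to end. This is an added example, not part of any original answer; it assumes the `openssl` CLI is on the PATH, and the file names and certificate subjects are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo (not from the original answers): a throwaway CA signs a
# server certificate; verify it without and with the CA as a trust anchor.

make_demo_pki() {   # $1 = empty working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    # Server key and CSR, then a server certificate issued by that CA.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=server.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

# The CA is available for chain building but is not a trust anchor:
# the chain ends at a self-signed root that cannot be found locally.
verify_without_anchor() {
    openssl verify -untrusted "$1/ca.pem" "$1/server.pem" 2>&1
}

# Same chain, with the CA file named explicitly as the trust anchor.
verify_with_cafile() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" 2>&1
}

demo=$(mktemp -d)
make_demo_pki "$demo" || { echo "openssl key/cert generation failed" >&2; exit 1; }
echo "== CA not trusted =="; verify_without_anchor "$demo" || true
echo "== CA passed via -CAfile =="; verify_with_cafile "$demo" || true
rm -rf "$demo"
```

The first call reports error 19 at depth 1, the second reports `server.pem: OK`; the only difference is whether the root is supplied as a trust anchor.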
G
12

The solution for the error is to add this line at the top of the code:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
Gyimah answered 18/3, 2019 at 11:36 Comment(5)
I would consider this a workaround or an option for testing. It should not be persistent because it undermines the available security. – Stans
This seems to be specific to Node.js, if I'm not mistaken. – Actin
It is NodeJS-specific and just disables all certificate checks. You could do this but only if you really know what you're doing. Just putting this in here as an answer is bad because whoever is using this doesn't get any information on what they're doing. – Tumult
This is not a solution. -10 – Oligochaete
I am fine using this for development. DevOps can deal with certs on production however they want. – Ruttger
E
5

If you're running Charles and trying to build a container then you'll most likely get this error.

Make sure to disable the Charles macOS proxy under Proxy -> macOS Proxy.

Charles is an

HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

So anything similar may cause the same issue.

Electrotechnology answered 22/11, 2019 at 9:22 Comment(2)
Worked for me even though I didn't have Charles open at the time I hit the error. – Fillet
Thanks. I am using TLS connections with Postgres, Charles was causing them to fail. – Zymase
C
0

If you are testing your endpoints using Postman, just go to Settings and disable "Enable SSL certificate verification".

Cristinecristiona answered 25/11, 2022 at 10:56 Comment(0)
L
0

If you are using mTLS it is expected; if it is TLS only it is not normal, and potentially a man-in-the-middle attack.

Lavish answered 20/12, 2023 at 14:4 Comment(0)
I
0

You can try to update the CA certificates as below (worked for me):

For Linux users (run the below):

apt-get update && apt-get install --only-upgrade ca-certificates   # Debian/Ubuntu
yum update ca-certificates   # RHEL/CentOS

If you use RVM, run the below:

rvm osx-ssl-certs update all

For Mac users (run the below):

brew upgrade ca-certificates
rvm osx-ssl-certs update all

If you do not use RVM, refer to: Source

Icelandic answered 7/5 at 9:25 Comment(0)
S
-1

You can also skip the SSL verification globally using the command:

git config --global http.sslVerify false
Snowwhite answered 16/3, 2023 at 14:32 Comment(0)
