Reputation: 8918
When I used OpenSSL APIs to validate a server certificate (self-signed), I got the following error:
error 19 at 1 depth lookup:self signed certificate in certificate chain
As per openssl documentation, this error (19) is
"X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain - the certificate chain could be built up using the untrusted certificates but the root could not be found locally."
Why does this error occur? Are there any problems with my server certificate?
Upvotes: 48
Views: 469081
Reputation: 248
You can try to update CA certificates as below (worked for me):
For Linux users (run below):
apt-get update && apt-get install --only-upgrade ca-certificates
yum update ca-certificates
If you use RVM, run below:
rvm osx-ssl-certs update all
For Mac users (run below):
brew upgrade ca-certificates
rvm osx-ssl-certs update all
If you do not use RVM, refer to: Source
Upvotes: 0
Reputation: 505
If you are using mTLS, it is expected; if it is TLS only, it is not normal and is potentially a man-in-the-middle attack.
Upvotes: -2
Reputation: 319
You can also skip the SSL verification globally using the command:
git config --global http.sslVerify false
Upvotes: -2
Reputation: 219
If you are testing your endpoints using Postman, just go to Settings and disable "Enable SSL certificate verification".
Upvotes: 0
Reputation: 26160
Here is a one-liner to verify that a certificate is signed by a specific CA:
openssl verify -verbose -x509_strict -CAfile ca.pem certificate.pem
This doesn't require installing the CA anywhere.
See How does an SSL certificate chain bundle work? for details and correct certificate chain handling.
Upvotes: 28
Reputation: 17606
If you're running Charles and trying to build a Docker container, then you'll most likely get this error.
Make sure to disable the Charles macOS proxy under Proxy -> macOS Proxy.
Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
So anything similar may cause the same issue.
Upvotes: 5
Reputation: 257
The solution for the error is to add this line at the top of the code:
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
Upvotes: 15
Reputation: 32920
You have a certificate which is self-signed, so it's non-trusted by default; that's why OpenSSL complains. This warning is actually a good thing, because this scenario might also arise due to a man-in-the-middle attack.
To solve this, you'll need to install it as a trusted server. If it's signed by a non-trusted CA, you'll have to install that CA's certificate as well.
Have a look at this link about installing self-signed certificates.
Upvotes: 37
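The failure from the question and the `-CAfile` check from the answers, reproduced end to end as an added example (not code from any poster on this page). The CA name, server name and file names are constructed for the demo, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: constructed throwaway CA and server certificate, nothing from the question.

# make_pki DIR: create a root CA and a server certificate signed by it.
make_pki() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=server.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# verify_result DIR MODE: print "ok", "error19-depth1" or "other".
#   untrusted: root is offered only for chain building (like a root sent by a server)
#   trusted:   root is passed with -CAfile, a local trust anchor for this call only
verify_result() {
    case $2 in
        untrusted) out=$(openssl verify -untrusted "$1/ca.pem" "$1/leaf.pem" 2>&1) || : ;;
        trusted)   out=$(openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" 2>&1) || : ;;
    esac
    case $out in
        *"error 19 at 1 depth lookup"*) echo error19-depth1 ;;
        *": OK"*) echo ok ;;
        *) echo other ;;
    esac
}

demo() {
    dir=$(mktemp -d) || return 1
    make_pki "$dir" && {
        echo "root not trusted locally: $(verify_result "$dir" untrusted)"
        echo "root given via -CAfile:   $(verify_result "$dir" trusted)"
    }
    rm -rf "$dir"
}
demo
```

The same certificate pair fails or passes depending only on whether the verifier holds the root as a trust anchor, which is what separates a private CA you have not installed from an interception proxy presenting its own root.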