43

When I used OpenSSL APIs to validate a server certificate (self-signed), I got the following error:

error 19 at 1 depth lookup:self signed certificate in certificate chain

As per the OpenSSL documentation, this error (19) is

"X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain - the certificate chain could be built up using the untrusted certificates but the root could not be found locally."

Why does this error occur? Are there any problems with my server certificate?

Vadzim
Lunar Mushrooms

6 Answers

32

You have a certificate which is self-signed, so it's non-trusted by default; that's why OpenSSL complains. This warning is actually a good thing, because this scenario might also arise due to a man-in-the-middle attack.

To solve this, you'll need to install it as a trusted server. If it's signed by a non-trusted CA, you'll have to install that CA's certificate as well.

Have a look at this link about installing self-signed certificates.

Eitan T
26

Here is a one-liner to verify that a certificate is signed by a specific CA:

openssl verify -verbose -x509_strict -CAfile ca.pem certificate.pem

This doesn't require installing the CA anywhere.

See How does an SSL certificate chain bundle work? for details and correct certificate chain handling.

Vadzim
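The difference between the error in the question and a passing check, as an added example that is not part of the answers on this page: it builds a throwaway root and server certificate, then prints the `openssl verify` result code when the root is merely present in the chain, when it is named as the trust anchor with `-CAfile`, and when a self-signed certificate is checked alone. The certificate names, file paths and the helpers `make_pki` and `verify_code` are constructed for this sketch, and `-x509_strict` is left out because the throwaway certificates carry only default extensions.

```shell
#!/bin/sh
# Added example. Certificate names and paths are constructed; make_pki and
# verify_code are helper names invented for this sketch.

# make_pki DIR: create a throwaway self-signed root and a server cert it signs.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 1 -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.pem" 2>/dev/null
}

# verify_code ARGS...: run `openssl verify ARGS` and print the numeric
# verification error it reports, or 0 when the chain verifies.
verify_code() {
    if out=$(openssl verify "$@" 2>&1); then
        echo 0
    else
        printf '%s\n' "$out" |
            sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT
make_pki "$work" || { echo "openssl failed to create test certs" >&2; exit 1; }

# Root present in the chain but not trusted: the error from the question.
echo "chain with untrusted root: $(verify_code -untrusted "$work/ca.pem" "$work/server.pem")"
# Same root named as the trust anchor, as in the one-liner above.
echo "root passed via -CAfile:   $(verify_code -CAfile "$work/ca.pem" "$work/server.pem")"
# The self-signed root checked on its own fails at depth 0 instead of depth 1.
echo "self-signed cert alone:    $(verify_code "$work/ca.pem")"
```

The chain contents are identical in the first two runs; only whether the root is a trust anchor changes, and nothing is installed into the system store.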
5

The solution for the error is to add this line at the top of the code:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
Serg
lalithsagar
    I would consider this a workaround or an option for testing. It should not be persistent because it undermines the available security. – Alexander Stohr Apr 17 '19 at 07:34
  • 4
    This seems to be specific to Node.js, if I'm not mistaken. – sshow Nov 18 '19 at 18:02
  • 2
    It *is* NodeJS-specific and just disables all certificate checks. You could do this but only if you really know what you're doing. Just putting this in here as an answer is bad because whoever is using this doesn't get any information on what they're doing. – Sebastian Mar 17 '21 at 09:19
  • 1
    This is not a solution. -10 – spryce Nov 04 '21 at 23:46
  • 1
    I am fine using this for development. DevOps can deal with certs on production however they want. – Qwerty Oct 25 '22 at 10:08
5

If you're running Charles and trying to build a container then you'll most likely get this error.

Make sure to disable the Charles (macOS) proxy under Proxy -> macOS Proxy.

Charles is an

HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

So anything similar may cause the same issue.

kemicofa ghost
0

If you are testing your endpoints using Postman, just go to Settings and disable "Enable SSL certificate verification".

-1

You can also skip the SSL verification globally using the command:

git config --global http.sslVerify false
Jordan Ferr