3 Ways to fix : SSL certificate problem: self signed certificate in certificate chain


You can end up with "SSL certificate problem: self signed certificate in certificate chain" in multiple cases, but in my experience these are the most common scenarios:


Scenario 1 : Git clone - SSL certificate problem: self signed certificate in certificate chain

This is one of the most common scenarios: you are sitting behind a corporate firewall.

The corporate firewall intercepts all traffic, replaces the server's certificate, and adds its own self-signed certificate to the chain.

That self-signed certificate is not recognized by anyone apart from you or your organization, which causes the "SSL certificate problem: self signed certificate in certificate chain" error.


Disable Git SSL verification while cloning the repository

git -c http.sslVerify=false clone https://example.com/path/to/git

If you are the owner of the Git repo, you can disable SSL verification globally:

git config --global http.sslVerify false

Resolution - Configure Git to trust self signed certificate

For a more accurate fix to the problem “SSL certificate problem: self signed certificate in certificate chain” we need to:

  1. Get the self-signed certificate
  2. Save it to **~/git-certs/cert.pem**
  3. Set **git** to trust this certificate using the **http.sslCAInfo** parameter

Let's assume the Git server URL is github.com; to get the self-signed certificate we need access to it over port 443.


openssl : To get self signed certificate (if you do not have openssl installed then skip this section and move to next)

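$ openssl s_client -connect github.com:443

The above openssl command will output the self-signed certificate as a PEM block, which starts with the line -----BEGIN CERTIFICATE----- and ends with the line -----END CERTIFICATE-----.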


You need to store the above self-signed certificate string in the cert.pem file.

Now you have the self-signed certificate, obtained using openssl.

(For openssl installation please refer - https://www.openssl.org/)


Firefox : To get self signed certificate

If you do not have openssl, you can use your browser (I would recommend Firefox) to download the self-signed certificate.

  • Open the URL in the browser (in our case we are using https://github.com)
  • Click on the lock near the URL bar

  • After that click on the arrow near Connection Secure

  • Now you need to click on the

  • After that a new window will open, then you need to click on View Certificate

  • It will redirect you to the certificate configuration page

  • Scroll down and look for Download: PEM (cert), PEM (chain)

  • Now you have your cert.pem file

Configure git to trust this certificate

$ git config --global http.sslCAInfo /home/jhooq/git-certs/cert.pem

Alternatively, you can use --system instead of --global to apply the setting system-wide.

Now you can clone the Git repo without any “SSL certificate problem”.
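Added example, not from the original article: a plain `openssl s_client` call prints only the server's own certificate, while the certificate Git has to trust is the self-signed one at the top of the chain. The functions below assume OpenSSL and a chain saved with `-showcerts`; the function names and the throwaway demo CA are constructed for illustration.

```bash
# Added example: isolate the self-issued (root) certificate from a PEM chain
# so that only that CA is handed to git through http.sslCAInfo.

# split_chain CHAIN.pem OUTDIR: write OUTDIR/cert-N.pem, one per certificate.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$1"
}

# is_self_issued CERT.pem: succeed when subject and issuer names are identical.
is_self_issued() {
  local s i
  s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
  i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
  [ "$s" = "$i" ]
}

# extract_root CHAIN.pem OUT.pem: copy the first self-issued cert to OUT.pem.
extract_root() {
  local tmp c rc=1
  tmp=$(mktemp -d) || return 1
  split_chain "$1" "$tmp"
  for c in "$tmp"/cert-*.pem; do
    if is_self_issued "$c"; then cp "$c" "$2"; rc=0; break; fi
  done
  rm -rf "$tmp"
  return "$rc"
}

# fingerprint CERT.pem: SHA-256 fingerprint, for comparison with the value
# published by whoever operates the CA, before the certificate is trusted.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_demo_chain DIR: constructed sample input (throwaway CA + leaf), offline.
make_demo_chain() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=Constructed Demo Root CA" -days 1 &&
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=git.example.test" &&
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out leaf.pem -days 1 &&
    cat leaf.pem ca.pem > chain.pem ) >/dev/null 2>&1
}
```

Against a real server, save the chain with `openssl s_client -connect github.com:443 -showcerts </dev/null > chain.pem`, then run `extract_root chain.pem ~/git-certs/cert.pem`. Compare the output of `fingerprint ~/git-certs/cert.pem` with the value your organization publishes before pointing http.sslCAInfo at the file.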


Scenario 2 : vagrant up - SSL certificate problem: self signed certificate in certificate chain

If you are sitting behind a corporate firewall, it is very likely that your incoming and outgoing traffic is being monitored and intercepted.

Because of that, your company might generate a self-signed certificate, which eventually results in “SSL certificate problem: self signed certificate in certificate chain”.

$ vagrant up
Bringing machine 'master' up with 'virtualbox' provider...
Bringing machine 'worker' up with 'virtualbox' provider...
==> master: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
    master: Box Provider: virtualbox
    master: Box Version: >= 0
==> master: Loading metadata for box 'hashicorp/bionic64'
    master: URL: https://vagrantcloud.com/hashicorp/bionic64
==> master: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
    master: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

SSL certificate problem: self signed certificate in certificate chain

Go to your Vagrantfile and add box_download_insecure = true:

master.vm.box_download_insecure = true

Here is the complete Vagrantfile; it creates two VMs, one master node and one worker node:

Vagrant.configure("2") do |config|
  # Master node: 2 CPUs, 2048 MB RAM
  config.vm.define "master" do |master|
    # Skips TLS certificate verification for the box download
    master.vm.box_download_insecure = true
    master.vm.box = "hashicorp/bionic64"
    master.vm.network "private_network", ip: "100.0.0.1"
    master.vm.hostname = "master"
    master.vm.provider "virtualbox" do |v|
      v.name = "master"
      v.memory = 2048
      v.cpus = 2
    end
  end

  # Worker node: 1 CPU, 1024 MB RAM
  config.vm.define "worker" do |worker|
    # Skips TLS certificate verification for the box download
    worker.vm.box_download_insecure = true
    worker.vm.box = "hashicorp/bionic64"
    worker.vm.network "private_network", ip: "100.0.0.2"
    worker.vm.hostname = "worker"
    worker.vm.provider "virtualbox" do |v|
      v.name = "worker"
      v.memory = 1024
      v.cpus = 1
    end
  end

end

Once you add box_download_insecure = true to your Vagrantfile, you should be able to start your VMs successfully.


Getting OS X to trust self-signed ssl certificates

First you need to download the self-signed certificate. For downloading it, see: How to Download Self Signed Certificate?

After you have downloaded the self-signed certificate, you need to add it to Keychain Access:

  1. First, locate where you have downloaded the self-signed certificate file, i.e. cert.pem
  2. Open Keychain Access on your OS X machine
  3. Drag the self-signed certificate cert.pem into Keychain Access
  4. Go to the certificates section and locate the certificate you just added
  5. Double-click on the certificate (cert.pem), go to the trust section and under “When using this certificate” select “Always Trust”
  6. Great, now you have added the self-signed certificate to your OS X trust store

After you have completed all 6 steps for adding the self-signed certificate to the OS X trust store, run the vagrant up command:

$ vagrant up
==> master: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
    master: Box Provider: virtualbox
    master: Box Version: >= 0
==> master: Loading metadata for box 'hashicorp/bionic64'
    master: URL: https://vagrantcloud.com/hashicorp/bionic64
==> master: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
    master: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
    master: Download redirected to host: vagrantcloud-files-production.s3.amazonaws.com
==> master: Successfully added box 'hashicorp/bionic64' (v1.0.282) for 'virtualbox'!

Getting Windows 10 to trust self-signed ssl certificates

First you need to download the self-signed certificate. For downloading it, see: How to Download Self Signed Certificate?

After you have downloaded the self-signed certificate, follow these steps:

  1. Press the Windows key and start typing certmgr.msc
  2. Click on certmgr.msc; it will open the certmgr window
  3. Look carefully at the left navigation panel, “Certificates - Current User”
  4. Navigate down the tree and look for “Trusted Root Certification Authorities -> Certificates”
  5. Right-click on Certificates -> All Tasks -> Import
  6. It will open “Welcome to the Certificate Import Wizard”
  7. Click Next
  8. Browse to the cert.pem which you downloaded previously, then click Next
  9. Next you need to specify the Certificate Store; by default it should be “Trusted Root Certification Authorities”. Then click Next
  10. After that, click “Finish”
  11. Great, now you have imported the self-signed certificate into your Windows 10 trust store

After running the 11 steps above, you can run the vagrant up command:

$ vagrant up
==> master: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
    master: Box Provider: virtualbox
    master: Box Version: >= 0
==> master: Loading metadata for box 'hashicorp/bionic64'
    master: URL: https://vagrantcloud.com/hashicorp/bionic64
==> master: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
    master: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
    master: Download redirected to host: vagrantcloud-files-production.s3.amazonaws.com
==> master: Successfully added box 'hashicorp/bionic64' (v1.0.282) for 'virtualbox'!

Getting Ubuntu, Debian and CentOS to trust self-signed ssl certificates

First you need to download the self-signed certificate. For downloading it, see: How to Download Self Signed Certificate?


Ubuntu and Debian

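# Debian and Ubuntu install packages with apt-get (apk is Alpine's package manager)
$ apt-get install -y ca-certificates
# update-ca-certificates only picks up files whose name ends in .crt
$ cp /home/rwagh/download/cert.pem /usr/local/share/ca-certificates/cert.crt
$ update-ca-certificates --verbose
Updating certificates in /etc/ssl/certs...
Doing .
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.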

CentOS

On CentOS it is a little different:

$ yum install -y ca-certificates
$ cp /home/rwagh/download/cert.pem /usr/share/pki/ca-trust-source/anchors/
$ update-ca-trust force-enable
$ update-ca-trust extract

Scenario 3 : npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN

One of the easiest ways to fix the issue is to disable strict-ssl, i.e. set it to false:

$ npm config set strict-ssl false

Note - Do not set strict-ssl to false in production; disable strict-ssl only in a development environment, and only when it is necessary.

The other problem could be that you are running an old version of npm.

So try to upgrade npm using the following command:

npm install npm -g --ca=""

After that, tell your current version of npm to use known registrars:

npm config set ca=""

Scenario 4 : pip install connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

You are trying to install python and somewhere during the installation you noticed this issue.

The root cause of the issue is “certificate validation”. With the latest releases of Python, validation is getting stricter, and your local machine is not able to trust the host.

In simple words, we need to tell our system to trust the certificates which are associated with pypi.org, files.pythonhosted.org etc.


Resolution

This command marks the hosts pypi.org and files.pythonhosted.org as trusted, so pip accepts them even though their certificate does not validate:

$ pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org setuptools

There is one more way to fix this issue: add the hosts to the config file, i.e. pip.ini or pip.conf, depending on the operating system you have.

Unix - On Unix operating systems you can locate the file at $HOME/.config/pip/pip.conf

macOS - For Mac users the location should be $HOME/Library/Application Support/pip/pip.conf

Windows - For Windows users it is located at %APPDATA%\pip\pip.ini

Add the following global entry to pip.ini or pip.conf:

[global]
trusted-host = pypi.python.org
               pypi.org
               files.pythonhosted.org
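Added example, not part of the original article: the settings used in the scenarios above (`http.sslVerify = false`, `strict-ssl=false`, `trusted-host`, `box_download_insecure = true`) tend to stay in place after the certificate has been added to the trust store. The function below reports the ones still present in the config files passed to it; the function names and the sample files are constructed for illustration.

```bash
# Added example: find the TLS-verification bypasses from this article that are
# still present in config files. It only reads files; it does not call git,
# npm, pip or vagrant.

# pattern_for FILE: print the regex that marks a bypass in that kind of file.
pattern_for() {
  case "$(basename "$1")" in
    .gitconfig|config) echo '^[[:space:]]*sslverify[[:space:]]*=[[:space:]]*(false|no|off|0)[[:space:]]*$' ;;
    .npmrc)            echo '^[[:space:]]*strict-ssl[[:space:]]*=[[:space:]]*false' ;;
    pip.conf|pip.ini)  echo '^[[:space:]]*trusted-host[[:space:]]*=' ;;
    Vagrantfile)       echo '^[^#]*box_download_insecure[[:space:]]*=[[:space:]]*true' ;;
    *)                 return 1 ;;
  esac
}

# audit_tls_bypass FILE...: print "FILE:LINE:text" per finding; return 1 if any.
audit_tls_bypass() {
  local f pat found=0
  for f in "$@"; do
    [ -f "$f" ] || continue               # skip files that do not exist
    pat=$(pattern_for "$f") || continue   # skip file types we do not know
    if grep -HniE "$pat" "$f"; then found=1; fi
  done
  return "$found"
}

# make_demo_configs DIR: constructed sample files, one bypass each, plus a
# corrected .gitconfig that pins the CA file instead of disabling verification.
make_demo_configs() {
  printf '[http]\n\tsslVerify = false\n' > "$1/.gitconfig"
  printf 'strict-ssl=false\n' > "$1/.npmrc"
  printf '[global]\ntrusted-host = pypi.org\n               files.pythonhosted.org\n' > "$1/pip.conf"
  printf '# two-node lab\nmaster.vm.box_download_insecure = true\n' > "$1/Vagrantfile"
  mkdir -p "$1/fixed"
  printf '[http]\n\tsslCAInfo = /home/jhooq/git-certs/cert.pem\n' > "$1/fixed/.gitconfig"
}
```

A typical call is `audit_tls_bypass ~/.gitconfig ~/.npmrc ~/.config/pip/pip.conf ./Vagrantfile`; a return status of 0 means none of the listed bypasses was found.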
