6 Ways to fix: SSL certificate problem: self signed certificate in certificate chain
You can run into "SSL certificate problem: self signed certificate in certificate chain" in many situations, but in my experience these are the most common scenarios (click on an individual scenario for more details) -
- Scenario 1 - Git Clone - Unable to clone remote repository: SSL certificate problem: self signed certificate in certificate chain
- Scenario 2 - Vagrant Up - SSL certificate problem: self signed certificate in certificate chain
- Scenario 3 - Node.js - npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN
- Scenario 4 - pip install - pip install connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
- Scenario 5 - PHP - SSL certificate: unable to get local issuer certificate
- Scenario 6 - POSTMAN - Postman error: self signed certificate in certificate chain | Unable to get local issuer certificate error
Scenario 1 : Git clone - SSL certificate problem: self signed certificate in certificate chain
This is one of the most common scenarios: you are sitting behind a corporate firewall.
All traffic is intercepted by the corporate firewall, which replaces the server's certificate and inserts its own self signed certificate into the chain.
That self signed certificate is not recognized by anyone apart from you or your organization, which causes the SSL certificate problem: self signed certificate in certificate chain
Workaround - (It is not recommended)
Disable Git SSL verification while cloning the repository
git clone -c http.sslVerify=false https://example.com/path/to/git
If you are the owner of the Git repo then you can globally disable the SSL verification
git config --global http.sslVerify false
Resolution - Configure Git to trust self signed certificate
To make a more accurate fix to the problem "SSL certificate problem: self signed certificate in certificate chain" we need to -
- Get the self signed certificate
- Put/save it into **~/git-certs/cert.pem**
- Set **git** to trust this certificate using the **http.sslCAInfo** parameter
Let's assume the git server URL is github.com; to get the self signed certificate we need access to it over port 443.
openssl : To get the self signed certificate (if you do not have openssl installed then skip this section and move to the next)
$ openssl s_client -connect github.com:443
The above openssl command will output the self signed certificate as below
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
You need to store the above self signed certificate string into the cert.pem file
Now you have the self signed certificate, obtained using openssl
(For openssl installation please refer to https://www.openssl.org/)
Firefox : To get the self signed certificate
If you do not have openssl then you can use your browser (I would recommend using Firefox) to download the self signed certificate.
- Open the URL in the browser (in our case we are using https://github.com)
- Click on the lock near the URL bar
- After that click on the arrow near Connection Secure
- Now you need to click on the
- After that a new window will open, then you need to click on View Certificate
- It will redirect you to the certificate configuration page
- Scroll down and look for Download PEM (cert) / PEM (chain)
- Now you have your cert.pem file
Configure git to trust this certificate
$ git config --global http.sslCAInfo /home/jhooq/git-certs/cert.pem
Alternatively you can use --system (system wide) instead of --global
Now you can clone the git repo without any "SSL certificate problem"
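The certificate git has to trust is the proxy's own self signed one, which is the one whose subject equals its issuer and which appears last when the proxy sends its full chain (openssl s_client -showcerts prints every certificate with an "s:" subject and "i:" issuer line). The following shell script is an added example, not code from the original article: it parses a constructed sample of s_client -showcerts output (placeholder PEM bodies, not real certificates), reports which depth is self signed, and writes the last block to cert.pem ready for http.sslCAInfo. The fetch_chain helper, the host name and the "Example Corp Proxy CA" name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Given the output of `openssl s_client -showcerts`, find which certificate in
# the chain is self-signed (subject == issuer) and save the last block, the
# root the proxy presents, as cert.pem for git's http.sslCAInfo.
# SAMPLE_CHAIN is CONSTRUCTED: the "s:"/"i:" lines mimic s_client's format and
# the PEM bodies are placeholders, not real certificates.

SAMPLE_CHAIN='Certificate chain
 0 s:CN = github.com
   i:O = Example Corp, CN = Example Corp Proxy CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERTIFICATE-BODY
-----END CERTIFICATE-----
 1 s:O = Example Corp, CN = Example Corp Proxy CA
   i:O = Example Corp, CN = Example Corp Proxy CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-CERTIFICATE-BODY
-----END CERTIFICATE-----
---'

# fetch_chain HOST: the real chain from a live server (assumed helper, not run below)
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# count_certs: number of PEM certificate blocks on stdin
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# self_signed_depths: depth numbers on stdin whose "s:" subject equals the "i:" issuer
self_signed_depths() {
    awk '
        /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/        { sub(/^ *i:/, ""); if ($0 == subj) print depth }
    '
}

# last_cert FILE: write the final PEM block on stdin (the chain root) to FILE
last_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inblk = 1 }
        inblk                         { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { inblk = 0 }
        END                           { printf "%s", buf }
    ' > "$1"
}

# Demo on the constructed chain; for a live server replace the printf with
# fetch_chain github.com
out=$(mktemp -d)
printf '%s\n' "$SAMPLE_CHAIN" | last_cert "$out/cert.pem"
echo "certificates in chain: $(printf '%s\n' "$SAMPLE_CHAIN" | count_certs)"
echo "self-signed at depth:  $(printf '%s\n' "$SAMPLE_CHAIN" | self_signed_depths)"
echo "saved root to $out/cert.pem"
echo "next: git config --global http.sslCAInfo $out/cert.pem"
```

If self_signed_depths prints nothing, the proxy did not send its root and the chain cannot be trusted from this output alone; ask the people who run the proxy for the root CA file instead of saving the leaf certificate, which would stop working as soon as it is reissued.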
Scenario 2 : vagrant up - SSL certificate problem: self signed certificate in certificate chain
If you are sitting behind a corporate firewall then there is a good chance that your inbound and outbound traffic is being monitored and intercepted.
Because of that your corporate firewall may present a self signed certificate, which eventually results in "SSL certificate problem: self signed certificate in certificate chain"
$ vagrant up
Bringing machine 'master' up with 'virtualbox' provider...
Bringing machine 'worker' up with 'virtualbox' provider...
==> master: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
    master: Box Provider: virtualbox
    master: Box Version: >= 0
==> master: Loading metadata for box 'hashicorp/bionic64'
    master: URL: https://vagrantcloud.com/hashicorp/bionic64
==> master: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
    master: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

SSL certificate problem: self signed certificate in certificate chain
Workaround - (It is not recommended; instead you should add the self signed certificate to the trust store. Please continue reading on how to trust a self-signed certificate on different OSes)
Go to your Vagrantfile and add box_download_insecure = true
master.vm.box_download_insecure = true
Here is the complete Vagrantfile; it creates two VMs - one master node and one worker node
Vagrant.configure("2") do |config|
  config.vm.define "master" do |master|
    master.vm.box_download_insecure = true
    master.vm.box = "hashicorp/bionic64"
    master.vm.network "private_network", ip: "100.0.0.1"
    master.vm.hostname = "master"
    master.vm.provider "virtualbox" do |v|
      v.name = "master"
      v.memory = 2048
      v.cpus = 2
    end
  end

  config.vm.define "worker" do |worker|
    worker.vm.box_download_insecure = true
    worker.vm.box = "hashicorp/bionic64"
    worker.vm.network "private_network", ip: "100.0.0.2"
    worker.vm.hostname = "worker"
    worker.vm.provider "virtualbox" do |v|
      v.name = "worker"
      v.memory = 1024
      v.cpus = 1
    end
  end

end
Once you add box_download_insecure = true to your Vagrantfile you should be able to start your VMs successfully
Getting OS X to trust self-signed ssl certificates
First you need to download the self signed certificate. For downloading the self signed certificate - How to Download Self Signed Certificate?
After you have downloaded the self signed certificate you need to add it to Keychain Access
- First you need to locate where you have downloaded the self signed certificate file, i.e. cert.pem
- Now you need to open Keychain Access on your OS X
- Drag the self signed certificate cert.pem into Keychain Access
- Go to the certificates section and locate the certificate you just added
- Double click on the certificate (cert.pem), go to the Trust section and under "When using this certificate" select "Always Trust"
- Great, now you have added the self signed certificate into your OS X trust store
After you have completed all the 6 steps for adding the self-signed certificate into the OS X trust store, run the vagrant up command
$ vagrant up
==> master: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
    master: Box Provider: virtualbox
    master: Box Version: >= 0
==> master: Loading metadata for box 'hashicorp/bionic64'
    master: URL: https://vagrantcloud.com/hashicorp/bionic64
==> master: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
    master: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
    master: Download redirected to host: vagrantcloud-files-production.s3.amazonaws.com
==> master: Successfully added box 'hashicorp/bionic64' (v1.0.282) for 'virtualbox'!
Getting Windows 10 to trust self-signed ssl certificates
First you need to download the self signed certificate. For downloading the self signed certificate - How to Download Self Signed Certificate?
After you have downloaded the self signed certificate you need to follow these steps -
- Click on the Windows key and start typing certmgr.msc
- Then you need to click on certmgr.msc; it will open the certmgr window
- After that look carefully at the left navigation panel "Certificates - Current User"
- Navigate down the tree and look for "Trusted Root Certification Authorities -> Certificates"
- Right click on Certificates -> All Tasks -> Import
- It will open "Welcome to the Certificate Import Wizard"
- Click Next
- Browse to the cert.pem which you downloaded previously, then click Next
- After that you need to specify the Certificate Store; by default it should have "Trusted Root Certification Authorities", then click Next
- After that you need to click "Finish".
- Great, now you have imported the self signed certificate into your Windows 10 trust store
After running the above 11 steps, you can run the vagrant up command
$ vagrant up
==> master: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
    master: Box Provider: virtualbox
    master: Box Version: >= 0
==> master: Loading metadata for box 'hashicorp/bionic64'
    master: URL: https://vagrantcloud.com/hashicorp/bionic64
==> master: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
    master: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
    master: Download redirected to host: vagrantcloud-files-production.s3.amazonaws.com
==> master: Successfully added box 'hashicorp/bionic64' (v1.0.282) for 'virtualbox'!
Getting Ubuntu, Debian and CentOS to trust self-signed ssl certificates
First you need to download the self signed certificate. For downloading the self signed certificate - How to Download Self Signed Certificate?
Ubuntu and Debian
update-ca-certificates only picks up files with a .crt extension from /usr/local/share/ca-certificates, so the downloaded cert.pem is copied there under a .crt name (the contents stay PEM).
$ sudo apt-get install -y ca-certificates
$ sudo cp /home/rwagh/download/cert.pem /usr/local/share/ca-certificates/cert.crt
$ sudo update-ca-certificates --verbose
Updating certificates in /etc/ssl/certs...
Doing .
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
CentOS
In terms of CentOS it is a little different
$ sudo yum install -y ca-certificates
$ sudo cp /home/rwagh/download/cert.pem /usr/share/pki/ca-trust-source/anchors/
$ sudo update-ca-trust force-enable
$ sudo update-ca-trust extract
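After a certificate has been added to a trust store (this section) or before it is handed to git (Scenario 1), it is worth checking that a server certificate really chains to it, because a leaf certificate or the wrong file in the store leaves the error in place. The shell script below is an added example, not code from the original article: it generates a throwaway "Example Corp Proxy CA" and a certificate it issued for github.com (both constructed, standing in for an intercepting proxy), then runs openssl verify against a bundle without the corp CA, which fails with "unable to get local issuer certificate" (the same message as in the PHP scenario), and against the corp CA, which passes. It also shows the subject-equals-issuer test for a root and the .crt file name update-ca-certificates expects. It needs the openssl CLI; all names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds a throwaway
# "corporate proxy" CA plus a leaf certificate it issued, then runs the check
# worth doing after touching a trust store: `openssl verify` against the
# bundle. With a bundle that lacks the proxy CA the leaf fails with
# "unable to get local issuer certificate"; with the CA present it passes.
# Needs the openssl CLI; every name below is constructed.

# make_ca DIR NAME CN: self-signed root written to DIR/NAME.pem and DIR/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CANAME HOST: server certificate for HOST signed by DIR/CANAME.pem
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# verify_against BUNDLE CERT: exit 0 when CERT chains to a root in BUNDLE
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_error BUNDLE CERT: the reason openssl reports when CERT does not verify
verify_error() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -o 'unable to get local issuer certificate' | head -n 1
}

# is_self_signed CERT: exit 0 when subject equals issuer, i.e. a root CA
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# trust_store_name CERT: name to use under /usr/local/share/ca-certificates;
# update-ca-certificates only reads *.crt files there, so cert.pem becomes cert.crt
trust_store_name() {
    basename "$1" | sed 's/\.pem$/.crt/'
}

# Demo: the corp CA issues github.com's certificate, as an intercepting proxy would
work=$(mktemp -d)
make_ca "$work" corp "Example Corp Proxy CA"
make_ca "$work" public "Unrelated Public Root CA"
make_leaf "$work" corp github.com
echo "against a store without the corp CA: $(verify_error "$work/public.pem" "$work/leaf.pem")"
verify_against "$work/corp.pem" "$work/leaf.pem" && echo "against the corp CA: OK"
echo "install as /usr/local/share/ca-certificates/$(trust_store_name "$work/corp.pem")"
```

On a real machine the bundle to pass to -CAfile is /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu) or /etc/pki/tls/certs/ca-bundle.crt (CentOS), and the leaf is the depth 0 block from openssl s_client -showcerts; if is_self_signed fails on the file you are about to install, you have saved the leaf rather than the proxy's root.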
Scenario 3 : npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN
One of the easiest ways to fix the issue is to disable strict-ssl (set it to false)
$ npm config set strict-ssl false
Note - Do not set strict-ssl to false in production; it is only acceptable to disable strict-ssl in a development environment when necessary.
The other problem could be that your npm is running on an old version
So try to upgrade npm using the following command
npm install npm -g --ca=""
After that tell your current version of npm to use known registrars
npm config set ca=""
Scenario 4 : pip install connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
You are trying to install a Python package with pip and somewhere during the installation you notice this issue.
The root cause of the issue is "certificate validation". With the latest releases of Python it is getting stricter and your local machine is not able to trust the host.
In simple words we need to tell our system to trust the certificates which are associated with pypi.org, files.pythonhosted.org etc.
Resolution
This command will let you trust the hosts, i.e. pypi.org and files.pythonhosted.org
$ pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org setuptools
Fixing in the Config file (Recommended)
There is one more way to fix this issue: add the hosts to the config file, i.e. pip.ini or pip.conf depending on the operating system you have.
Unix - In Unix operating systems you can locate the file at $HOME/.config/pip/pip.conf
macOS - For Mac users the location should be $HOME/Library/Application Support/pip/pip.conf
Windows - For Windows users it is located at %APPDATA%\pip\pip.ini
Add the following global entry into pip.ini or pip.conf
[global]
trusted-host = pypi.python.org
               pypi.org
               files.pythonhosted.org
Note - Read more here on fixing the Python pip install connection error SSL CERTIFICATE_VERIFY_FAILED
Scenario 5 : PHP - SSL certificate problem: unable to get local issuer certificate
This could be one more scenario where you may struggle to set up an SSL certificate or certificate bundle.
I had this issue on my XAMPP server, so here are the steps which I followed for fixing the SSL certificate problem
- Download the certificate bundle from curl.haxx
- After downloading, put your cacert-xxxx-xx-xx.pem file somewhere in a directory. In my case I kept the file at /opt/lampp/share/curl/cacert-xxxx-xx-xx.pem
- Locate your php.ini file. If you are not sure how to find php.ini then use the command
find / -name 'php.ini' 2>/dev/null
This command should return the location of php.ini
- In the php.ini file look for the line openssl.cafile and then update its value with /opt/lampp/share/curl/cacert-xxxx-xx-xx.pem
openssl.cafile=/opt/lampp/share/curl/cacert-xxxx-xx-xx.pem
- After the update save the file and stop the service
sudo /opt/lampp/lampp stop
- Start the service again
sudo /opt/lampp/lampp start
- Following the above steps, it should fix your issue of SSL certificate problem
Scenario 6 : Postman error: self signed certificate in certificate chain | Unable to get local issuer certificate error
I do use POSTMAN for testing REST webservices, but as a golden rule of thumb REST webservices are always secured with https.
But POSTMAN being a third party application which we generally use for testing purposes, it is advisable to turn off the SSL certificate verification
Goto -> Settings
Hopefully it should solve your self signed certificate in certificate chain | Unable to get local issuer certificate issue
Note: - Do not run your webservice in production without https
Scenario 7 : Using GIT_SSL_CAINFO to accept a certificate permanently
Git provides an environment variable GIT_SSL_CAINFO; this environment variable can be used to point to a specific certificate which you have downloaded manually. Here is an example of setting the environment variable GIT_SSL_CAINFO for the certificate my_custom_downloaded_certificate.pem -
export GIT_SSL_CAINFO=/etc/ssl/certs/my_custom_downloaded_certificate.pem
Once you have added the environment variable GIT_SSL_CAINFO, you can clone the git repo without any self signed certificate error, because you have added the certificate permanently via the environment variable, which ultimately makes you trust that particular git repository.
Advantages of accepting a self signed certificate permanently
- You can avoid a man-in-the-middle attack because you are using a secured connection backed by the self signed certificate.
- You do not have to use less secure options such as http.sslVerify=false or GIT_SSL_NO_VERIFY=true
Note - Read more on how to fix terraform x509 certificate signed by unknown authority