6 Ways to fix : SSL certificate problem: self signed certificate in certificate chain

You can end up with "SSL certificate problem: self signed certificate in certificate chain" in many situations, but in my experience these are the most common scenarios:



Scenario 1 : Git clone - SSL certificate problem: self signed certificate in certificate chain

This is one of the most common scenarios when you are sitting behind a corporate firewall.

All the traffic is intercepted by the corporate firewall, which replaces the server's certificate with one issued by its own self signed certificate.

That self signed certificate is not recognized by anyone apart from you or your organization, which causes the "SSL certificate problem: self signed certificate in certificate chain".

Disable Git SSL verification while cloning the repository

```sh
git clone -c http.sslVerify=false https://example.com/path/to/git
```

If you are the owner of the Git repo then you can disable the SSL verification globally:

```sh
git config --global http.sslVerify false
```


Resolution - Configure Git to trust self signed certificate

To fix the "SSL certificate problem: self signed certificate in certificate chain" more accurately we need to -

  1. Get the self signed certificate
  2. Put/save it into - **~/git-certs/cert.pem**
  3. Set **git** to trust this certificate using **http.sslCAInfo** parameter

Let's assume the git server URL is github.com; to get the self signed certificate we need access to it over port 443.

openssl : To get the self signed certificate (if you do not have openssl installed, skip this section and move to the next)

```sh
$ openssl s_client -connect github.com:443
```

The above openssl command prints the certificate as a PEM block between a -----BEGIN CERTIFICATE----- line and an -----END CERTIFICATE----- line. Add -showcerts to print every certificate in the chain rather than only the server's; with an intercepting proxy the self signed certificate you actually need is the one further down the chain whose issuer equals its subject.


Copy the PEM block (from the BEGIN line to the END line inclusive) into a cert.pem file.

You now have the self signed certificate, obtained with openssl.

(For openssl installation please refer - https://www.openssl.org/)




Firefox : To get self signed certificate

If you do not have openssl, you can use your browser (I would recommend Firefox) to download the self signed certificate.

  • Open the URL in the browser (in our case we are using https://github.com)
  • Click on the lock near the URL bar
  • After that click on the arrow near Connection Secure
  • Now you need to click on the
  • After that a new window will open, then you need to click on View Certificate
  • It will redirect you to the certificate configuration page
  • Scroll down and look for Download: PEM (cert) / PEM (chain). PEM (chain) gives you the whole chain, including the self signed certificate that signed the server's
  • Now you have your cert.pem file

Configure git to trust this certificate

```sh
$ git config --global http.sslCAInfo /home/jhooq/git-certs/cert.pem
```

Alternatively you can make it system wide with --system instead of --global.

Now you can clone the git repo without any "SSL certificate problem".
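As an added example (not code from the original post), the shell functions below fetch the full chain with openssl s_client -showcerts, keep only the self-signed certificate in it, print its fingerprint so you can compare it with the value your IT team publishes, and trust it for a single host with git's http.<url>.sslCAInfo, a narrower form of the --global setting above. The function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post). Instead of trusting the
# first certificate openssl prints (the server's, signed by the proxy),
# pull the whole chain with -showcerts, keep only the self-signed one
# in it, and trust it for one Git host with http.<url>.sslCAInfo.
set -eu

# Dump the chain presented by host:port ($1) as s_client prints it.
fetch_chain() {
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null
}

# Split an s_client -showcerts dump on stdin into $1/cert1.pem, cert2.pem, ...
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; inblk = 1 }
        inblk                         { print > out }
        /-----END CERTIFICATE-----/   { inblk = 0; close(out) }
    '
}

# Exit 0 when PEM file $1 is self-signed, i.e. subject equals issuer.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Print the path of the first self-signed certificate in directory $1.
find_self_signed() {
    for f in "$1"/cert*.pem; do
        [ -f "$f" ] || continue
        if is_self_signed "$f"; then printf '%s\n' "$f"; return 0; fi
    done
    echo "no self-signed certificate in chain: nothing to pin" >&2
    return 1
}

# SHA-256 fingerprint, to compare with the value your IT team publishes.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Trust PEM file $2 only for URLs under $1, written to git config file $3
# ($HOME/.gitconfig gives the same scope as --global).
trust_for_url() {
    git config --file "$3" "http.$1.sslCAInfo" "$2"
}
```

Typical run: `d=$(mktemp -d); fetch_chain github.com:443 | split_chain "$d"; ca=$(find_self_signed "$d"); fingerprint "$ca"; trust_for_url https://github.com/ "$ca" "$HOME/.gitconfig"`.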



Scenario 2 : vagrant up - SSL certificate problem: self signed certificate in certificate chain

If you are sitting behind a corporate firewall, there is a strong possibility that your inbound and outbound traffic is being monitored and intercepted.

Because of that your company might generate a self signed certificate, which eventually results in "SSL certificate problem: self signed certificate in certificate chain":

```console
$ vagrant up
Bringing machine 'master' up with 'virtualbox' provider...
Bringing machine 'worker' up with 'virtualbox' provider...
==> master: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
    master: Box Provider: virtualbox
    master: Box Version: >= 0
==> master: Loading metadata for box 'hashicorp/bionic64'
    master: URL: https://vagrantcloud.com/hashicorp/bionic64
==> master: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
    master: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

SSL certificate problem: self signed certificate in certificate chain
```

Go to your Vagrantfile and add box_download_insecure = true, which tells Vagrant to skip certificate verification when downloading the box:

```ruby
master.vm.box_download_insecure = true
```

Here is the complete Vagrantfile; it creates two VMs - one master node and one worker node:

```ruby
Vagrant.configure("2") do |config|
  config.vm.define "master" do |master|
    master.vm.box_download_insecure = true
    master.vm.box = "hashicorp/bionic64"
    master.vm.network "private_network", ip: "100.0.0.1"
    master.vm.hostname = "master"
    master.vm.provider "virtualbox" do |v|
      v.name = "master"
      v.memory = 2048
      v.cpus = 2
    end
  end

  config.vm.define "worker" do |worker|
    worker.vm.box_download_insecure = true
    worker.vm.box = "hashicorp/bionic64"
    worker.vm.network "private_network", ip: "100.0.0.2"
    worker.vm.hostname = "worker"
    worker.vm.provider "virtualbox" do |v|
      v.name = "worker"
      v.memory = 1024
      v.cpus = 1
    end
  end

end
```

Once you have added box_download_insecure = true to your Vagrantfile you should be able to start your VMs successfully.



Getting OS X to trust self-signed ssl certificates

First you need to download the self signed certificate. For downloading it, see How to Download Self Signed Certificate?

After you have downloaded the self signed certificate you need to add it to Keychain Access:

  1. First locate where you downloaded the self signed certificate file, i.e. cert.pem
  2. Now open Keychain Access on your OS X
  3. Drag the self signed certificate cert.pem into Keychain Access.
  4. Go to the Certificates section and locate the certificate you just added
  5. Now double click on the certificate (cert.pem), go to the Trust section and under "When using this certificate" select "Always Trust"
  6. Great, now you have added the self signed certificate into your OS X trust store.

After you have completed all 6 steps for adding the self-signed certificate into the OS X trust store, run the vagrant up command:

```console
$ vagrant up
==> master: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
    master: Box Provider: virtualbox
    master: Box Version: >= 0
==> master: Loading metadata for box 'hashicorp/bionic64'
    master: URL: https://vagrantcloud.com/hashicorp/bionic64
==> master: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
    master: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
    master: Download redirected to host: vagrantcloud-files-production.s3.amazonaws.com
==> master: Successfully added box 'hashicorp/bionic64' (v1.0.282) for 'virtualbox'!
```

Getting Windows 10 to trust self-signed ssl certificates

First you need to download the self signed certificate. For downloading it, see How to Download Self Signed Certificate?

After you have downloaded the self signed certificate, follow these steps:

  1. Press the Windows key and start typing certmgr.msc
  2. Then click on certmgr.msc; it opens the certmgr window
  3. In the left navigation panel look carefully for "Certificates - Current User"
  4. Navigate down the tree to "Trusted Root Certification Authorities -> Certificates"
  5. Right click on Certificates -> All Tasks -> Import
  6. It opens "Welcome to the Certificate Import Wizard"
  7. Click Next
  8. Browse to the cert.pem you downloaded previously, then click Next
  9. Next you need to specify the Certificate Store; by default it should be "Trusted Root Certification Authorities". Click Next
  10. Click "Finish".
  11. Great, now you have imported the self signed certificate into your Windows 10 trust store

After running the above 11 steps, you can run the vagrant up command:

```console
$ vagrant up
==> master: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
    master: Box Provider: virtualbox
    master: Box Version: >= 0
==> master: Loading metadata for box 'hashicorp/bionic64'
    master: URL: https://vagrantcloud.com/hashicorp/bionic64
==> master: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
    master: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
    master: Download redirected to host: vagrantcloud-files-production.s3.amazonaws.com
==> master: Successfully added box 'hashicorp/bionic64' (v1.0.282) for 'virtualbox'!
```

Getting Ubuntu, Debian and CentOS to trust self-signed ssl certificates

First you need to download the self signed certificate. For downloading it, see How to Download Self Signed Certificate?


Ubuntu and Debian

```console
$ sudo apt-get install -y ca-certificates
# update-ca-certificates only picks up files ending in .crt, so rename the file on copy
$ sudo cp /home/rwagh/download/cert.pem /usr/local/share/ca-certificates/cert.crt
$ sudo update-ca-certificates --verbose
Updating certificates in /etc/ssl/certs...
Doing .
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
```

CentOS

CentOS is a little different:

```console
$ sudo yum install -y ca-certificates
$ sudo cp /home/rwagh/download/cert.pem /usr/share/pki/ca-trust-source/anchors/
$ sudo update-ca-trust force-enable
$ sudo update-ca-trust extract
```
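An added example, not part of the original post: the functions below pick the anchor directory and update command for the distro from /etc/os-release, give the file the .crt suffix that update-ca-certificates requires on Debian/Ubuntu, and use openssl verify to check that a certificate chains to the new CA. Function names and the os-release handling are my own.

```sh
#!/bin/sh
# Added example (not part of the original post): install a downloaded CA
# certificate into the system trust store of a Debian/Ubuntu or
# RHEL/CentOS host and confirm the CA validates a certificate.
set -eu

# Print "<anchor dir> <update command>" for the distro described by the
# os-release file $1 (default /etc/os-release); fail on unknown distros.
trust_store_target() {
    file=${1:-/etc/os-release}
    id=$(sed -n 's/^ID=//p' "$file" | tr -d '"')
    like=$(sed -n 's/^ID_LIKE=//p' "$file" | tr -d '"')
    case " $id $like " in
        *" debian "*|*" ubuntu "*)
            echo "/usr/local/share/ca-certificates update-ca-certificates" ;;
        *" rhel "*|*" centos "*|*" fedora "*)
            echo "/usr/share/pki/ca-trust-source/anchors update-ca-trust" ;;
        *) echo "unsupported distro: $id" >&2; return 1 ;;
    esac
}

# File name inside the anchor dir: update-ca-certificates only scans *.crt,
# so a .pem dropped into /usr/local/share/ca-certificates is silently ignored.
anchor_name() {
    base=$(basename "$1"); base=${base%.pem}
    case "$2" in
        /usr/local/share/ca-certificates) echo "$base.crt" ;;
        *) echo "$base.pem" ;;
    esac
}

# Copy the PEM CA file $1 into the store and rebuild the bundle (run as root).
install_ca() {
    set -- "$1" $(trust_store_target)
    cp "$1" "$2/$(anchor_name "$1" "$2")"
    case "$3" in
        update-ca-certificates) update-ca-certificates ;;
        update-ca-trust) update-ca-trust extract ;;
    esac
}

# Exit 0 when certificate $2 chains to CA $1: the same check the rebuilt
# system bundle performs, so run it before and after install_ca.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}
```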

Scenario 3 : npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN

One of the easiest ways to fix the issue is to disable strict-ssl (set it to false):

```sh
$ npm config set strict-ssl false
```

Note - Do not set strict-ssl to false in production; disabling strict-ssl is only advisable in a development environment, and only when necessary.

The other possible problem is that your npm is running an old version.

So try to upgrade npm using the following command:

```sh
npm install npm -g --ca=""
```

After that, tell your current version of npm to use the known registrars:

```sh
npm config set ca=""
```

Scenario 4 : pip install connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

You are trying to install a Python package and somewhere during the installation you notice this issue.

The root cause of the issue is certificate validation. With the latest releases of Python it is getting stricter, and your local machine is not able to trust the host.

In simple words, we need to tell our system to trust the certificates associated with pypi.org, files.pythonhosted.org etc.


Resolution

This command lets you trust the hosts pypi.org and files.pythonhosted.org:

```sh
$ pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org setuptools
```

There is one more way to fix this issue: add the hosts to the pip config file, i.e. pip.ini or pip.conf depending on your operating system.

Unix - on Unix systems the file is at $HOME/.config/pip/pip.conf

macOS - for Mac users the location is $HOME/Library/Application Support/pip/pip.conf

Windows - for Windows users it is at %APPDATA%\pip\pip.ini

Add the following global entry to pip.ini or pip.conf:

```ini
[global]
trusted-host = pypi.python.org
               pypi.org
               files.pythonhosted.org
```

Note that trusted-host makes pip skip certificate verification for those hosts rather than trust your downloaded certificate; pip's cert option in the same [global] section points pip at a CA file instead.

Note - Read more here on fixing the Python pip install connection error SSL CERTIFICATE_VERIFY_FAILED

Scenario 5 : PHP - SSL certificate problem: unable to get local issuer certificate

This is one more scenario where you may struggle to set up an SSL certificate or certificate bundle.

I had this issue on my XAMPP server, so here are the steps I followed to fix the SSL certificate problem:

  1. Download the certificate bundle from curl.haxx
  2. After downloading, put the cacert-xxxx-xx-xx.pem file somewhere on disk. In my case I kept the file at /opt/lampp/share/curl/cacert-xxxx-xx-xx.pem
  3. Locate your php.ini file. If you are not sure how to find php.ini, use this command:

```sh
find / -name 'php.ini' 2>/dev/null
```

This command should return the location of php.ini.

  4. In php.ini look for the line openssl.cafile and update its value to /opt/lampp/share/curl/cacert-xxxx-xx-xx.pem

```ini
openssl.cafile=/opt/lampp/share/curl/cacert-xxxx-xx-xx.pem
```

  5. After the update, save the file and stop the service:

```sh
sudo /opt/lampp/lampp stop
```

  6. Start the service again:

```sh
sudo /opt/lampp/lampp start
```

  7. Following the above steps should fix your SSL certificate problem

Scenario 6 : Postman error: self signed certificate in certificate chain | Unable to get local issuer certificate error

I use Postman for testing REST web services, and as a golden rule REST web services are always secured with https.

But Postman is a third party application that we generally use for testing purposes, so it is advisable to turn off its SSL certificate verification.

Go to Settings and switch off SSL certificate verification.

Hopefully that solves your "self signed certificate in certificate chain | Unable to get local issuer certificate" issue.

Note: - Do not run your webservice in production without https


Scenario 7 : Using GIT_SSL_CAINFO to accept certificate permanently

Git provides an environment variable, GIT_SSL_CAINFO, which can be used to point at a specific certificate that you downloaded manually. Here is an example of setting GIT_SSL_CAINFO for the certificate my_custom_downloaded_certificate.pem:

```sh
export GIT_SSL_CAINFO=/etc/ssl/certs/my_custom_downloaded_certificate.pem
```

Once you have set GIT_SSL_CAINFO you can clone the git repo without the self signed certificate error, because git now verifies that repository's certificate against the certificate you added permanently through the environment variable.


Advantages of accepting self signed certificate permanently

  1. Certificate verification stays enabled, so you keep protection against man-in-the-middle attacks on the secured connection backed by the self signed certificate.
  2. You do not have to use less secure options such as http.sslVerify=false or GIT_SSL_NO_VERIFY=true

Note - Read more on how to fix: terraform x509 certificate signed by unknown authority