You may end up with SSL certificate issue: self-signed certificate in certificate chain in
multiple cases, but with my experience, these are the most common scenarios (Click on individual scenarios for more details)
– Scenario
- 1 – Git Clone – Unable to clone remote repository
- chain Scenario 2 – Vagrant Up – SSL certificate issue: Self-signed certificate in certificate chain Scenario
- 3 – Node.js – npm ERR!
- pip install connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
- 5 – PHP – SSL certificate: Unable to obtain local issuer certificate Scenario
- 6 – POSTMAN – Postman error: Self-signed certificate in certificate chain | Unable to get
: SSL certificate issue: Self-signed certificate in certificate
Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN Scenario 4 – pip install –
Scenario
local issuer certificate error
Scenario 1: Git clone – SSL certificate issue: Self-signed
certificate in certificate chain
It’s one of the most common scenarios where you sit behind the
corporate firewall.
All traffic is intercepted by the corporate firewall and replaces the certificate and then adds its own self-signed certificate.
The self-signed certificate is not recognized by anyone other than you or your organization and what causes the SSL certificate issue: Self-signed
certificate in the certificate chain
Workaround: (Not recommended)
Disable Git SSL verification
while cloning
the repository
If you are the owner of the Git repository, you can globally disable SSL verification
. Solution: Configure Git
to trust the self-signed certificate
To more accurately fix the issue “SSL certificate issue:
self-signed certificate in certificate chain”, we need – Get the self-signed certificate Put/save in – **~/git-certs
- /cert.pem
- trust this certificate using the **http.sslCAInfo** parameter
** Set **git** to
Suppose the git server URL is github.com and to get
The self-signed certificate
needs to be accessed through port 443. openssl: To obtain a self-signed certificate (if you do not have openssl installed, skip this section and proceed to next) The openssl command above will generate a self-signed certificate as shown below You must store the previous self-signed certificate chain in the cert.pem
file You now have the self-signed certificate
using
openssl
(For openssl installation, see – https://www.openssl.org/
)
Firefox : To get a
self-signed certificate If you
don’t have openssl, you can use your browser to (I would recommend using firefox)
to download the self-signed certificate. Open URL in the
- browser (In our case we are using htts://github.com)
- Click the padlock near the URL bar
- After that, click the arrow near Connection Secure
- Now you should click on the
- After that, a new window will open, then you need to click View
certificate
- It will redirect you to the page
- Scroll down and search for PEM Download
(cert)PEM (string)
. You now
- have your cert.pem file
Configure git
to trust This
certificate
Alternatively, you can use the entire -system system instead
of -global
You can now clone the git repository without any “SSL certificate issue”
Scenario 2: Vagabond – SSL certificate issue: Self-signed certificate in the certificate
chain If you’re sitting behind the corporate firewall, there’s a good chance that your inbound and outbound traffic is being monitored and disrupted.
Because of that, your company could generate a self-signed certificate and eventually result in “SSL certificate issue: self-signed certificate in certificate chain”
Workaround: (Not recommended, but you should add the self-signed certificate to the trust store. Continue reading more about how to trust self-signed certificate on different operating systems)
Go to your Vagrantfile and add box_download_insecure=true
Here is complete Vagrantfile, creates two virtual machines: a master node and a worker node
Once you add box_download_insecure=true in your vagrantfile file, you should be able to start your virtual machines successfully.
OS X trust
self-signed
SSL certificates You must first download the self-signed certificate. To download the self-signed certificate – How to download the self-signed certificate?
After downloading the self-signed certificate, you need to
add it to Keychain
Access First you need to
- locate where you have downloaded the self-signed certificate file .i.e.-
- Now you need to open Keychain Access on your OS X
- drag the self-named certificate cert.pem to Keychain Access. You need
- Now double-click on the certificate (cert.pem), go to the trust section and under “When using this certificate”, select “Always trust”
- Great now that you’ve added the self-created certificate to your OS X truststore.
cert.pem
You must
to go to the certificates section and locate the certificate you just added
After you have completed the 6 steps to add a self-signed certificate to the OS X truststore. Run the vagrant up command
Get Windows 10 to trust
self-signed SSL certificates
You must first download the self-signed certificate. To download the self-signed certificate – How to download the self-signed certificate?
After
downloading the self-signed certificate
, you need to follow the steps:
- click the Windows key and start typing certmgr.msc
- Then you need to click on certmgr.msc, the certmgr window will open
- After that, you should look carefully in the left navigation panel “Certificates – Current User”
- Navigate the tree and search “Trusted Root Certificate Authority:
- All Tasks -> Import
- Welcome to the Certificate Import Wizard” opens
- Browser the cert.pem you downloaded earlier and then click
- Next
- After that, you should mention the Certificate Store by default that should have “Trusted Root Certificate Authorities“, then you should
- , you should click “Finish”.
- Great now that you have imported the self-signed certificate into your Windows 10 trust store
> Certificates” Right click on Certificates ->
“
Click Next
click next After that
After running the
11 steps mentioned above, you can now run the vagrant up command
Get Ubuntu, Debian, and CentOS to trust
self-signed
SSL certificates You need to download the self-signed certificate first. To download the self-signed certificate – How to download the self-signed certificate?
Ubuntu and Debian
CentOS
In terms of CentOS is a little different
Scenario 3: npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN
One of the easiest ways to fix the problem is to disable or set to false strict-ssl
Note: Do not set strict-ssl false in production, it is always recommended to disable strict-ssl in the development environment when necessary.
The other problem could be that your npm is running on an older version
So try updating the npm using the following command
After that, tell your current version of npm to use known registrars
Scenario 4: pip installation connection failure:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed
You
are trying to install Python and somewhere during the installation you noticed this problem.
The root cause of the problem is “certificate validation” “. With the latest version of python, it’s getting stricter and your local machine can’t trust the host.
In simple words, we must tell our system to trust certificates that are associated with pypi.org, files.pythonhosted.org, etc.
Resolution
This command will allow you to trust the .i.e. host pypi.org and files.pythonhosted.org
Correction in the configuration file
(recommended)
There is one more way to work around this problem by adding the hosts to the .i.e. pip.ini or pip.conf configuration files depending on your operating system. Unix – In the Unix operating system
you can locate the file
in $HOME/.config/pip/pip.conf macOS – For
mac users, the location should be $HOME/Library/Application Support/pip/
pip.conf
Windows – For the user the window is located at %APPDATA%
pippip.ini
Add the following global entry in pip.ini or pip.conf
* Note: read more here about how to fix Python SSL pip installation connection error CERTIFICATE_VERIFY_FAILED
Scenario 5: PHP – SSL certificate issue: Unable to obtain
certificate
from local issuer This could be one more scenario where you may have difficulty configuring the SSL certificate or certificate
package
I had this problem on my XAMPP server, so these are the steps I followed to fix the SSL certificate issue
-
Download the certificate package from curl.haxx
-
After downloading it, put your cacert-xxxx-xx-xx.pem file somewhere in the directory. In my case I kept the file in /opt/lampp/share/curl/cacert-xxxx-xx-xx.pem
-
Locate your php.ini file. If in case you are not sure how to find
php.ini use the command
This command should return it
with the location of php.ini In the
- php file.ini locate the openssl.cafile line and then update its value with /opt/lampp/share/curl/cacert-xxxx-xx-xx.pem
- After the upgrade, save the file and stop
the service
- Start the service again
- Following the steps above, should fix your
SSL certificate issue
Scenario 6: Postman Error: Self-Signed Certificate in Certificate Chain | Unable to get local issuer certificate error
I use the POSTMAN to test REST web services,
but as a general rule, REST web services are always secured with https. But
POSTMAN is the
third-party application that we usually use for testing purposes, so it is advisable to disable SSL certification verification
Goto ->
Hopefully it resolves your self-signed certificate to the certificate chain | Unable to get local issuer certificate issue
Note: –
Do not run your web service in production without https
Learn more about kubernetes – 14
steps to install kubernetes on Ubuntu 18.04 and 16.04
Scenario 7: Using GIT_SSL_CAINFO to accept certificates permanently
Git provides an environment variable GIT_SSL_CATINFO , this environment variable can be used to point to a specific certificate that you downloaded manually. Here is an example of setting the GIT_SSL_CAINFO environment variable for the my_custom_downloaded_certificate.pem
certificate
– Once you have added the GIT_SSL_CAINFO environment variable, you can clone the git repository without any self-signed certificate error. Because you have added the certificate permanently to the environment variable, which ultimately makes you trust that particular git repository.
Advantages of accepting the self-signed certificate
permanently
- You can avoid the man-in-the-middle attack because you are using a secure connection backed by a self-signed certificate
- You don’t have to use less secure options like – http.sslVerify=fals or GIT_SSL_NO_VERIFY=true
.
Note- Read more about how to fix terraform x509 certificate signed by unknown authority?