6 Ways to fix : SSL certificate problem: self signed certificate in

You may end up with the "SSL certificate issue: self-signed certificate in certificate chain" error in multiple cases, but in my experience these are the most common scenarios:

  • Scenario 1 – Git Clone – Unable to clone remote repository: SSL certificate issue: Self-signed certificate in certificate chain
  • Scenario 2 – Vagrant Up – SSL certificate issue: Self-signed certificate in certificate chain
  • Scenario 3 – Node.js – npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN
  • Scenario 4 – pip install – pip install connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
  • Scenario 5 – PHP – SSL certificate: Unable to obtain local issuer certificate
  • Scenario 6 – POSTMAN – Postman error: Self-signed certificate in certificate chain | Unable to get local issuer certificate error

Scenario 1: Git clone – SSL certificate issue: Self-signed certificate in certificate chain

This is one of the most common scenarios when you sit behind a corporate firewall.

The corporate firewall intercepts all traffic, replaces the server's certificate and adds its own self-signed certificate to the chain.

That self-signed certificate is not recognized by anyone other than you or your organization, and that is what causes the "SSL certificate issue: Self-signed certificate in certificate chain" error.

Workaround: (Not recommended)

Disable Git SSL verification while cloning the repository.

If you are the owner of the Git repository, you can globally disable SSL verification.

Solution: Configure Git to trust the self-signed certificate

To fix the issue “SSL certificate issue: self-signed certificate in certificate chain” more accurately, we need to –

  1. Get the self-signed certificate
  2. Put/save it in – **~/git-certs/cert.pem**
  3. Set **git** to trust this certificate using the **http.sslCAInfo** parameter

Suppose the git server URL is github.com. To get the self-signed certificate, the server needs to be accessed through port 443.

openssl: To obtain a self-signed certificate (if you do not have openssl installed, skip this section and proceed to the next)

The openssl command prints the self-signed certificate chain; you must store that chain in the cert.pem file.

You now have the self-signed certificate using openssl (for openssl installation, see – https://www.openssl.org/).

Firefox: To get a self-signed certificate

If you don’t have openssl, you can use your browser (I would recommend using Firefox) to download the self-signed certificate.

  • Open the URL in the browser (in our case we are using https://github.com)
  • Click the padlock near the URL bar
  • After that, click the arrow near Connection Secure
  • Now you need to click on the
  • After that, a new window will open, then you need to click View certificate
  • It will redirect you to the certificate configuration page
  • Scroll down and search for Download PEM (cert) PEM (chain)
  • You now have your cert.pem file

Configure git to trust this certificate

Alternatively, you can use --system instead of --global.

You can now clone the git repository without any “SSL certificate issue”.
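The three steps above (get the certificate chain, save it as ~/git-certs/cert.pem, point git at it) as one shell script. This is an added example, not code from the original page; it assumes openssl and git are installed, and the per-host `http.<url>.sslCAInfo` key is this example's choice over the page's global `http.sslCAInfo` setting.

```sh
#!/bin/sh
# Added example, not from the original page. The host argument and the per-host
# git key are this example's choices; ~/git-certs/cert.pem is the page's path.
HOST="${1:-}"
CERT_FILE="${2:-$HOME/git-certs/cert.pem}"

# Keep only the PEM blocks from `openssl s_client -showcerts` output (stdin).
extract_pem_chain() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Count the certificates in a PEM bundle (stdin); prints 0 for an empty capture.
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Save the chain presented on port 443 (by the server or the firewall).
fetch_chain() {  # fetch_chain HOST OUTFILE
  mkdir -p "$(dirname "$2")"
  openssl s_client -showcerts -servername "$1" -connect "$1:443" \
    </dev/null 2>/dev/null | extract_pem_chain > "$2"
  [ "$(count_certs < "$2")" -gt 0 ]  # fail when nothing was captured
}

# Print subject, issuer and SHA-256 fingerprint of each certificate in FILE so
# they can be compared with the values your IT team publishes.
describe_chain() {  # describe_chain FILE
  pem=""
  while IFS= read -r line; do
    pem=$(printf '%s\n%s' "$pem" "$line")
    if [ "$line" = "-----END CERTIFICATE-----" ]; then
      printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -fingerprint -sha256
      pem=""
    fi
  done < "$1"
}

# Trust FILE for one host only. The page's global form would be:
#   git config --global http.sslCAInfo "$CERT_FILE"
trust_for_git() {  # trust_for_git HOST FILE
  git config --global "http.https://$1/.sslCAInfo" "$2"
}

if [ -n "$HOST" ]; then
  fetch_chain "$HOST" "$CERT_FILE" && describe_chain "$CERT_FILE"
  # Run once to review the output; re-run with "trust" as the third argument.
  if [ "${3:-}" = "trust" ]; then trust_for_git "$HOST" "$CERT_FILE"; fi
fi
```

Run it with the host as the first argument to capture and review the chain, then again with `trust` as the third argument once the fingerprints match what your organization publishes.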

Scenario 2: Vagrant – SSL certificate issue: Self-signed certificate in the certificate chain

If you’re sitting behind the corporate firewall, there’s a good chance that your inbound and outbound traffic is being monitored and intercepted.

Because of that, your company could generate a self-signed certificate, which eventually results in “SSL certificate issue: self-signed certificate in certificate chain”.

Workaround: (Not recommended; you should add the self-signed certificate to the trust store instead. Continue reading for how to trust a self-signed certificate on different operating systems.)

Go to your Vagrantfile and add box_download_insecure=true

Here is the complete Vagrantfile; it creates two virtual machines: a master node and a worker node.

Once you add box_download_insecure=true to your Vagrantfile, you should be able to start your virtual machines successfully.

OS X trust self-signed SSL certificates

You must first download the self-signed certificate. To download the self-signed certificate – How to download the self-signed certificate?

After downloading the self-signed certificate, you need to add it to Keychain Access.

  1. First you need to locate where you have downloaded the self-signed certificate file, i.e. cert.pem
  2. Now you need to open Keychain Access on your OS X
  3. You must drag the self-signed certificate cert.pem to Keychain Access
  4. You need to go to the certificates section and locate the certificate you just added
  5. Now double-click on the certificate (cert.pem), go to the trust section and under “When using this certificate”, select “Always trust”
  6. Great, you have now added the self-signed certificate to your OS X truststore.

After you have completed the 6 steps to add a self-signed certificate to the OS X truststore, run the vagrant up command.

Get Windows 10 to trust self-signed SSL certificates

You must first download the self-signed certificate. To download the self-signed certificate – How to download the self-signed certificate?

After downloading the self-signed certificate, you need to follow these steps:

  1. Click the Windows key and start typing certmgr.msc
  2. Then you need to click on certmgr.msc; the certmgr window will open
  3. After that, look carefully in the left navigation pane for “Certificates – Current User”
  4. Navigate the tree and find “Trusted Root Certification Authorities -> Certificates”
  5. Right click on Certificates -> All Tasks -> Import
  6. The “Welcome to the Certificate Import Wizard” will open
  7. Click Next
  8. Browse to the cert.pem that you downloaded earlier and then click Next
  9. After that, you should specify the Certificate Store; by default you should have “Trusted Root Certification Authorities”, then click Next
  10. After that, click “Finish”
  11. Great, you have now imported the self-signed certificate into your Windows 10 truststore

After running all 11 steps mentioned above, you can now run the vagrant up command.

Get Ubuntu, Debian, and CentOS to trust self-signed SSL certificates

You need to download the self-signed certificate first. To download the self-signed certificate – How to download the self-signed certificate?

Ubuntu and Debian

CentOS

CentOS is a little different.

Scenario 3: npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN

One of the easiest ways to fix the problem is to disable strict-ssl, i.e. set it to false.

Note: Do not set strict-ssl to false in production; disable strict-ssl only in the development environment, and only when necessary.

The other problem could be that your npm is running on an older version.

So try updating npm using the following command.

After that, tell your current version of npm to use known registrars.

Scenario 4: pip install connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

You are trying to install Python and somewhere during the installation you noticed this problem.

The root cause of the problem is “certificate validation”. With the latest version of Python, validation is getting stricter and your local machine can’t trust the host.

In simple words, we must tell our system to trust certificates that are associated with pypi.org, files.pythonhosted.org, etc.

Resolution

This command will allow you to trust the hosts, i.e. pypi.org and files.pythonhosted.org.

Fix in the configuration file (recommended)

There is one more way to work around this problem: add the hosts to the pip configuration file, i.e. pip.ini or pip.conf, depending on your operating system.

  • Unix – On a Unix operating system you can locate the file at $HOME/.config/pip/pip.conf
  • macOS – For the Mac user, the location should be $HOME/Library/Application Support/pip/pip.conf
  • Windows – For the Windows user it is located at %APPDATA%\pip\pip.ini

Add the following global entry in pip.ini or pip.conf

*Note: read more here about how to fix Python SSL pip installation connection error CERTIFICATE_VERIFY_FAILED

Scenario 5: PHP – SSL certificate issue: Unable to obtain certificate from local issuer

This could be one more scenario where you may have difficulty configuring the SSL certificate or certificate bundle.

I had this problem on my XAMPP server, so these are the steps I followed to fix the SSL certificate issue:

  1. Download the certificate bundle from curl.haxx
  2. After downloading it, put your cacert-xxxx-xx-xx.pem file somewhere in the directory. In my case I kept the file in /opt/lampp/share/curl/cacert-xxxx-xx-xx.pem
  3. Locate your php.ini file. If you are not sure how to find php.ini, use the command. This command should return the location of php.ini
  4. In the php.ini file, locate the openssl.cafile line and then update its value with /opt/lampp/share/curl/cacert-xxxx-xx-xx.pem
  5. After the update, save the file and stop the service
  6. Start the service again
  7. Following the steps above should fix your SSL certificate issue

Scenario 6: Postman Error: Self-Signed Certificate in Certificate Chain | Unable to get local issuer certificate error

I use POSTMAN to test REST web services, but as a general rule, REST web services are always secured with https. But POSTMAN is a third-party application that we usually use for testing purposes, so it is advisable to disable SSL certificate verification.

Go to -> Setup

Hopefully it resolves your “self-signed certificate in certificate chain | Unable to get local issuer certificate” issue.

Note: Do not run your web service in production without https.


Scenario 7: Using GIT_SSL_CAINFO to accept certificates permanently

Git provides an environment variable, GIT_SSL_CAINFO, which can be used to point to a specific certificate that you downloaded manually. Here is an example of setting the GIT_SSL_CAINFO environment variable for the my_custom_downloaded_certificate.pem certificate –

Once you have added the GIT_SSL_CAINFO environment variable, you can clone the git repository without any self-signed certificate error, because you have added the certificate permanently to the environment variable, which ultimately makes you trust that particular git repository.
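The environment-variable approach described here, extended to the npm and pip scenarios above so that those tools verify against the same reviewed certificate file instead of having verification switched off. This is an added example, not code from the original page; NODE_EXTRA_CA_CERTS, npm_config_cafile and PIP_CERT are the corresponding Node.js, npm and pip settings, and the directory in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example (not from the original page): print the exports that make git,
# Node.js/npm and pip verify TLS against one reviewed CA file.
# Usage (directory is an assumption, file name is the page's sample):
#   eval "$(sh ca-env.sh ~/certs/my_custom_downloaded_certificate.pem)"

# Succeed only if FILE is readable and holds a complete PEM certificate block.
is_pem_bundle() {  # is_pem_bundle FILE
  [ -r "$1" ] || return 1
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -e '-----END CERTIFICATE-----' "$1"
}

# Print export lines for FILE, or fail without printing any export.
ca_env_exports() {  # ca_env_exports FILE
  if ! is_pem_bundle "$1"; then
    echo "refusing: $1 is not a readable PEM certificate file" >&2
    return 1
  fi
  # Resolve to an absolute path so the setting works from any directory.
  abs="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
  # GIT_SSL_CAINFO and PIP_CERT replace the default CA bundle for git and pip;
  # NODE_EXTRA_CA_CERTS adds the file to the roots Node.js already trusts.
  cat <<EOF
export GIT_SSL_CAINFO='$abs'
export NODE_EXTRA_CA_CERTS='$abs'
export npm_config_cafile='$abs'
export PIP_CERT='$abs'
EOF
}

if [ "$#" -ge 1 ]; then
  ca_env_exports "$1"
fi
```

Because GIT_SSL_CAINFO and PIP_CERT replace the default bundle, the file must contain every CA those tools need for the hosts they contact.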

Advantages of accepting the self-signed certificate permanently

  1. You can avoid the man-in-the-middle attack because you are using a secure connection backed by a self-signed certificate.
  2. You don’t have to use less secure options like http.sslVerify=false or GIT_SSL_NO_VERIFY=true
