SSL Certificate Problem Self Signed Certificate In Certificate Chain

3 Ways to fix: SSL certificate problem: self signed certificate in certificate chain

You can run into "SSL certificate problem: self signed certificate in certificate chain" in several situations, but in my experience these are the most common scenarios:

    1. Scenario 1 – Git clone – Unable to clone remote repository: SSL certificate problem: self signed certificate in certificate chain
    2. Scenario 2 – Vagrant up – SSL certificate problem: self signed certificate in certificate chain
    3. Scenario 3 – Node.js – npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN
    4. Scenario 4 – pip install – pip install connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

Scenario 1: Git clone – SSL certificate problem: self signed certificate in certificate chain

This is one of the most frequent scenarios when you sit behind a corporate firewall.

All traffic is intercepted by the corporate firewall, which replaces the server's certificate with one issued under the company's own self-signed certificate.

Nobody apart from you or your organisation recognizes that self-signed certificate, and this causes "SSL certificate problem: self signed certificate in certificate chain".

Workaround (not recommended)

Disable Git SSL verification while cloning the repository. With verification off, Git accepts any certificate the other end presents, so the connection is no longer protected against interception.

git -c http.sslVerify=false clone https://example.com/path/to/git

If you own the Git repo then you can disable SSL verification globally

git config --global http.sslVerify false

Resolution: Configure Git to trust the self-signed certificate

To fix "SSL certificate problem: self signed certificate in certificate chain" properly, we need to:

  • Get the self-signed certificate
  • Save it to ~/git-certs/cert.pem
  • Configure Git to trust this certificate using the http.sslCAInfo parameter

Let's assume the Git server URL is github.com, and we need to connect over port 443 to get the self-signed certificate.

OpenSSL: To obtain the self-signed certificate (if you do not have OpenSSL installed, skip this section and move to the next section)

$ openssl s_client -connect github.com:443

The openssl command above will print the self-signed certificate as below

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The self-signed certificate string above must be saved in the cert.pem file.

Now you have the self-signed certificate, obtained using openssl.

(Please refer to https://www.openssl.org/ for OpenSSL installation.)

Firefox: To get the self-signed certificate

If you don't have OpenSSL then you can use your browser to download the self-signed certificate (I would recommend using Firefox).

  • Open the URL in the browser (we use https://github.com in our case)
  • Click on the lock icon in the URL bar
  • After that, click on the arrow next to Secure Connection
  • Now you must click the
  • After a new window opens, click on View Certificate
  • It will take you to the certificate details page
  • Scroll down to Download, which offers PEM (cert) and PEM (chain)

  • Now you have your cert.pem file
  • Configure Git to trust that certificate

$ git config --global http.sslCAInfo /home/jhooq/git-certs/cert.pem

You can also use --system instead of --global to apply the setting system-wide.

Now you can clone a Git repo without hitting the "SSL certificate problem" error.
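The resolution steps above, as an added example that is not part of the original article: it builds a constructed root CA and leaf locally, picks out the self-signed certificate in the chain, and confirms that the leaf verifies once that one certificate is trusted. The function names, certificate subjects and temporary paths are assumptions for illustration; only openssl is required.

```shell
#!/usr/bin/env bash
# Added example. The CA and leaf below are constructed locally (no network);
# function names and subjects are illustrative assumptions.
set -eu
work=$(mktemp -d)

# Build a constructed chain: a self-signed root (standing in for the corporate
# proxy's CA) and a leaf certificate signed by it, concatenated leaf-first.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Proxy Root CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=git.example.test" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" \
    -CAkey "$work/ca.key" -CAcreateserial -days 1 \
    -out "$work/leaf.pem" 2>/dev/null
  cat "$work/leaf.pem" "$work/ca.pem" > "$work/chain.pem"
}

# Split a PEM bundle (or raw `openssl s_client -showcerts` output) into one
# file per certificate and print the path of each certificate whose subject
# equals its issuer, i.e. the self-signed root that the error refers to.
find_self_signed() {
  awk -v d="$work" '/BEGIN CERTIFICATE/{n++; p=1}
       p{print > (d "/part" n ".pem")}
       /END CERTIFICATE/{p=0}' "$1"
  for f in "$work"/part*.pem; do
    s=$(openssl x509 -in "$f" -noout -subject_hash)
    i=$(openssl x509 -in "$f" -noout -issuer_hash)
    if [ "$s" = "$i" ]; then echo "$f"; fi
  done
}

# Succeeds only if the leaf chains to a certificate in the given CA file.
leaf_verifies_with() {
  openssl verify -CAfile "$1" "$work/leaf.pem" >/dev/null 2>&1
}

make_chain
root=$(find_self_signed "$work/chain.pem")
openssl x509 -in "$root" -noout -subject -fingerprint -sha256
if leaf_verifies_with "$root"; then
  echo "leaf verifies once $root is trusted"
fi
```

On a real chain, compare the printed SHA-256 fingerprint with your organisation's CA certificate before pointing http.sslCAInfo at the file.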

Scenario 2: vagrant up – SSL certificate problem: self signed certificate in certificate chain

If you're sitting behind a corporate firewall, there's a good chance your incoming and outgoing traffic is monitored and intercepted.

Your company may present its own self-signed certificate in place of the server's, which eventually results in "SSL certificate problem: self signed certificate in certificate chain".

$ vagrant up
Bringing machine 'master' up with 'virtualbox' provider...
Bringing machine 'worker' up with 'virtualbox' provider...
==> master: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
    master: Box Provider: virtualbox
    master: Box Version: >= 0
==> master: Loading metadata for box 'hashicorp/bionic64'
    master: URL: https://vagrantcloud.com/hashicorp/bionic64
==> master: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
    master: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

SSL certificate problem: self signed certificate in certificate chain

Workaround – (It is not recommended; instead you should add the self-signed certificate to the trust store. Continue reading on how to trust the self-signed certificate on different operating systems.)
Go ahead and add box_download_insecure = true to your Vagrantfile

master.vm.box_download_insecure = true

Here's the complete Vagrantfile; it creates two VMs – one master node and one worker node

Vagrant.configure("2") do |config|
  config.vm.define "master" do |master|
    # Workaround: skips TLS certificate verification for the box download
    master.vm.box_download_insecure = true
    master.vm.box = "hashicorp/bionic64"
    master.vm.network "private_network", ip: "100.0.0.1"
    master.vm.hostname = "master"
    master.vm.provider "virtualbox" do |v|
      v.name = "master"
      v.memory = 2048
      v.cpus = 2
    end
  end

  config.vm.define "worker" do |worker|
    # Workaround: skips TLS certificate verification for the box download
    worker.vm.box_download_insecure = true
    worker.vm.box = "hashicorp/bionic64"
    worker.vm.network "private_network", ip: "100.0.0.2"
    worker.vm.hostname = "worker"
    worker.vm.provider "virtualbox" do |v|
      v.name = "worker"
      v.memory = 1024
      v.cpus = 1
    end
  end

end

Once you add box_download_insecure = true to your Vagrantfile, you should be able to start your VMs successfully.