Understanding Self-Signed Certificate in Chain Issues on Node.js, npm, Git, and other applications

I worked for a company that has a strict Information Security policy. Since it is a big company, it has a strong firewall that covers all layers of the network. Thus, every packet that comes from the internet is intercepted and opened by that firewall.

Broadly, whenever a packet travels over an SSL/TLS connection, the firewall needs to "open" it to inspect the content and "close" it again, attaching a new certificate so that the protocol is not broken. Just to clarify: when you make an HTTPS request, you are actually using an SSL/TLS connection.

However, this new certificate is one provided by our own company. When the packet arrives at your machine, it carries our company's self-signed certificate. If you click on the lock icon next to the URL in the address bar, you can see the certificate information.

[Image: browser lock icon showing the HTTPS status]

Because of that, the company has to install this certificate in the operating system's certificate store, so that applications know the self-signed certificate can be trusted. Each operating system provides a way to manage certificates and Certificate Authorities (CAs). The browser ships its own list of trusted CAs, but it falls back to the operating system store to check other certificates.

Windows, for example, has its own Certificate Manager. On Linux-based systems, you put your certificate files (.pem, .cer, ...) in a specific folder such as /etc/ssl/certs.

[Image: Windows Certificate Manager] For more information about the Windows Certificate Manager: https://docs.microsoft.com/en-us/windows/desktop/seccrypto/managing-certificates-with-certificate-stores

The issue begins when applications and dev tools need to access this certificate store. Some applications do it automatically. Others simply don't provide that feature. So, what to do? You have to configure your application to see your self-signed certificate. Each application or dev tool provides its own way to do that.

Sometimes you don't want to configure your application to see your certificate and you just want to bypass SSL verification. To illustrate this verification, you have probably seen the SSL connection error screen in Chrome. It gives you a chance to bypass the check if you click the "Advanced" button and accept the risks.

[Image: SSL connection error screen on Google Chrome]

So what are the risks of bypassing? The point is that the data arrives with a certificate, and you should ensure that this certificate is valid so that you prevent a "man-in-the-middle" attack. The certificate attached to the connection is how you make sure the package was not modified between the origin and the destination (your machine). A package can pass through many network nodes before it arrives at your machine, and an attacker on any of them could try to inject malicious code into it.

The certificate that comes with the package must be verified against a CA. The certificate manager on your machine holds a list of CAs that can be trusted. With a self-signed certificate, however, the certificate is issued by your company or by you. So you have to make the application trust this self-signed certificate, either by loading it into your operating system's certificate manager or through the application's own settings. If you don't, you will probably get a Self-signed Certificate in Chain error.

After understanding the idea behind the Self-signed Certificate in Chain issue, let's go through some settings.

On npm

With the Node Package Manager (npm) you have two options: bypass verification or set a certificate file.

Bypassing (risky!)

npm config set strict-ssl false --global

Setting a certificate file

npm config set cafile /path/to/your/cert.pem --global

On Node.js

Sometimes we have problems when installing Node.js-based applications. Even after setting a certificate file in npm, some installation scripts rely on HTTPS libraries that don't read npm settings. You may get an error like this: at bootstrapNodeJSCore ... code: 'SELF_SIGNED_CERT_IN_CHAIN'

So you can try setting an environment variable before running your Node.js-based script (the set syntax below is for the Windows command prompt; in a POSIX shell use export instead):

Bypassing (risky!)

set NODE_TLS_REJECT_UNAUTHORIZED=0

Setting a certificate file

set NODE_EXTRA_CA_CERTS=/path/to/your/cert.pem

On Git

If you get a Git error like SSL certificate problem: self signed certificate in certificate chain, you may try:

Bypassing (risky!)

git config http.sslVerify false

Setting a certificate file

git config http.sslCAinfo /your/path/to/cacert-client.pem

On pip (PyPI)

pip is the Python package installer, and it downloads packages from PyPI, the Python Package Index. If you get the error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed when trying to install a package, you can try passing some parameters to pip install:

Bypassing (risky!)

pip install <package_name> --trusted-host pypi.python.org

Setting a certificate file

pip install --cert /path/to/your/cert.pem <package_name>
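As an added example (not code from the original post), a small Python audit that reads the npm, Node.js, Git and pip settings described in the sections above from constructed ~/.npmrc, ~/.gitconfig and pip.conf text plus environment variables, and reports which tools were left on the risky bypass versus pointed at a CA file. The sample contents and the /etc/ssl/certs/corp-ca.pem path are assumed for illustration.

```python
import configparser
import io

def parse_npmrc(text):
    """~/.npmrc is key=value lines; ';' or '#' start comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in ";#" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def parse_ini(text):
    """~/.gitconfig and pip.conf are INI-style; keys are flattened to section.key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    return {f"{s}.{k}".lower(): v.strip() for s in cp.sections() for k, v in cp.items(s)}

def audit(npmrc="", gitconfig="", pipconf="", env=None):
    """Return (tool, status, detail) triples: 'bypass' for settings that switch
    certificate verification off, 'cafile' for settings that trust a CA file."""
    env = env or {}
    npm, git, pip = parse_npmrc(npmrc), parse_ini(gitconfig), parse_ini(pipconf)
    off = ("false", "no", "off", "0")  # git accepts any of these as false
    checks = [
        ("npm", "bypass", npm.get("strict-ssl") == "false", "strict-ssl=false"),
        ("npm", "cafile", "cafile" in npm, npm.get("cafile")),
        ("node", "bypass", env.get("NODE_TLS_REJECT_UNAUTHORIZED") == "0", "NODE_TLS_REJECT_UNAUTHORIZED=0"),
        ("node", "cafile", "NODE_EXTRA_CA_CERTS" in env, env.get("NODE_EXTRA_CA_CERTS")),
        ("git", "bypass", git.get("http.sslverify", "").lower() in off, "http.sslVerify=false"),
        ("git", "cafile", "http.sslcainfo" in git, git.get("http.sslcainfo")),
        ("pip", "bypass", "global.trusted-host" in pip, pip.get("global.trusted-host")),
        ("pip", "cafile", "global.cert" in pip, pip.get("global.cert")),
    ]
    return [(tool, status, detail) for tool, status, hit, detail in checks if hit]

# Constructed sample configuration of a developer machine (not from the post).
SAMPLE_NPMRC = "strict-ssl=false\ncafile=/etc/ssl/certs/corp-ca.pem\n"
SAMPLE_GITCONFIG = "[http]\n\tsslVerify = false\n"
SAMPLE_PIPCONF = "[global]\ncert = /etc/ssl/certs/corp-ca.pem\n"
SAMPLE_ENV = {"NODE_EXTRA_CA_CERTS": "/etc/ssl/certs/corp-ca.pem"}

if __name__ == "__main__":
    for tool, status, detail in audit(SAMPLE_NPMRC, SAMPLE_GITCONFIG, SAMPLE_PIPCONF, SAMPLE_ENV):
        print(f"{tool:5} {status:7} {detail}")
```

A tool that shows both a bypass and a cafile finding (npm in the sample) is still effectively unverified, because the bypass wins.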

