Understanding Self-Signed Certificate in Chain Issues on Node.js, npm, Git and other applications

Jônatas Castro
Feb 27 · 4 min read

I work at a company that has a strict information security policy. Since it is a big company, we have a strong firewall that spans from the lowest network layer up to the application layer. This means that every packet that comes in from the internet is intercepted and opened by our firewall.

Broadly, whenever traffic goes over an SSL/TLS connection, the firewall has to “open” it to inspect the content and “close” it again, attaching a new certificate so that the protocol is not broken. In practice the firewall terminates the TLS session coming from the server, inspects the plaintext, and opens a second TLS session towards the client using a certificate it issues on the fly for the hostname the client asked for. Just to clarify: when you make an HTTPS request, you are using an SSL/TLS connection.

However, that on-the-fly certificate is not issued by a public CA. It is signed by a certificate authority that belongs to our own company, and the root certificate of that CA is self-signed. So when the response reaches your machine, the certificate chain it presents ends in our own self-signed root rather than in a publicly trusted one. If you click on the lock icon next to the URL address bar, you can see the certificate information.

The browser's lock icon showing the HTTPS certificate status

Because of that, the company has to install its CA certificate in the operating system's certificate store, so that applications know a chain ending in that self-signed root can be trusted. Each operating system provides a way to manage certificates and Certificate Authorities (CAs). Browsers differ here: some keep their own list of trusted CAs (Firefox, for example), while others use the operating system's store, which is where a locally added company root is found.

Windows, for example, has its own certificate manager. On Linux-based systems you put your certificate files (.pem, .crt…) in a distribution-specific location and then rebuild the system bundle, which usually ends up under /etc/ssl/certs. On Debian and Ubuntu, for instance, you copy the file (it must have a .crt extension) into /usr/local/share/ca-certificates/ and run update-ca-certificates; on Red Hat-based systems you copy it into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.

Windows Certificate Manager. For more information about the Windows Certificate Manager: https://docs.microsoft.com/en-us/windows/desktop/seccrypto/managing-certificates-with-certificate-stores

The issue begins when applications and dev tools need to access this certificate store. Some applications read it automatically. Others simply don't: Node.js and pip, for example, ship their own bundle of public root CAs and never consult the operating system's store, so a root you added there is invisible to them. So what can you do? You have to configure the application itself to trust your company's self-signed root, and each application or dev tool provides its own way to do that.

Sometimes you don't want to configure the application to see your certificate and you just want to bypass SSL verification. To illustrate what that verification is, you have probably seen the SSL connection error screen in Chrome. It lets you bypass the check if you click the “Advanced” button and accept the risks.

SSL connection error screen on Google Chrome

So what are the risks of bypassing? The reason the server presents a certificate, and the reason you must check that it is valid, is to prevent a man-in-the-middle attack. Verifying the certificate is how the client makes sure that the public key it is about to encrypt to really belongs to the server it asked for. A request can pass through many network nodes before the response reaches your machine; if the check is skipped, anyone on that path can present a key of their own, decrypt and read the traffic, and inject modified or malicious content into the package you are downloading, without any error being raised. That is exactly the position the corporate firewall sits in, and bypassing verification lets any other party take that position too.

The certificate the server presents must chain up to a CA the client trusts. The certificate manager on your machine holds a list of CAs that can be trusted, and verification walks the chain from the server's certificate up through any intermediates until it reaches a root in that list. When the chain ends in a self-signed certificate that is not in the list, as it does when the root was issued by your company or by yourself, verification fails. Because the self-signed root was sent as part of the chain, OpenSSL reports the failure as “self signed certificate in certificate chain”, which Node.js surfaces as the error code SELF_SIGNED_CERT_IN_CHAIN. To make the application trust that root you have to add it to the operating system's certificate store or hand it to the application through its own API or configuration; if you don't, you will get exactly that Self-signed Certificate in Chain error.
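To make the failure concrete, here is an added example that is not part of the original article. It is a Ruby script; Ruby's openssl library binds the same OpenSSL that Node.js, Git and pip link against, so the verification outcome and the error codes are identical to what those tools see. The script builds a constructed “Example Corp Root CA” (standing in for the firewall's self-signed root) and a leaf certificate for registry.npmjs.org, then runs chain verification against an empty trust store and against a store loaded from a PEM file, which is what cafile, NODE_EXTRA_CA_CERTS, http.sslCAinfo and pip --cert do under the hood. The CA name and the hostname are made up for the example.

```ruby
require "openssl"
require "tempfile"

# Constructed demo PKI (names are made up): a self-signed "Example Corp Root CA",
# like an intercepting firewall's root, issuing a leaf for the host the client asked for.
def build_corp_pki(host: "registry.npmjs.org")
  digest = OpenSSL::Digest.new("SHA256")
  now = Time.now

  ca_key = OpenSSL::PKey::RSA.generate(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = OpenSSL::X509::Name.parse("/O=Example Corp/CN=Example Corp Root CA")
  ca.issuer = ca.subject                      # self-signed: issuer == subject
  ca.public_key = ca_key.public_key
  ca.not_before = now - 60
  ca.not_after = now + 10 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ca
  ef.issuer_certificate = ca
  ca.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  ca.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  ca.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
  ca.sign(ca_key, digest)

  leaf_key = OpenSSL::PKey::RSA.generate(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse("/CN=#{host}")
  leaf.issuer = ca.subject                    # issued by the corporate root
  leaf.public_key = leaf_key.public_key
  leaf.not_before = now - 60
  leaf.not_after = now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = leaf
  ef.issuer_certificate = ca
  leaf.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  leaf.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyEncipherment", true))
  leaf.add_extension(ef.create_extension("subjectAltName", "DNS:#{host}", false))
  leaf.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always", false))
  leaf.sign(ca_key, digest)

  { ca: ca, leaf: leaf }
end

# Map an OpenSSL X509_V_ERR_* code to its symbolic name (V_OK for 0).
def error_name(code)
  OpenSSL::X509.constants.grep(/\AV_/).find { |c| OpenSSL::X509.const_get(c) == code }
end

# Run OpenSSL chain verification the way a TLS client does: `store` is the client's
# trust store, `chain` the extra certificates the server sent alongside the leaf.
# Returns [ok, error_code, error_string].
def verify_chain(store, leaf, chain)
  ok = store.verify(leaf, chain)
  ok ? [true, 0, "ok"] : [false, store.error, store.error_string]
end

def demo
  pki = build_corp_pki
  empty_store = OpenSSL::X509::Store.new      # client trusts nothing at all

  # 1. Firewall sends its self-signed root together with the leaf:
  #    error 19, V_ERR_SELF_SIGNED_CERT_IN_CHAIN (Node: SELF_SIGNED_CERT_IN_CHAIN).
  with_root = verify_chain(empty_store, pki[:leaf], [pki[:ca]])

  # 2. Only the leaf is sent: error 20, "unable to get local issuer certificate".
  without_root = verify_chain(empty_store, pki[:leaf], [])

  # 3. The fix: load the corporate root from a PEM file, exactly what a cafile
  #    setting does, and the same chain now verifies.
  trusted_store = OpenSSL::X509::Store.new
  Tempfile.create(["corp-root", ".pem"]) do |f|
    f.write(pki[:ca].to_pem)
    f.flush
    trusted_store.add_file(f.path)
  end
  fixed = verify_chain(trusted_store, pki[:leaf], [pki[:ca]])

  { with_root: with_root, without_root: without_root, fixed: fixed }
end

if __FILE__ == $0
  demo.each do |name, (ok, code, msg)|
    puts "#{name}: ok=#{ok} code=#{code} (#{error_name(code)}) #{msg}"
  end
end
```

Case 1 is the situation described above: the self-signed root is present in the chain the client receives but absent from its trust store, and that combination is what produces the “self signed certificate in certificate chain” error rather than a generic unknown-issuer failure (case 2). Case 3 shows that nothing about the chain has to change; only the client's trust store does.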

After understanding the idea behind the Self-signed Certificate in Chain issue, let's go through some settings.

On npm

In the Node Package Manager (npm) you have two options: bypass verification or point npm at a certificate file.

Bypassing (risky!)

npm config set strict-ssl false --global

Setting a certificate file

npm config set cafile /path/to/your/cert.pem --global

The file must be PEM-encoded. npm then uses the CAs in that file instead of its built-in list, which is fine when every connection goes through the firewall anyway.

On Node.js

Sometimes we have problems when installing Node.js-based applications. Even after setting a certificate file in npm, some installation packages (post-install scripts that download binaries, for example) use Node's https module directly and don't read npm settings. You may get an error like this: at bootstrapNodeJSCore ... code: 'SELF_SIGNED_CERT_IN_CHAIN'

So you can set an environment variable before running your Node.js-based script. The set syntax below is for the Windows command prompt; on Linux and macOS use export instead:

Bypassing (risky!)

set NODE_TLS_REJECT_UNAUTHORIZED=0

Setting a certificate file

set NODE_EXTRA_CA_CERTS=/path/to/your/cert.pem

NODE_EXTRA_CA_CERTS is read once, when the Node.js process starts, so it has to be present in the environment before node is launched (setting it from inside the script has no effect). As the name says, it adds your root to Node's bundled list rather than replacing it.

On Git

If you have a problem with Git like SSL certificate problem: self signed certificate in certificate chain, you may try one of the following (without --global these settings apply only to the current repository):

Bypassing (risky!)

git config http.sslVerify false

Setting a certificate file

git config http.sslCAinfo /your/path/to/cacert-client.pem

Note that http.sslCAinfo replaces Git's default CA bundle rather than adding to it, so the file should contain the public roots as well as your company root if you also clone from hosts outside the firewall. On Git for Windows there is a third option: set http.sslBackend to schannel and Git will use the Windows certificate store directly.

On pip / PyPI

pip is the Python package installer and PyPI is the package index it downloads from. If you get this error when trying to install a package, [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed, you can try passing some parameters to pip install:

Bypassing (risky!)

pip install <package_name> --trusted-host pypi.python.org

--trusted-host makes pip skip certificate verification for that host only. The index now lives at pypi.org and serves files from files.pythonhosted.org, so both hosts have to be listed for this to work today.

Setting a certificate file

pip install --cert /path/to/your/cert.pem <package_name>

The --cert file overrides pip's bundled CA list, so include the public roots too if you install from anywhere outside the firewall. To make the setting permanent, store it in pip's configuration (pip config set global.cert /path/to/your/cert.pem) or set the PIP_CERT environment variable.
