Openssl : error “self signed certificate in certificate chain”

主宰稳场 提交于 2021-02-07 04:45:52

问题


When I used openssl APIs to validate server certificate (self signed), I got following error :

error 19 at 1 depth lookup:self signed certificate in certificate chain

As per openssl documentation, this error (19) is

"X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain - the certificate chain could be built up using the untrusted certificates but the root could not be found locally."

Why this error occurs ? Any problems with my server certificate ?


回答1:


You have a certificate which is self-signed, so it's non-trusted by default, that's why OpenSSL complains. This warning is actually a good thing, because this scenario might also rise due to a man-in-the-middle attack.

To solve this, you'll need to install it as a trusted server. If it's signed by a non-trusted CA, you'll have to install that CA's certificate as well.

Have a look at this link about installing self-signed certificates.




回答2:


Here is one-liner to verify certificate chain:

openssl verify -verbose -x509_strict -CAfile ca.pem cert_chain.pem

This doesn't require to install CA anywhere.

See How does an SSL certificate chain bundle work? for details.




回答3:


If you're running Charles and trying to build a docker container then you'll most likely get this error.

Make sure to disable Charles (macos) proxy under proxy -> macOS proxy

Charles is an

HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

So anything similar may cause the same issue.




回答4:


The solution for the error is to add this line at the top of the code:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";


来源:https://stackoverflow.com/questions/12180552/openssl-error-self-signed-certificate-in-certificate-chain

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!