Openssl : error "self signed certificate in certificate chain"

openssl error messages
openssl error codes
openssl error string
openssl error string example
openssl error php
openssl error queue
openssl get error
openssl ssl_get_error string

When I used openssl APIs to validate server certificate (self signed), I got following error :

error 19 at 1 depth lookup:self signed certificate in certificate chain

As per openssl documentation, this error (19) is

"X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain - the certificate chain could be built up using the untrusted certificates but the root could not be found locally."

Why this error occurs ? Any problems with my server certificate ?

You have a certificate which is self-signed, so it's non-trusted by default, that's why OpenSSL complains. This warning is actually a good thing, because this scenario might also rise due to a man-in-the-middle attack.

To solve this, you'll need to install it as a trusted server. If it's signed by a non-trusted CA, you'll have to install that CA's certificate as well.

Have a look at this link about installing self-signed certificates.

OpenSSL/Error handling, The failure result is often 0, but some functions like ssl_connect() may also return -1 on errors, so it is safest to compare against 1 for success, rather than against 0 � This error occurs when the peer responds with something that doesn't look like TLS. Are you able to capture a wireshark trace of the failing connection?

Here is one-liner to verify certificate chain:

openssl verify -verbose -x509_strict -CAfile ca.pem cert_chain.pem

This doesn't require to install CA anywhere.

See How does an SSL certificate chain bundle work? for details.

/docs/man1.1.0/man3/ERR_get_error.html, ERR_get_error() returns the earliest error code from the thread's error queue and removes the entry. This function can be called repeatedly until there are no� ERR_get_error () returns the earliest error code from the thread's error queue and removes the entry. This function can be called repeatedly until there are no more error codes to return. So the latter is for more general use and those shouldn't be used together, because:

The solution for the error is to add this line at the top of the code:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

/docs/man1.0.2/man3/err.html, When a call to the OpenSSL library fails, this is usually signalled by the return value, and an error code is stored in an error queue associated with the current thread. The err library provides functions to obtain these error codes and textual error messages. OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. For more information about the team and community around the project, or to start making your own contributions, start with the community page.

If you're running Charles and trying to build a docker container then you'll most likely get this error.

Make sure to disable Charles (macos) proxy under proxy -> macOS proxy

Charles is an

HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

So anything similar may cause the same issue.

Interpreting OpenSSL Error Messages, Here is a typical OpenSSL error message that is caused by failing to set the SSLDIR environment variable to a directory containing openssl. cnf: C:\Program Files\Micro Focus\DemoCA>openssl ca -revoke srvsert3. p12 Using configuration from /usr/local/ssl/openssl. If I build OpenSSL for Windows dynamically, it compiles fine in a project: perl Configure VC-WIN32 --prefix=C:\OpenSSL-shared --openssldir=C:\OpenSSL-shared nmake nmake install However, if I build OpenSSL statically, I get a number of unresolved symbol errors when compiling:

Troubleshooting Certificate Problems, openssl s_client -showcerts -connect <myserver>:<ssl_port> Error 19 status is expected, because the CA root certificate in all certificate chains is self-signed. DESCRIPTION ERR_print_errors () is a convenience function that prints the error strings for all errors that OpenSSL has recorded to bp, thus emptying the error queue. ERR_print_errors_fp () is the same, except that the output goes to a FILE.

OpenSSL error reason and function codes � GitHub, OpenSSL error reason and function codes. 1_0_1-openssl-err.rs. // Generated by https://gist.github.com/64/8ac13019f4faa491018aab6b5c265141. extern crate� NAME. X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information

How to troubleshoot SSL connections with openssl, OpenSSL is an open-source implementation of the SSL and TLS protocols. verify error:num=18:self signed certificate verify return:1� The error message indicates the connection failed because OpenSSL was unable to verify the server certificate. If you are seeing an error when you create a new Rails application, it is likely that you need to update OpenSSL certificate files on your computer.

Comments
  • i would consider this a work around or an option for testing. it should not be persistant because it undermines the available security.
  • This seems to be specific to Node.js, if I'm not mistaken.