I worked for a company that has a hard Information Security policy. Since it?s a big company, it has a strong firewall that covers all layers at the network. Thus, each package that comes from the internet is intercepted and opened by that firewall.
Broadly, whenever a packet goes under an SSL/TSL connection, the firewall needs to ?open? it to check the content and ?close? again attaching a new certificate to not break the protocol. Just to clarify, when you make an HTTPS request, you are using an SSL/TSL connection actually.
However, this is a certificate that is provided by our own company. When this package arrives in our machine, it comes with our own self-signed certificate. If you click on the lock icon near the URL address bar, you can see the certificate information.
Browser icon https status
Because of that, our company should provide this certificate on the operational system store, so that, the applications will know that our self-signed certificate can be trusted. Each operating system provides a way to manage the certificates and Certificate Authorities (CAs). Hence, the browser provides its own trusted list of CAs, but it should go to the operating system to check other certificates.
Windows, for example, has its own certificate manager. At Linux-based systems, you put your certificate files (.pem, .cer?) at a specific folder like: /etc/ssl/certs
Windows Certificate Manager. For more information about the Windows Certificate Manager: https://docs.microsoft.com/en-us/windows/desktop/seccrypto/managing-certificates-with-certificate-stores
The issue begins when applications and dev tools need to access this certificate store. Some applications are ready to do it automatically. Others, just don?t provide that feature. So, what to do? You should set up your application to see your self-signed certificates. Each application or dev tool provides a way to make that.
Sometimes you don?t want to set up your application to see your certificate and you just want to bypass SSL verification. Just to exemplify this verification, you have probably had an opportunity to see SSL connection error screen on Chome. It gives you a chance to bypass if you click on the ?Advanced? button and assume the risks.
SSL connection error screen on Google Chrome
So what are the risks with bypassing? The reason is that the packages come with a certificate and you should ensure that this certificate is valid so that you prevent the ?man-in-the-middle? attack. It means that the certificate attached to the package is a way to be sure that the package was not modified from the origin to the destination (your machine). A package can go through a bunch of network nodes before it arrives in your machine. You may have hackers trying to inject malicious code into your package.
The certificate that comes with the package must be verified with a CA. The Certificate Manager from your machine should have a list of CAs that can be trusted. Nevertheless, when you have a self-signed certificate, the certificate is emitted by your company or your own. Thus you have to make the application believes that this self-signed is trusted as you load it in your operating system?s certificate manager or in the application API. If you don?t make it, you will probably get a Self-signed Certificate in Chain issue.
After understanding the idea behind Self-signed Certificates in Chain issue, let?s go through some setting.
On npm
On Node Package Manager you have two options: bypass or set a certificate file.
Bypassing (risky!)
npm config set strict-ssl false –global
Setting a certificate file
npm config set cafile /path/to/your/cert.pem –global
On Node.js
Sometimes, we have some problems when installing Node.js-based applications. Even setting a certificate file in npm, some installation packages rely on https libraries that don?t read npm settings. You may get an error like this: at bootstrapNodeJSCore … code: ‘SELF_SIGNED_CERT_IN_CHAIN’
So you can try to set a specific environment variable before running your Node.js-based script:
Bypassing (risky!)
set NODE_TLS_REJECT_UNAUTHORIZED=0
Setting a certificate file
set NODE_EXTRA_CA_CERTS=/path/to/your/cert.pem
On Git
If you have a problem with Git like SSL certificate problem: self signed certificate in certificate chain you may try:
Bypassing (risky!)
git config http.sslVerify false
Setting a certificate file
git config http.sslCAinfo /your/path/to/cacert-client.pem
On PyPi
PyPi is the Python package manager. If you get this error when trying to install a package,[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed, you can try setting some parameters withpip install:
Bypassing (risky!)
pip install <package_name> –trusted-host pypi.python.org
Setting a certificate file
pip install –cert /path/to/your/cert.pem
Some References and Useful Links:
