Sign Up ›

Browse by Topic
ShowAll Questionssorted byDate Posted
+ Start a Discussion
Prakash Rai 7Prakash Rai 7 

SELF_SIGNED_CERT_IN_CHAIN

Hi,
I get this error for 'sfdx force:org:list` or for any 'sfdx` command. I re-installed node, npm and sfdx cli without luck. My workaround is `export NODE_TLS_REJECT_UNAUTHORIZED=0` that is not ideal. Any suggestion?

Also `npm config ls -l` lists `cafile = "/etc/ssl/certs/xxxxxCA.pem` that does exist. 

Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:932:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12) {
  code: 'SELF_SIGNED_CERT_IN_CHAIN'
}
VinayVinay (Salesforce Developers) 
Check below references that can give more details of above error.

https://medium.com/@jonatascastro12/understanding-self-signed-certificate-in-chain-issues-on-node-js-npm-git-and-other-applications-ad88547e7028
https://stackoverflow.com/questions/45088006/nodejs-error-self-signed-certificate-in-certificate-chain

Thanks,
Prakash Rai 7Prakash Rai 7
It happes to be the Netskope Client that was messing up the sfdx communication. I got it working fine now.
Pradeep Kalyan LankePradeep Kalyan Lanke
@prakash would you mind sharing the steps you followed with Netskope installed? Thx 
Prakash Rai 7Prakash Rai 7
@pradeep, Netskope is installed by my company's security team that was blocking sfdx to work properly now it has been resolved. Sorry I do not know the details on Netskope settings.
Bro TatoBro Tato
In my case, a company firewall was using a self-signed certificate, which is why Node (a dependency of sfdx) rejected the connection.
 
Cause
The problem was that the company firewall's certificate is self-signed (rather than being issued by a certificate authority). This can be observed by using openssl. Run the command 
openssl s_client -showcerts -connect salesforce.com:443
in the terminal that threw the self-signed error. The output of the openssl command shows the chain of certificates used by the connection request. Notice the "firewall_root" certificate has matching subject and issuer lines.
 
Connections with a self-signed certificate in the certificate chain are rejected by sfdx, because sfdx uses Node.js, and Node distrusts self-signed certificates by default, for security.
 
Resolution
1. Save the self-signed company firewall certificate to your computer by copying the certificate text from the openssl command output (including the "----- START/END CERTIFICATE -----" delimiters; copy the company firewall certificate only) to a new text file, and change the extension to ".pem" (dismiss the warning about changing file extensions).
2. Tell Node (and thereby sfdx) to trust the self-signed certificate. This can be done by setting the NODE_EXTRA_CA_CERTS environment variable with the command 
$Env:NODE_EXTRA_CA_CERTS = "C:\\path\\to\\newFirewallCert.pem"
where the path is to your cert file.
3. You can now use sfdx again
 
Steve Cox 18Steve Cox 18
Just to add some extra details. We have the same issue using a netskope security client. However, the above fix did not work. The solution was to create a combined cert bundle and use that. There are details on creating the bundle here:
https://docs.netskope.com/en/configuring-cli-based-tools-and-development-frameworks-to-work-with-netskope-ssl-interception.html

However, I found the mac script buggy. I used (zsh): 
% security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain/Library/Keychains/System.keychain > /tmp/nscacert_combined.pem

% sudo cp /tmp/nscacert_combined.pem /Library/Application\ Support/Netskope/STAgent/download/
Note the first shell command line above is wrapping.

And then added the env variable:
  
export NODE_EXTRA_CA_CERTS='/Library/Application Support/Netskope/STAgent/download/nscacert_combined.pem'