相关文章推荐
坏坏的饭盒  ·  MATLAB一维数组求转置,反序输出-CSDN博客·  2 年前    · 
豪气的双杠  ·  Disabling ARR’s ...·  2 年前    · 
英姿勃勃的地瓜  ·  django初始化配置及创建数据库表-天翼云·  2 年前    · 
率性的红酒  ·  Python logging 模块之 ...·  2 年前    · 
强悍的毛豆  ·  authentication - ...·  2 年前    · 
Code  ›  SELF_SIGNED_CERT_IN_CHAIN - Salesforce Developer Community
https://developer.salesforce.com/forums/?id=9062I000000DHFqQAO
打酱油的帽子
3 年前
Sign Up ›

Welcome to Support!

Search for an answer or ask a question of the zone or Customer Support.

Need help? Dismiss Show All Questions sorted by Date Posted

Show

sorted by

Prakash Rai 7 Prakash Rai 7

SELF_SIGNED_CERT_IN_CHAIN

Hi,
I get this error for 'sfdx force:org:list` or for any 'sfdx` command. I re-installed node, npm and sfdx cli without luck. My workaround is `export NODE_TLS_REJECT_UNAUTHORIZED=0` that is not ideal. Any suggestion?

Also `npm config ls -l` lists `cafile = "/etc/ssl/certs/xxxxxCA.pem` that does exist.

Error: self signed certificate in certificate chain
at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
at TLSSocket.emit (events.js:315:20)
at TLSSocket._finishInit (_tls_wrap.js:932:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12) {
code: 'SELF_SIGNED_CERT_IN_CHAIN'
}
Vinay Vinay (Salesforce Developers)
Check below references that can give more details of above error.

https://medium.com/@jonatascastro12/understanding-self-signed-certificate-in-chain-issues-on-node-js-npm-git-and-other-applications-ad88547e7028
https://stackoverflow.com/questions/45088006/nodejs-error-self-signed-certificate-in-certificate-chain

Thanks,
Prakash Rai 7 Prakash Rai 7
It happes to be the Netskope Client that was messing up the sfdx communication. I got it working fine now.
Pradeep Kalyan Lanke Pradeep Kalyan Lanke
@prakash would you mind sharing the steps you followed with Netskope installed? Thx
Prakash Rai 7 Prakash Rai 7
@pradeep, Netskope is installed by my company's security team that was blocking sfdx to work properly now it has been resolved. Sorry I do not know the details on Netskope settings.
Bro Tato Bro Tato
In my case, a company firewall was using a self-signed certificate, which is why Node (a dependency of sfdx) rejected the connection.

Cause
The problem was that the company firewall's certificate is self-signed (rather than being issued by a certificate authority). This can be observed by using openssl. Run the command openssl s_client -showcerts -connect salesforce.com:443 in the terminal that threw the self-signed error. The output of the openssl command shows the chain of certificates used by the connection request. Notice the "firewall_root" certificate has matching subject and issuer lines.

Connections with a self-signed certificate in the certificate chain are rejected by sfdx, because sfdx uses Node.js, and Node distrusts self-signed certificates by default, for security.

Resolution
1. Save the self-signed company firewall certificate to your computer by copying the certificate text from the openssl command output (including the "----- START/END CERTIFICATE -----" delimiters; copy the company firewall certificate only) to a new text file, and change the extension to ".pem" (dismiss the warning about changing file extensions).
2. Tell Node (and thereby sfdx) to trust the self-signed certificate. This can be done by setting the NODE_EXTRA_CA_CERTS environment variable with the command $Env:NODE_EXTRA_CA_CERTS = "C:\\path\\to\\newFirewallCert.pem" where the path is to your cert file.
3. You can now use sfdx again
Steve Cox 18 Steve Cox 18
Just to add some extra details. We have the same issue using a netskope security client. However, the above fix did not work. The solution was to create a combined cert bundle and use that. There are details on creating the bundle here:
https://docs.netskope.com/en/configuring-cli-based-tools-and-development-frameworks-to-work-with-netskope-ssl-interception.html

However, I found the mac script buggy. I used (zsh): % security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain/Library/Keychains/System.keychain > /tmp/nscacert_combined.pem % sudo cp /tmp/nscacert_combined.pem /Library/Application\ Support/Netskope/STAgent/download/ Note the first shell command line above is wrapping.

And then added the env variable:
export NODE_EXTRA_CA_CERTS='/Library/Application Support/Netskope/STAgent/download/nscacert_combined.pem'


 
推荐文章
坏坏的饭盒  ·  MATLAB一维数组求转置,反序输出-CSDN博客
2 年前
豪气的双杠  ·  Disabling ARR’s Instance Affinity in Windows Azure Web Sites | Azure Blog | Microsoft Azure
2 年前
英姿勃勃的地瓜  ·  django初始化配置及创建数据库表-天翼云
2 年前
率性的红酒  ·  Python logging 模块之 logging.basicConfig 用法和参数详解_logging.basicconfig()_Sir静堂的博客-CSDN博客
2 年前
强悍的毛豆  ·  authentication - docker login - error storing credentials - write permissions error - Stack Overflow
2 年前
今天看啥   ·   Py中国   ·   codingpro   ·   小百科   ·   link之家   ·   卧龙AI搜索
删除内容请联系邮箱 2879853325@qq.com
Code - 代码工具平台
© 2024 ~ 沪ICP备11025650号