How to Fix OpenSSL Error: Self Signed Certificate in Certificate Chain on Linux

By squashlabs, Last Updated: October 16, 2023

If you encounter the “Self Signed Certificate in Certificate Chain” error when working with OpenSSL on Linux, there are several steps you can take to resolve the issue. OpenSSL reports this error when the certificate chain presented by the peer ends in a self-signed (root) certificate that is not among the certificate authorities your system trusts, as happens with a private or self-signed CA. Below are two possible solutions to fix this error.

Solution 1: Add the Root Certificate to the Trusted Certificate Authorities

One way to resolve the “Self Signed Certificate in Certificate Chain” error is to add the root certificate to the trusted certificate authorities on your Linux system. Follow these steps:

1. Locate the root certificate file (.crt or .pem) that corresponds to the self-signed certificate you are using.
2. Copy the root certificate file to the appropriate directory where your Linux system stores trusted certificates. This directory is typically /etc/ssl/certs/.
3. Update the trusted certificates index by running the following command:

sudo update-ca-certificates

4. Restart any services or applications that use OpenSSL to ensure they recognize the updated trusted certificates.
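The script below is an added example, not part of the original article. It reproduces the error offline and shows that naming the root as a trust anchor clears it while verification stays enabled. All subjects and file names are constructed, and -untrusted stands in for a server that sends its self-signed root in the handshake.

```shell
#!/bin/sh
# Constructed lab: all subjects, names and files below are made up for this demo.

# Build a throwaway self-signed root and a leaf certificate signed by it.
make_lab() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Lab Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=lab.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -days 1 \
    -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/leaf.crt" 2>/dev/null
}

# Run `openssl verify` with the given arguments; print "OK" or the first "error N".
verdict() {
  if out=$(openssl verify "$@" 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" | grep -o 'error [0-9][0-9]*' | head -n 1
  fi
}

lab=$(mktemp -d) && make_lab "$lab" || exit 1

# -untrusted models a peer that sends its root in the handshake: the chain is
# complete, but it ends in a self-signed certificate that is not a trust anchor.
echo "root not trusted: $(verdict -untrusted "$lab/root.crt" "$lab/leaf.crt")"

# Same chain with the root named as a trust anchor; verification stays enabled.
echo "root trusted:     $(verdict -CAfile "$lab/root.crt" "$lab/leaf.crt")"

# Fingerprint to compare out of band before installing the root system-wide.
openssl x509 -in "$lab/root.crt" -noout -fingerprint -sha256
rm -rf "$lab"
```

Error 19 is the numeric code behind the “self signed certificate in certificate chain” message; the wording differs slightly between OpenSSL releases, so the script matches on the number.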

Solution 2: Disable Certificate Verification in OpenSSL

If you are in a development or testing environment and do not require strict certificate verification, you can disable certificate verification in OpenSSL. Note that disabling certificate verification may expose your system to security risks, so use this solution with caution and only in non-production environments. Follow these steps:

1. Open the OpenSSL configuration file (openssl.cnf) in a text editor. The location of this file may vary depending on your Linux distribution, but it is commonly found in /etc/ssl/ or /etc/pki/.
2. Locate the [system_default_sect] section in the configuration file.
3. Add or modify the following line to disable certificate verification:

verify = none

4. Save the configuration file and exit the text editor.
5. Retry the operation that was producing the “Self Signed Certificate in Certificate Chain” error. OpenSSL will now skip certificate verification.

Best Practices

When working with self-signed certificates, it is important to keep the following best practices in mind:

– Self-signed certificates should only be used in development or testing environments. In production environments, it is recommended to use certificates signed by a trusted certificate authority (CA).
– If you are using self-signed certificates for testing purposes, ensure that you properly secure your test environment to mitigate potential security risks.
– Regularly check the validity of your self-signed certificates and regenerate them as needed. Self-signed certificates typically have shorter expiration periods compared to certificates signed by CAs.
– When sharing self-signed certificates with others, ensure that they securely obtain and verify the certificate’s fingerprint or other identifying information to prevent potential man-in-the-middle attacks.

Example OpenSSL Command

Here is an example of an OpenSSL command that establishes an SSL/TLS connection and presents a self-signed certificate and key as the client's credentials:

openssl s_client -connect example.com:443 -cert path/to/certificate.crt -key path/to/private.key

In this command:

– example.com:443 represents the hostname and port to connect to.
– path/to/certificate.crt is the path to the self-signed certificate file.
– path/to/private.key is the path to the private key corresponding to the certificate.
