添加链接 注册    登录
link之家
链接快照平台
  • 输入网页链接,自动生成快照
  • 标签化管理网页链接
相关文章推荐
任性的香瓜  ·  iOS ...·  3 周前    · 
小眼睛的西装  ·  数据库引擎事件和错误(7000 到 ...·  11 月前    · 
有腹肌的萝卜  ·  AI多模态模型架构之输入投影器:LP、MLP ...·  1 年前    · 
冷静的乌冬面  ·  接口测试小技巧:快速生成 python ...·  1 年前    · 
从容的青蛙  ·  fread函数详解 - 掘金·  1 年前    · 
link之家  ›  SELF_SIGNED_CERT_IN_CHAIN - Salesforce Developer Community
https://developer.salesforce.com/forums/?id=9062I000000DHFqQAO
打酱油的帽子
2 年前
Sign Up ›

Welcome to Support!

Search for an answer or ask a question of the zone or Customer Support.

Need help? Dismiss Show All Questions sorted by Date Posted

Show

sorted by

Prakash Rai 7 Prakash Rai 7

SELF_SIGNED_CERT_IN_CHAIN

Hi,
I get this error for 'sfdx force:org:list` or for any 'sfdx` command. I re-installed node, npm and sfdx cli without luck. My workaround is `export NODE_TLS_REJECT_UNAUTHORIZED=0` that is not ideal. Any suggestion?

Also `npm config ls -l` lists `cafile = "/etc/ssl/certs/xxxxxCA.pem` that does exist.

Error: self signed certificate in certificate chain
at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
at TLSSocket.emit (events.js:315:20)
at TLSSocket._finishInit (_tls_wrap.js:932:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12) {
code: 'SELF_SIGNED_CERT_IN_CHAIN'
}
Vinay Vinay (Salesforce Developers)
Check below references that can give more details of above error.

https://medium.com/@jonatascastro12/understanding-self-signed-certificate-in-chain-issues-on-node-js-npm-git-and-other-applications-ad88547e7028
https://stackoverflow.com/questions/45088006/nodejs-error-self-signed-certificate-in-certificate-chain

Thanks,
Prakash Rai 7 Prakash Rai 7
It happes to be the Netskope Client that was messing up the sfdx communication. I got it working fine now.
Pradeep Kalyan Lanke Pradeep Kalyan Lanke
@prakash would you mind sharing the steps you followed with Netskope installed? Thx
Prakash Rai 7 Prakash Rai 7
@pradeep, Netskope is installed by my company's security team that was blocking sfdx to work properly now it has been resolved. Sorry I do not know the details on Netskope settings.
Bro Tato Bro Tato
In my case, a company firewall was using a self-signed certificate, which is why Node (a dependency of sfdx) rejected the connection.

Cause
The problem was that the company firewall's certificate is self-signed (rather than being issued by a certificate authority). This can be observed by using openssl. Run the command openssl s_client -showcerts -connect salesforce.com:443 in the terminal that threw the self-signed error. The output of the openssl command shows the chain of certificates used by the connection request. Notice the "firewall_root" certificate has matching subject and issuer lines.

Connections with a self-signed certificate in the certificate chain are rejected by sfdx, because sfdx uses Node.js, and Node distrusts self-signed certificates by default, for security.

Resolution
1. Save the self-signed company firewall certificate to your computer by copying the certificate text from the openssl command output (including the "----- START/END CERTIFICATE -----" delimiters; copy the company firewall certificate only) to a new text file, and change the extension to ".pem" (dismiss the warning about changing file extensions).
2. Tell Node (and thereby sfdx) to trust the self-signed certificate. This can be done by setting the NODE_EXTRA_CA_CERTS environment variable with the command $Env:NODE_EXTRA_CA_CERTS = "C:\\path\\to\\newFirewallCert.pem" where the path is to your cert file.
3. You can now use sfdx again
Steve Cox 18 Steve Cox 18
Just to add some extra details. We have the same issue using a netskope security client. However, the above fix did not work. The solution was to create a combined cert bundle and use that. There are details on creating the bundle here:
https://docs.netskope.com/en/configuring-cli-based-tools-and-development-frameworks-to-work-with-netskope-ssl-interception.html

However, I found the mac script buggy. I used (zsh): % security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain/Library/Keychains/System.keychain > /tmp/nscacert_combined.pem % sudo cp /tmp/nscacert_combined.pem /Library/Application\ Support/Netskope/STAgent/download/ Note the first shell command line above is wrapping.

And then added the env variable:
export NODE_EXTRA_CA_CERTS='/Library/Application Support/Netskope/STAgent/download/nscacert_combined.pem'


 
推荐文章
任性的香瓜  ·  iOS UIView控件的常用属性和方法的总结 - 懒懒初阳 - 博客园
3 周前
小眼睛的西装  ·  数据库引擎事件和错误(7000 到 7999) - SQL Server | Microsoft Learn
11 月前
有腹肌的萝卜  ·  AI多模态模型架构之输入投影器:LP、MLP和Cross-Attention_ai 多模态输入-CSDN博客
1 年前
冷静的乌冬面  ·  接口测试小技巧:快速生成 python requests代码 - 知乎
1 年前
从容的青蛙  ·  fread函数详解 - 掘金
1 年前
今天看啥   ·   Py中国   ·   codingpro   ·   小百科   ·   link之家   ·   卧龙AI搜索
删除内容请联系邮箱 2879853325@qq.com
link之家 - 链接快照平台
© 2024 ~ 沪ICP备11025650号