Prakash Rai 7

SELF_SIGNED_CERT_IN_CHAIN

Hi,
I get this error for `sfdx force:org:list` or for any `sfdx` command. I re-installed node, npm and sfdx cli without luck. My workaround is `export NODE_TLS_REJECT_UNAUTHORIZED=0`, which is not ideal. Any suggestion?

Also `npm config ls -l` lists `cafile = "/etc/ssl/certs/xxxxxCA.pem"`, which does exist.

Error: self signed certificate in certificate chain
at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
at TLSSocket.emit (events.js:315:20)
at TLSSocket._finishInit (_tls_wrap.js:932:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12) {
code: 'SELF_SIGNED_CERT_IN_CHAIN'
}
Vinay (Salesforce Developers)
Check the references below, which give more details about the above error.

https://medium.com/@jonatascastro12/understanding-self-signed-certificate-in-chain-issues-on-node-js-npm-git-and-other-applications-ad88547e7028
https://stackoverflow.com/questions/45088006/nodejs-error-self-signed-certificate-in-certificate-chain

Thanks,
Prakash Rai 7
It happens to be the Netskope Client that was messing up the sfdx communication. I got it working fine now.
Pradeep Kalyan Lanke
@prakash would you mind sharing the steps you followed with Netskope installed? Thx
Prakash Rai 7
@pradeep, Netskope is installed by my company's security team; it was blocking sfdx from working properly, and it has now been resolved. Sorry, I do not know the details of the Netskope settings.
Bro Tato
In my case, a company firewall was using a self-signed certificate, which is why Node (a dependency of sfdx) rejected the connection.

Cause
The problem was that the company firewall's certificate is self-signed (rather than being issued by a certificate authority). This can be observed by using openssl. Run the command openssl s_client -showcerts -connect salesforce.com:443 in the terminal that threw the self-signed error. The output of the openssl command shows the chain of certificates used by the connection request. Notice the "firewall_root" certificate has matching subject and issuer lines.

Connections with a self-signed certificate in the certificate chain are rejected by sfdx, because sfdx uses Node.js, and Node distrusts self-signed certificates by default, for security.

Resolution
1. Save the self-signed company firewall certificate to your computer by copying the certificate text from the openssl command output (including the "----- START/END CERTIFICATE -----" delimiters; copy the company firewall certificate only) to a new text file, and change the extension to ".pem" (dismiss the warning about changing file extensions).
2. Tell Node (and thereby sfdx) to trust the self-signed certificate. This can be done by setting the NODE_EXTRA_CA_CERTS environment variable with the command $Env:NODE_EXTRA_CA_CERTS = "C:\\path\\to\\newFirewallCert.pem" where the path is to your cert file.
3. You can now use sfdx again.
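Step 1 above done as a script, as an added example that is not code from this thread: it splits a captured chain (for instance the output of `openssl s_client -showcerts`), keeps only the certificates whose subject equals their issuer, and writes them to a PEM file that NODE_EXTRA_CA_CERTS can point at. The `make_sample_chain` helper and its `firewall_root`/`example.test` names are constructed test data, and the script assumes `openssl`, `awk` and `mktemp` are available.

```shell
#!/bin/sh
# Added example, not code from this thread. Given a PEM chain such as the output
# of `openssl s_client -showcerts`, keep only certificates whose subject equals
# their issuer (self-signed, like the "firewall_root" cert above) and write them
# to a file that NODE_EXTRA_CA_CERTS can point at. Assumes openssl, awk, mktemp.
set -e

# extract_self_signed <chain.pem> <out.pem>: writes the self-signed certs to
# <out.pem> and prints how many were kept.
extract_self_signed() {
    chain="$1"; out="$2"; kept=0
    tmp=$(mktemp -d); : > "$out"
    # Split the chain into one file per certificate, ignoring s_client chatter
    # that appears before the first BEGIN line or after an END line.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem"; p = 1 }
        p { print > f } /-----END CERTIFICATE-----/ { p = 0; close(f) }' "$chain"
    for c in "$tmp"/cert*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject)
        iss=$(openssl x509 -in "$c" -noout -issuer)
        # Drop the "subject="/"issuer=" prefixes; a match means self-signed.
        if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
            openssl x509 -in "$c" >> "$out"   # re-emit as clean PEM
            kept=$((kept + 1))
        fi
    done
    rm -rf "$tmp"
    echo "$kept"
}

# make_sample_chain <dir>: constructed test data standing in for a real capture.
# A self-signed "firewall_root" signs a leaf, as an intercepting proxy would.
make_sample_chain() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=firewall_root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
    # Same order as s_client -showcerts prints: leaf first, root last.
    cat "$dir/leaf.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# Usage: sh extract_ca.sh chain.pem extra-ca.pem, then
#   export NODE_EXTRA_CA_CERTS="$PWD/extra-ca.pem"
if [ "$#" -eq 2 ]; then
    extract_self_signed "$1" "$2"
fi
```

Only the self-signed root lands in the output file, so the leaf (and any intermediates) are not turned into trust anchors.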
Steve Cox 18
Just to add some extra details. We have the same issue using a Netskope security client. However, the above fix did not work. The solution was to create a combined cert bundle and use that. There are details on creating the bundle here:
https://docs.netskope.com/en/configuring-cli-based-tools-and-development-frameworks-to-work-with-netskope-ssl-interception.html

However, I found the Mac script buggy. I used (zsh):
% security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain /Library/Keychains/System.keychain > /tmp/nscacert_combined.pem
% sudo cp /tmp/nscacert_combined.pem /Library/Application\ Support/Netskope/STAgent/download/
Note the first shell command line above is wrapping.

And then added the env variable:
export NODE_EXTRA_CA_CERTS='/Library/Application Support/Netskope/STAgent/download/nscacert_combined.pem'