SSL/TLS / SSL/TLS

SSL self signed certificate in certificate chain

Fix self signed certificate in certificate chain errors in Node.js, npm, Git, and corporate networks.

Partial source Last updated May 10, 2026 1 source Needs local verification

Category: SSL/TLS
Error signature: self signed certificate in certificate chain
Quick fix: Install the trusted root certificate and configure the affected tool to use the correct CA bundle.
Updated: May 10, 2026
Verification status: Partial source
Evidence: 1 public source URL

Before you change production

This page includes public URLs, but the Markdown record does not consistently mark them under Sources checked. Treat the links as supporting context rather than complete verification.

Reproduce the smallest failing action and save non-secret logs before changing configuration.
Check versions for SSL/TLS, related SDKs, package managers, CI runners, and hosting providers.
Change one setting or dependency at a time, then rerun the same failing command or request.
Avoid destructive commands, credential rotation, billing changes, or security relaxations without a rollback plan.

What this error means

self signed certificate in certificate chain means name resolution, origin connectivity, or TLS certificate validation failed before the application request could complete.

Why this happens

DNS and TLS failures often happen outside the application: resolver cache, authoritative records, proxy mode, origin firewall, or CA trust.

For SSL self signed certificate in certificate chain, separate DNS, CDN/proxy, origin, and certificate checks instead of changing app code first.

Common causes

Corporate proxy intercepts HTTPS traffic
Private registry uses an internal CA
Local trust store does not include the signing root
Certificate chain is misconfigured

Quick fixes

Check the exact hostname, not just the apex domain.
Install the trusted root certificate and configure the affected tool to use the correct CA bundle.
Compare direct origin behavior with proxied/CDN behavior when possible.
Retry after DNS TTL or certificate deployment has had time to propagate.

Copy-paste commands

Query DNS records

dig example.com A

dig example.com CNAME

Check HTTP response headers

curl -I https://example.com

Inspect TLS certificate chain

openssl s_client -connect example.com:443 -servername example.com </dev/null

Flush macOS DNS cache

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

Platform-specific fixes

macOS

Use dscacheutil to clear local DNS cache after changing records.

Linux

Use dig or resolvectl query to compare resolver answers.

Windows

Use ipconfig /flushdns after DNS changes, then retest the exact hostname.

Real-world fixes

If Cloudflare is enabled, test whether the origin responds when accessed directly.
If only one network fails, compare DNS resolver answers before changing server config.
Install the trusted root certificate and configure the affected tool to use the correct CA bundle.

Step-by-step troubleshooting

Confirm the browser, client, or log reports self signed certificate in certificate chain for the same hostname.
Use dig to verify the authoritative DNS answer.
Use curl -I to check whether the hostname reaches the expected service.
Use openssl s_client to inspect certificate hostname, issuer, and expiry.
If a CDN is involved, compare proxied and direct-origin behavior.

How to prevent it

Track DNS changes with owner, TTL, and expected target.
Monitor certificate expiry before renewal windows close.
Keep CDN SSL mode and origin certificate configuration documented.

Diagnostic flow for this page

Match self signed certificate in certificate chain exactly before applying the quick fix.
Compare the failing environment with SSL/TLS versions, account scope, provider settings, and deployment context.
Check the listed common causes in order, starting with the cause that best matches your logs.
Use the evidence status below to decide whether to confirm against public sources or official documentation.
Apply one reversible change, rerun the smallest failing action, and keep rollback notes.

FAQ

What does self signed certificate in certificate chain mean in SSL/TLS?

self signed certificate in certificate chain indicates the workflow described by "SSL self signed certificate in certificate chain" failed in a SSL/TLS context. Start by confirming the exact signature and the component that emitted it.

What should I check first for self signed certificate in certificate chain?

Check whether this cause matches your environment: Corporate proxy intercepts HTTPS traffic

Is the self signed certificate in certificate chain guidance source-backed?

The "SSL self signed certificate in certificate chain" page is labeled partial source. It has 1 public source URL from example.com, so use that evidence status when deciding how much additional verification you need.

When should I avoid the quick fix for self signed certificate in certificate chain?

For "SSL self signed certificate in certificate chain", avoid applying "Install the trusted root certificate and configure the affected tool to use the correct CA bundle." when the error text differs, the affected version or provider is different, or the change would touch credentials, billing, DNS, production deploy settings, or irreversible data.

What should I collect before debugging self signed certificate in certificate chain?

For "SSL self signed certificate in certificate chain", collect the failing SSL/TLS command or request, non-secret configuration, versions, timestamps, request IDs when available, and the smallest reproduction that still triggers the signature.