A New Collection of Thoughtful Learning Apps — Now Available on iOS & Android

By -
Image
I’m excited to share a set of mobile apps I’ve recently completed and published on both the Google Play Store and the Apple App Store. These apps are designed with a simple goal in mind: to make meaningful, structured content more accessible, whether you’re studying theology or improving your English vocabulary. 📱 Now Available on Both Platforms All apps are live and available for download: Google Play Developer Page: https://play.google.com/store/apps/dev?id=5835943159853189043 Apple App Store Developer Page: https://apps.apple.com/ca/developer/q-z-l-corp/id1888794100 📖 Theology & Confession Study Apps For those interested in Reformed theology and classical Christian teachings, I’ve developed a series of apps that present foundational texts in a clean, focused reading format: The Belgic Confession Canons of Dort Heidelberg Catechism Westminster Shorter Catechism Each app is designed to provide a distraction-free experience, making it easier to read, reflect, and revisit these im...
Post a Comment

Debugging Node.js mTLS Client: “Self-signed certificate in certificate chain”

By -

Debugging Node.js mTLS Client: “Self-signed certificate in certificate chain”



When making an API request from a Node.js client to a server that enforces mutual TLS (mTLS), you might encounter this error:

[cause]: Error: self-signed certificate in certificate chain
    at TLSSocket.onConnectSecure (node:_tls_wrap:1679:34)
    at TLSSocket.emit (node:events:518:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at ssl.onhandshakedone (node:_tls_wrap:864:12) {
  code: 'SELF_SIGNED_CERT_IN_CHAIN'
}

Understanding the Issue

This error typically occurs when the client cannot fully verify the server’s certificate chain. In mTLS, both client and server need to trust each other’s root CA certificates. If any root in the chain is missing from the client’s CA bundle, the handshake fails.

Step 1: Inspect the Server Certificate Chain

You can use OpenSSL to see the full server chain:

openssl s_client -connect server.example.com:443 -showcerts

This will display all certificates sent by the server, including intermediate and root certificates. Check if the root CA is included in your client ca.pem file.

Step 2: Enable Node.js TLS Debug Logging

To get more insight into the TLS handshake in Node.js, enable debug logs:

NODE_DEBUG=tls,https,net node app.js

This can help identify which certificate is causing the verification failure.

Step 3: Verify mTLS Requirements

  • Both client and server must trust each other’s root CA chains.
  • If any root certificate is missing, the TLS handshake fails.
  • This applies to Node.js clients as well as Spring Boot or other server-side clients.

Step 4: Apply the Fix

In my case, the client CA bundle (ca.pem) was missing one root CA from the server chain. Adding that root certificate resolved the handshake issue immediately:

cat server_root_ca.pem >> ca.pem

After updating the CA bundle, the Node.js client successfully established an mTLS connection with the server.

Key Takeaways

  1. Always verify the server certificate chain with OpenSSL before troubleshooting mTLS issues.
  2. Enable NODE_DEBUG=tls,https,net for detailed handshake logs in Node.js.
  3. Ensure that both client and server trust each other’s root CAs for mTLS.
  4. This debugging pattern works for other clients, including Spring Boot apps.

Following these steps can save hours of frustration when dealing with self-signed certificate errors in mTLS environments.

❤️ Support This Blog

If this post helped you, you can support my writing with a small donation. Thank you for reading.

Coffee ☕ Thanks 🙏 Extra Support ❤️

Comments

Post a Comment

Popular Posts

2026 Begins: Choosing to Stay on the Path as a Blogger

By -
Image
  Today is January 1st, 2026 . Before rushing into new goals, I spent some time looking back at the past 12 months of data for this blog — the quiet numbers that tell a very honest story. Looking Back at the Numbers Over the past year: 📈 Total views: ~44,600 👀 Daily average visits: ~200 💬 Comments: 19 💰 AdSense income: about $0.01 per month At first glance, these numbers may look small — especially the income. But when I zoom out, I see something more meaningful. This blog has been quietly read every single day . No viral posts. No aggressive promotion. No paid traffic. Just consistent readers arriving through search, bookmarks, and curiosity. That consistency matters. What the Traffic Graph Tells Me The graph over the last 12 months shows something important: Early months were quiet and uneven Mid-year brought steady growth Toward the end of the year, traffic became more stable , with clear spikes when certain posts resonated This tell...
Read more

Health Checks and Scaling Strategies for Next.js in Kubernetes

By -
Image
Health Checks and Scaling Strategies for Next.js in Kubernetes This is Part 6 and the final post of the series: Self-Hosting Next.js in Kubernetes (Without Vercel) . At this point, your Next.js standalone app: Builds cleanly Runs in a minimal Docker image Deploys correctly on Kubernetes / OpenShift Serves static assets properly Uses runtime configuration and secrets Now let’s make it resilient and scalable . Why Health Checks Matter Kubernetes relies on health checks to: Know when a pod is ready to receive traffic Restart unhealthy containers Safely roll out new versions Without proper probes, traffic can be sent to a pod that isn’t ready yet. Readiness Probe A readiness probe tells Kubernetes: “This pod can accept traffic.” For most Next.js apps, the root path works well: readinessProbe: httpGet: path: / port: 3000 initialDelaySeconds: 10 periodSeconds: 5 If your app depends on downstream services (APIs, d...
Read more