Debugging Node.js mTLS Client: “Self-signed certificate in certificate chain”
When making an API request from a Node.js client to a server that enforces mutual TLS (mTLS), you might encounter this error:

    [cause]: Error: self-signed certificate in certificate chain
        at TLSSocket.onConnectSecure (node:_tls_wrap:1679:34)
        at TLSSocket.emit (node:events:518:28)
        at TLSSocket._finishInit (node:_tls_wrap:1078:8)
        at ssl.onhandshakedone (node:_tls_wrap:864:12) {
      code: 'SELF_SIGNED_CERT_IN_CHAIN'
    }

Understanding the Issue

This error typically occurs when the client cannot fully verify the server’s certificate chain. In mTLS, both client and server need to trust each other’s root CA certificates. If any root in the chain is missing from the client’s CA bundle, the handshake fails.

Step 1: Inspect the Server Certificate Chain

You can use OpenSSL to see the full server chain:

    openssl s_client -connect server.example.com:443 -showcerts

This will display all ce...
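To make the Step 1 output easier to act on, the following added example (not code from the original article) parses the "Certificate chain" summary that `openssl s_client` prints and reports which certificate the server sent is self-signed, which is the root the client's CA bundle has to contain. The sample output is constructed, the `s:`/`i:` line layout is the one `s_client` prints, and `parseChain`, `diagnose` and `trustedSubjects` are hypothetical names.

```javascript
// Constructed sample of `openssl s_client -showcerts` output (not a real server).
const SAMPLE = `CONNECTED(00000003)
---
Certificate chain
 0 s:CN = server.example.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
 2 s:CN = Example Root CA
   i:CN = Example Root CA
---
Server certificate
`;

// Collect the subject/issuer pair printed for each certificate in the chain.
function parseChain(text) {
  const chain = [];
  let inChain = false;
  for (const line of text.split(/\r?\n/)) {
    if (line.startsWith('Certificate chain')) { inChain = true; continue; }
    if (!inChain) continue;
    if (line.trim() === '---') break; // end of the chain section
    const s = line.match(/^\s*(\d+)\s+s:(.*)$/);
    const i = line.match(/^\s+i:(.*)$/);
    if (s) chain.push({ depth: Number(s[1]), subject: s[2].trim(), issuer: null });
    else if (i && chain.length) chain[chain.length - 1].issuer = i[1].trim();
  }
  return chain;
}

// trustedSubjects (hypothetical parameter): subject names of the certificates
// in the client's CA bundle. Name matching is a diagnostic hint, not validation.
function diagnose(chain, trustedSubjects) {
  const trusted = new Set(trustedSubjects);
  const selfSigned = chain.filter((c) => c.subject === c.issuer).map((c) => c.subject);
  return {
    selfSigned,
    missingFromCa: selfSigned.filter((s) => !trusted.has(s)),
    // Each certificate should be issued by the next one the server sent.
    ordered: chain.every((c, n) => n === chain.length - 1 || c.issuer === chain[n + 1].subject),
  };
}

console.log(diagnose(parseChain(SAMPLE), ['CN = Some Other Root']));
```

A non-empty `missingFromCa` names the root certificate to obtain from the server's operator and add to the client's CA list; an `ordered` value of `false` points to a server sending its chain out of order.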