SSL: CERTIFICATE_VERIFY_FAILED
Error: unable to verify the first certificate
SSL_ERROR_HANDSHAKE_FAILURE_ALERT
UNABLE_TO_VERIFY_LEAF_SIGNATURE
The SSL/TLS handshake between your client and the server failed, usually because of a certificate issue.
Fix 1: Expired Certificate
# Check when the certificate expires
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
# Renew with Let's Encrypt
sudo certbot renew
sudo systemctl reload nginx
Fix 2: Self-Signed Certificate in Development
// ❌ Quick hack (NEVER in production)
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
// ✅ Add the CA certificate
const fs = require('fs');
const https = require('https');
const axios = require('axios');
const agent = new https.Agent({
  ca: fs.readFileSync('/path/to/ca-cert.pem'),
});
axios.get('https://localhost:3000', { httpsAgent: agent });
# Python
import requests
requests.get('https://localhost:3000', verify='/path/to/ca-cert.pem')
Fix 3: Missing Intermediate Certificate
The server isn’t sending the full certificate chain.
# Check the chain
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
# Nginx — include the full chain
ssl_certificate /etc/ssl/fullchain.pem; # Not just cert.pem
ssl_certificate_key /etc/ssl/privkey.pem;
Fix 4: TLS Version Mismatch
# Server only supports TLS 1.2+ but client is using TLS 1.0
# Require TLS 1.2 or later
curl --tlsv1.2 https://example.com
# Python
import ssl
# create_default_context() loads the system CA store; a bare SSLContext trusts no CAs
context = ssl.create_default_context()
context.minimum_version = ssl.TLSVersion.TLSv1_2
Fix 5: Wrong Hostname (SNI Mismatch)
# ❌ Certificate is for example.com but you're connecting to 10.0.0.1
curl https://10.0.0.1 # 💥 Hostname mismatch
# ✅ Use the correct hostname
curl https://example.com
# Or keep the hostname (used for SNI and certificate verification) and pin the IP with --resolve
curl --resolve example.com:443:10.0.0.1 https://example.com
Fix 6: Outdated CA Certificates
# Update system CA certificates
# Ubuntu/Debian
sudo apt update && sudo apt install ca-certificates
sudo update-ca-certificates
# CentOS/RHEL
sudo yum update ca-certificates
# Python
pip install --upgrade certifi
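To tell which of the six fixes applies to a given host, the following added example (not part of the original page) attempts a fully verified handshake and maps the failure to a fix. The function names `classify` and `diagnose` are hypothetical; the numeric keys are OpenSSL's X509_V_ERR_* verify codes as exposed by Python's `ssl.SSLCertVerificationError.verify_code`.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* verify codes mapped to the fixes on this page.
VERIFY_CODE_TO_FIX = {
    10: "Fix 1: certificate has expired",
    18: "Fix 2: self-signed certificate (trust its CA explicitly)",
    19: "Fix 2: self-signed certificate in chain (trust its CA explicitly)",
    20: "Fix 3 or Fix 6: issuer not found (missing intermediate or stale CA bundle)",
    21: "Fix 3: unable to verify the first certificate (missing intermediate)",
    62: "Fix 5: hostname mismatch",
    64: "Fix 5: IP address mismatch",
}

# Substrings of SSLError.reason seen when client and server share no TLS version.
VERSION_REASONS = ("PROTOCOL_VERSION", "UNSUPPORTED_PROTOCOL")


def classify(verify_code=None, reason=None):
    """Return the matching fix for a verify code or an SSLError reason string."""
    if verify_code is not None:
        return VERIFY_CODE_TO_FIX.get(verify_code, f"unmapped verify code {verify_code}")
    if reason and any(tag in reason for tag in VERSION_REASONS):
        return "Fix 4: TLS version mismatch"
    return f"unclassified handshake failure: {reason}"


def diagnose(host, port=443, timeout=5.0):
    """Attempt a verified handshake (verification stays on) and report the fix."""
    ctx = ssl.create_default_context()  # system CA store, hostname checking enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"OK: {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        # Certificate problems carry the OpenSSL verify code.
        return classify(verify_code=exc.verify_code)
    except ssl.SSLError as exc:
        # Other handshake failures (e.g. protocol alerts) carry only a reason.
        return classify(reason=getattr(exc, "reason", None))


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, "->", diagnose(target))
```

Code 20 is reported both when the server omits an intermediate and when the client's CA bundle lacks the root, so check the chain with `-showcerts` before updating the CA store.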