postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

Unable to verify the first certificate #6354

Open gduh opened 5 years ago

gduh commented 5 years ago

Describe the bug

When I try to send an HTTPS POST request from a desktop (Servers are in production environment) the following message is displayed inside the console:

Error: unable to verify the first certificate

To Reproduce

Steps to reproduce the behavior:

  1. POST request using HTTPS
  2. Authorization Type : Basic Auth (including Username and Password)
  3. Headers :
    • Content-Type application/x-www-form-urlencoded
    • Accept application/json
  4. Body, including some parameters
  5. Send request and get the error message instead of the server's response

App information (please complete the following information):

Postman for Mac Version 6.7.4 OS X 18.2.0 / x64

Additional context

If I try to send the same request with the same Headers, Authorization, Body... with CURL, I get the right response, moreover CURL verifies the certificate as valid.

codenirvana commented 5 years ago

@gduh Looks like the server certificate is somehow invalid and it's not possible to debug the root cause from the details you provided.

So, quick sanity to make sure this issue is related to SSL/TLS, try sending the request with the "SSL certificate verification" option disabled. (Settings -> General -> Request)

If the server requires client certificates to be sent with the request, configure appropriate client certificates. (Settings -> Certificates -> Client Certificates)

And if you are trying to request an untrusted host (e.g, localhost) add the CA certificate of the server. (Settings -> Certificates -> CA Certificates)

Also, check if there's any warning/debug message when you make the request using curl with the -v flag.

Note: Update your Postman app to latest (v7.0.9)

gduh commented 5 years ago

@codenirvana With the option "SSL certificate verification" disabled the request is ok and the answer corresponds to the expected result.

As mentioned in my first message, if I make the request using curl (with -v flag) not only the answer is OK, but also, curl says that SSL certificate verify ok and domain name matches certificate without any warning or issue!

In the same way, if I send the same request, using java code, it's OK!

gduh commented 5 years ago

I updated my Postman to latest, but it's the same. If it can help you to investigate further, I can send you more information about the request but only in private, for that I need to create you an account in our server. Just tell me.

gduh commented 5 years ago

On the server, there is no intermediate certificate, could that be an issue with Postman?

vol24pl commented 5 years ago

I'm having the same issue.

Env: MacOS Mojave 10.14.5 (18F132)

Simple dotnet core webApi on localhost:

dotnet new webapi

certificates are added:

$ dotnet dev-certs https --trust
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'
This command might prompt you for your password to install the certificate on the system keychain.

GET: https://localhost:5001/api/items

On Postman Console: Error: unable to verify the first certificate

On Safari: Works, displays expected JSON.

After: Postman -> Preferences -> General -> SSL certificate validation -> OFF it works

schinivision commented 5 years ago

Using Postman v7.2.0 I also have this problem.... Error: unable to verify the first certificate

Server Certificate is valid and can be verified... (by chrome for example) could it be that Postman only supports certificates that are delivered with the whole chain?

Setup is: GCP HTTPS Forwarding rule -> https proxy (terminate ssl) -> Loadbalancer -> Service

jkshan commented 5 years ago

Any update on this issue? I'm facing this for a service hosted under DigiCert with EV.

AsimShakour commented 4 years ago

> I'm having the same issue.
>
> Env: MacOS Mojave 10.14.5 (18F132)
>
> Simple dotnet core webApi on localhost:
>
> dotnet new webapi
>
> certificates are added:
>
> $ dotnet dev-certs https --trust
> Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
> 'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'
> This command might prompt you for your password to install the certificate on the system keychain.
>
> GET: https://localhost:5001/api/items
>
> On Postman Console: Error: unable to verify the first certificate
>
> On Safari: Works, displays expected JSON.
>
> After: Postman -> Preferences -> General -> SSL certificate validation -> OFF it works

Thank you @vol24pl that worked ^

gblikas commented 4 years ago

I am still having this problem. Is it possible that it also depends on the type of SSL Certificate installed on the server?

gblikas commented 4 years ago

@gduh So, solved it for the server I was trying to contact. You are correct, the intermediary certificates need to be in place.

Notes

Sites like https://www.namecheap.com/ often send the .crt files and the intermediaries separately. You should append all of them together, and re-deploy your server, in order to correct this problem.

In general, I think the error returned by Postman, Error: unable to verify the first certificate is suitable, however, once SSL verification is off, SSL certificate verify ok is probably a misnomer and should be replaced with something else.

patrickHub commented 4 years ago

> @codenirvana With the option "SSL certificate verification" disabled the request is ok and the answer corresponds to the expected result.
>
> As mentioned in my first message, if I make the request using curl (with -v flag) not only the answer is OK, but also, curl says that SSL certificate verify ok and domain name matches certificate without any warning or issue!
>
> In the same way, if I send the same request, using java code, it's OK!

It works for me, thanks

atulsinha7 commented 4 years ago

> I'm having the same issue.
>
> Env: MacOS Mojave 10.14.5 (18F132)
>
> Simple dotnet core webApi on localhost:
>
> dotnet new webapi
>
> certificates are added:
>
> $ dotnet dev-certs https --trust
> Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
> 'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'
> This command might prompt you for your password to install the certificate on the system keychain.
>
> GET: https://localhost:5001/api/items
>
> On Postman Console: Error: unable to verify the first certificate
>
> On Safari: Works, displays expected JSON.
>
> After: Postman -> Preferences -> General -> SSL certificate validation -> OFF it works

Thanks. worked like a charm 👌

joelrevans commented 4 years ago

I am having this issue with requests to all hosts, even to google. The following is a console error in response to a basic request to https://google.com. Ironically the request to http://google.com does not have this error.

image

Disabling the SSL certificate validation prevents this error.

archfish commented 4 years ago

This is caused by the order in which the certificates are merged. You should put the domain certificate before the bundle.

like:

cat domain.my.crt bundle.crt > domain.my.chained.crt

Hope this helps!
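
The two server-side mistakes discussed in this thread, a missing intermediate and a bundle placed before the domain certificate, can be reproduced and checked offline. This is an added example, not code from any commenter or from Postman; it assumes the `openssl` CLI (1.1.1 or later) is on the PATH and builds a throwaway root -> intermediate -> leaf PKI whose subjects, function names and file names are all constructed.

```bash
#!/usr/bin/env bash
# Added example: constructed throwaway PKI; no name here comes from the thread.
set -eu

# issue NAME SUBJECT EXTENSION [ISSUER]: writes NAME.key and NAME.crt in the
# current directory; the certificate is self-signed when no ISSUER is given.
issue() {
  local name="$1" subj="$2" ext="$3" issuer="${4:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  printf '%s\n' "$ext" > "$name.ext"
  if [ -n "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -days 2 -extfile "$name.ext" \
      -CA "$issuer.crt" -CAkey "$issuer.key" -CAcreateserial \
      -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -days 2 -extfile "$name.ext" \
      -signkey "$name.key" -out "$name.crt" 2>/dev/null
  fi
}

# Succeeds when the FIRST certificate in CHAIN carries the public key of KEY.
# A server presents the first certificate in the file as its own, so the
# domain certificate has to come before the bundle.
first_cert_matches_key() {  # CHAIN KEY
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds when a client that trusts only ROOT can build a path for the first
# certificate in SERVED, using the other certificates in SERVED as intermediates.
client_can_verify() {  # ROOT SERVED
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# build_demo DIR: creates the PKI and three candidate server files; stays in DIR.
build_demo() {
  cd "$1"
  issue root  "/CN=Example Root CA"      "basicConstraints=critical,CA:TRUE"
  issue inter "/CN=Example Intermediate" "basicConstraints=critical,CA:TRUE" root
  issue leaf  "/CN=api.example.test"     "basicConstraints=CA:FALSE" inter
  cp leaf.crt leaf-only.pem              # intermediate missing
  cat leaf.crt inter.crt > chained.pem   # domain certificate, then bundle
  cat inter.crt leaf.crt > swapped.pem   # bundle first: wrong order
}

if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d); build_demo "$dir"
  for f in leaf-only.pem chained.pem swapped.pem; do
    first_cert_matches_key "$f" leaf.key && k=yes || k=no
    client_can_verify root.crt "$f" && v=yes || v=no
    echo "$f: first cert matches key=$k, client verifies=$v"
  done
fi
```

Run it with `demo` as the first argument to print both checks for each file. Only `chained.pem` passes both: `leaf-only.pem` fails path building for a client that holds just the root, and `swapped.pem` puts a certificate first that does not belong to the server's key.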

bernardodesousa commented 4 years ago

@archfish This is happening to me with a certificate made by the certbot program, by Let's Encrypt. The bot creates the chainkey.pem for me. I didn't cat them together.

If I simply open the chain with a text editor and swap the two certs inside, the server (Daphne in my case) complains the private key doesn't match the chain and exits.

I suspect the order is correct in my case, since my chain was created by certbot. Any thoughts on other things that can cause the same error?

archfish commented 4 years ago

> @archfish This is happening to me with a certificate made by the certbot program, by Let's Encrypt. The bot creates the chainkey.pem for me. I didn't cat them together.
>
> If I simply open the chain with a text editor and swap the two certs inside, the server (Daphne in my case) complains the private key doesn't match the chain and exits.
>
> I suspect the order is correct in my case, since my chain was created by certbot. Any thoughts on other things that can cause the same error?

@bernardodesousa Sorry to hear that. I have no idea.

kenvis commented 4 years ago

I had the same issue. I solved it by going to: File->Settings->General -- SSL Certificate Verification OFF Postman SSL Certificate

EngrMikolo commented 4 years ago

> @gduh Looks like the server certificate is somehow invalid and it's not possible to debug the root cause from the details you provided.
>
> So, quick sanity to make sure this issue is related to SSL/TLS, try sending the request with the "SSL certificate verification" option disabled. (Settings -> General -> Request)
>
> If the server requires client certificates to be sent with the request, configure appropriate client certificates. (Settings -> Certificates -> Client Certificates)
>
> And if you are trying to request an untrusted host (e.g, localhost) add the CA certificate of the server. (Settings -> Certificates -> CA Certificates)
>
> Also, check if there's any warning/debug message when you make the request using curl with the -v flag.
>
> Note: Update your Postman app to latest (v7.0.9)

This worked for me. Thanks.

MSchreijen commented 4 years ago

I am having this exact issue. "SSL certificate validation" is turned off (I did turn it on and off a couple of times). I am developing an ASP.NET Core application, with a self signed certificate, which I have trusted in Microsoft Certification Manager.

realFranco commented 3 years ago

I simply add a new header:

Content-Security-Policy: upgrade-insecure-requests

In any case, the issue is on the server side; I missed some configuration when I installed the SSL certificate.

EngrMikolo commented 3 years ago

Thanks for the reply.

Sent from my iPad

On 1 Nov 2020, at 3:24 PM, Franco Gil notifications@github.com wrote:

> I simply add a new header:
>
> Content-Security-Policy: upgrade-insecure-requests
>
> In any case, the issue is on the server side; I missed some configuration when I installed the SSL certificate.


tsarkoff commented 3 years ago

If you have access to certificates management on your Web hosting, then instead of just root.crt - you shall assign the root-CA.crt (file) certificate, that consists of two certificates in single file = 1st intermediate cert string + 2nd root string. The 2nd cert must go after 1st one in the file starting new line w/o spaces. I had the same POSTMAN problem and after re-assigning a correct intermediate+root cert = problem disappeared w/o turning Postman's Certificate validation option OFF. Of course, if no way to correct root-CA.crt (like Google, etc) - then that Postman's option = OFF.

Pavesi99 commented 3 years ago

I set the startup as it is and works fine,

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_3_0);

            services.AddControllers();
            services.AddDbContext<AppDbContext>(options => {
                options.UseInMemoryDatabase("APIBlogs-in-memory");
            });
            services.AddScoped<IUserRepository, UserRepository>();
            services.AddScoped<IUserService, UserService>();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseHttpsRedirection();
            app.UseRouting();

            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }

gjd6640 commented 3 years ago

Clarifying question:

There may be multiple use-cases in play among the folks having these problems. Potential options:

Note that I'm not asserting that # 2 is a use-case that anyone actually has...

I've observed that Google Chrome uses the local OS's trust store so that is a doable thing.

Please consider reviewing the use-case(s) that drove the current implementation of Postman's CA trust functionality. You may find that simplifying the solution to address only use-case # 1 is an option.

Udayta commented 3 years ago

When I try to send an HTTPS POST request from a desktop (Servers are in production environment) the following message is displayed inside the con: unable to verify the first certificate

Warning: Unable to verify the first certificate Network I am unable to solve it after going to: File->Settings->General -- SSL Certificate Verification OFF

zingrx commented 3 years ago

Here you go the solution, see step 12 [https://forums.ivanti.com/s/article/Postman-responds-to-API-calls-with-Error-Unable-to-verify-the-first-certificate?language=en_US]

mchallenger88 commented 3 years ago

I've done all of the above including adding a cert and still get the same error:

Warning: Unable to verify the first certificate

igor9silva commented 3 years ago

For everyone setting SSL Certificate Verification to OFF, this is NOT a solution. You're just telling Postman to accept an insecure connection!

The root cause is a misconfigured web server.

Kirill commented 3 years ago

@igor9silva this is not a misconfigured web server. It's a problem in Electron and others for root certificates which use Let's Encrypt... Browsers work with these certificates well.

igor9silva commented 3 years ago

@Kirill even though, turning off certificate verification isn't a solution!

The most common cause is: image (from https://www.npmjs.com/package/ssl-root-cas)

lucianobustos commented 3 years ago

@igor9silva I know the risks and I want to connect anyway. (It is a development server.) What can I do? I'm facing this issue with Postman v9.0.5. I've installed the Self Signed Certificate and Chrome works properly. I think something is not working in Postman. (Also, I've tried to use the certs inside Postman.)

igor9silva commented 3 years ago

@lucianobustos this

> I had the same issue. I solved it by going to: File->Settings->General -- SSL Certificate Verification OFF Postman SSL Certificate

lucianobustos commented 3 years ago

> @lucianobustos this
>
> > I had the same issue. I solved it by going to: File->Settings->General -- SSL Certificate Verification OFF Postman SSL Certificate

Yes that options prompt automatically. I need to restart windows 😏 Thanks!

bpetty-interlace commented 2 years ago

Would it be possible for Postman to provide more verbose information as to why? We ran into this on a customer site and I used postman to confirm it, even though Chrome said it was a valid cert. Being a developer and not necessarily an expert in cert management, I didn't know if Postman could more eloquently state why it felt the cert was invalid so that I could bubble up more information.

HarpreetKaur333 commented 2 years ago

I've done all of the above, still the same issue (SSL Certificate verification OFF)?

any hint please

Warning: Unable to verify the first certificate

EngrMikolo commented 2 years ago

try the solution here https://stackoverflow.com/questions/65793225/postman-error-unable-to-verify-the-first-certificate-when-try-to-get-from-my That worked for me

HarpreetKaur333 commented 2 years ago

> try the solution here https://stackoverflow.com/questions/65793225/postman-error-unable-to-verify-the-first-certificate-when-try-to-get-from-my That worked for me

No, it does not work for me

TianLanSky commented 2 years ago

Unable to verify the first certificate? Maybe it is because the web server needs to provide all the certificates in the certificate chain during SSL/TLS negotiation.

entc commented 1 year ago

I have the same issue. The certificate is from a certificate organisation and it works with any other program: curl, browsers, etc... without an invalid certificate notation

openHawkes commented 1 year ago

There does seem to be an IIS Express specific snafu here that might need some attention. As the OP of the SO question cited here remarked (and had upvoted 29 times)...

> Everywhere you pointed i have turned off SSL certificate and error still showing up, i don't understand why people giving -1 when somebody have uncommon issue.

Same deal in this thread -- in this comment with five upvotes, @MSchreijen mentions

> I am having this exact issue. "SSL certificate validation" is turned off (I did turn it on and off a couple of times). I am developing an ASP.NET Core application, with a self signed certificate, which I have trusted in Microsoft Certification Manager.

That's the boat I'm (and apparently a number of others) are in. Sounds like it might be a certificate ordering issue?

But the bottom line is that Postman is acting more temperamentally in this situation than any of the other apps we use to access these endpoints, and that would benefit from some sleuthing, I think.

tma-lawo commented 1 year ago

I can't get Postman to verify my localhost dev certificate with AspNetCore backend. (Backend is running on localhost and sends the certificate. The browser has no problem with the certificate.)

I obviously exported it as a .pem file and added it as a CA certificate in Postman.