How to fix error: self-signed certificate in certificate chain when connect to Azure Cosmos DB for MongoDB account from local

Question

How to fix error: self-signed certificate in certificate chain when connect to Azure Cosmos DB for MongoDB account from local

Mattanapol Konguthaikul (TH) 20

Hi,

I try to connect to Azure Cosmos DB for MongoDB account from local machine.

I use typescript library mongoose to connect to it.

This is an error

TopologyDescription {
  type: 'Unknown',
  servers: Map(1) {
    'seztpedcadcos002.mongo.cosmos.azure.com:10255' => ServerDescription {
      address: 'seztpedcadcos002.mongo.cosmos.azure.com:10255',
      type: 'Unknown',
      hosts: [],
      passives: [],
      arbiters: [],
      tags: {},
      minWireVersion: 0,
      maxWireVersion: 0,
      roundTripTime: -1,
      minRoundTripTime: 0,
      lastUpdateTime: 689051642,
      lastWriteDate: 0,
      error: [MongoNetworkError: self-signed certificate in certificate chain] {
        errorLabelSet: Set(1) { 'ResetPool' },
        beforeHandshake: false,
        [cause]: [Error: self-signed certificate in certificate chain] {
          code: 'SELF_SIGNED_CERT_IN_CHAIN'
        }
      },
      topologyVersion: null,
      setName: null,
      setVersion: null,
      electionId: null,
      logicalSessionTimeoutMinutes: null,
      maxMessageSizeBytes: null,
      maxWriteBatchSize: null,
      maxBsonObjectSize: null,
      primary: null,
      me: null,
      '$clusterTime': null,
      iscryptd: false
    }
  },
  stale: false,
  compatible: true,
  heartbeatFrequencyMS: 10000,
  localThresholdMS: 15,
  setName: null,
  maxElectionId: null,
  maxSetVersion: null,
  commonWireVersion: 0,
  logicalSessionTimeoutMinutes: null
}

Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator

2025-06-12T05:57:18.7466667+00:00
Hi Mattanapol Konguthaikul (TH)

Greetings!

As we understand that, you are having trouble connecting to your Azure Cosmos DB for MongoDB from your local machine due to a "self-signed certificate in certificate chain" error. This typically happens when the client you're using (in this case, mongoose with TypeScript) is unable to verify the SSL certificate being used.

Here’s what you can try to resolve this issue:

Install the Cosmos DB Emulator Certificate: First, if you haven’t already, you’ll need to download and install the TLS/SSL certificate from the Azure Cosmos DB emulator. You can fetch the certificate by running:

curl --insecure https://localhost:8081/_explorer/emulator.pem -o ~/emulatorcert.crt

Then, import this certificate to your trust store. On Windows, you can use:

certutil -f -addstore "Root" ~/emulatorcert.crt

Disable Certificate Validation (for Development Purpose Only): As a temporary solution (not recommended for production), you can disable SSL certificate validation in your mongoose connection options. Here’s how:

mongoose.connect('mongodb://your-connection-string', { ssl: true, sslValidate: false, });

Ensure Correct Node.js Version: Make sure you’re using a compatible version of Node.js, as older versions may have bugs or issues with TLS/SSL.

Check for Multiple Java Versions: If you are using Java in your setup, ensure that the certificate is imported in the correct Java version's trust store.

Additional Mongoose Options: You can also try adding other options while connecting, such as:

mongoose.connect('mongodb://your-connection-string', { useNewUrlParser: true, useUnifiedTopology: true, });

I hope this information helps. Please do let us know if you have any further queries.
Mattanapol Konguthaikul (TH) 20 Reputation points

2025-06-12T09:14:45.61+00:00

** deleted
Mattanapol Konguthaikul (TH) 20 Reputation points

2025-06-12T09:17:41.9+00:00

@Vijayalaxmi Kattimani Thank you for your reply. I have already install certificate from the emulator as you suggest but still get the same error.
Mattanapol Konguthaikul (TH) 20 Reputation points

2025-06-13T03:46:03.4333333+00:00

Seem like my company network blocking port 10255.

Is it possible to configure the service to use another port?
Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator

2025-06-16T03:32:56.6833333+00:00
Hi Mattanapol Konguthaikul (TH)

I would like to inform you that, please ensure the new port (e.g., 65200) is open on your company’s firewall.

To address your question about configuring the service to use another port, the Azure Cosmos DB emulator allows you to specify a different port when you start it. You can run the emulator with a command that defines a different MongoDB port.

For example, you can use the following command to change the port:

Microsoft.Azure.Cosmos.Emulator.exe /EnableMongoDbEndpoint=4.0 /MongoPort=65200

This command will start the emulator and listen on port 65200 instead of the default port 10255. Make sure to adjust your connection string in your application accordingly to reflect this new port.

After changing the port, ensure that the appropriate certificates are imported to your trust store as you did previously. This should help you establish a connection without hitting the blocked port.
Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator

2025-06-17T01:00:15.9233333+00:00

Hi Mattanapol Konguthaikul (TH)

We haven’t heard from you on the last response and wanted to follow up to check if your issue has been resolved.

If you have found a solution, we would appreciate it if you could share it with the community, as it may be helpful to others. Otherwise, please provide more details, and we will do our best to assist you further.
Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator

2025-06-18T01:26:44.6533333+00:00

Hi Mattanapol Konguthaikul (TH)

We haven’t heard from you on the last response and wanted to follow up to check if your issue has been resolved.

If you have found a solution, we would appreciate it if you could share it with the community, as it may be helpful to others. Otherwise, please provide more details, and we will do our best to assist you further.

1 answer

Your answer

Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator

2025-06-12T05:57:18.7466667+00:00

Hi Mattanapol Konguthaikul (TH)

Greetings!

As we understand that, you are having trouble connecting to your Azure Cosmos DB for MongoDB from your local machine due to a "self-signed certificate in certificate chain" error. This typically happens when the client you're using (in this case, mongoose with TypeScript) is unable to verify the SSL certificate being used.

Here’s what you can try to resolve this issue:

Install the Cosmos DB Emulator Certificate: First, if you haven’t already, you’ll need to download and install the TLS/SSL certificate from the Azure Cosmos DB emulator. You can fetch the certificate by running:

curl --insecure https://localhost:8081/_explorer/emulator.pem -o ~/emulatorcert.crt

Then, import this certificate to your trust store. On Windows, you can use:

certutil -f -addstore "Root" ~/emulatorcert.crt

Disable Certificate Validation (for Development Purpose Only): As a temporary solution (not recommended for production), you can disable SSL certificate validation in your mongoose connection options. Here’s how:

mongoose.connect('mongodb://your-connection-string', { ssl: true, sslValidate: false, });

Ensure Correct Node.js Version: Make sure you’re using a compatible version of Node.js, as older versions may have bugs or issues with TLS/SSL.

Check for Multiple Java Versions: If you are using Java in your setup, ensure that the certificate is imported in the correct Java version's trust store.

Additional Mongoose Options: You can also try adding other options while connecting, such as:

mongoose.connect('mongodb://your-connection-string', { useNewUrlParser: true, useUnifiedTopology: true, });

I hope this information helps. Please do let us know if you have any further queries.
Mattanapol Konguthaikul (TH) 20 Reputation points

2025-06-12T09:14:45.61+00:00

** deleted
Mattanapol Konguthaikul (TH) 20 Reputation points

2025-06-12T09:17:41.9+00:00

@Vijayalaxmi Kattimani Thank you for your reply. I have already install certificate from the emulator as you suggest but still get the same error.
Mattanapol Konguthaikul (TH) 20 Reputation points

2025-06-13T03:46:03.4333333+00:00

Seem like my company network blocking port 10255.

Is it possible to configure the service to use another port?
Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator

2025-06-16T03:32:56.6833333+00:00

Hi Mattanapol Konguthaikul (TH)

I would like to inform you that, please ensure the new port (e.g., 65200) is open on your company’s firewall.

To address your question about configuring the service to use another port, the Azure Cosmos DB emulator allows you to specify a different port when you start it. You can run the emulator with a command that defines a different MongoDB port.

For example, you can use the following command to change the port:

Microsoft.Azure.Cosmos.Emulator.exe /EnableMongoDbEndpoint=4.0 /MongoPort=65200

This command will start the emulator and listen on port 65200 instead of the default port 10255. Make sure to adjust your connection string in your application accordingly to reflect this new port.

After changing the port, ensure that the appropriate certificates are imported to your trust store as you did previously. This should help you establish a connection without hitting the blocked port.
Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator

2025-06-17T01:00:15.9233333+00:00

Hi Mattanapol Konguthaikul (TH)

We haven’t heard from you on the last response and wanted to follow up to check if your issue has been resolved.

If you have found a solution, we would appreciate it if you could share it with the community, as it may be helpful to others. Otherwise, please provide more details, and we will do our best to assist you further.
Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator

2025-06-18T01:26:44.6533333+00:00

Hi Mattanapol Konguthaikul (TH)

We haven’t heard from you on the last response and wanted to follow up to check if your issue has been resolved.

If you have found a solution, we would appreciate it if you could share it with the community, as it may be helpful to others. Otherwise, please provide more details, and we will do our best to assist you further.

Answer 1

Hi Mattanapol Konguthaikul (TH)

Since you have already installed the certificate from the emulator but are still facing the error, here are a few additional things you can try:

Double-check that the certificate is correctly installed in your OS's trust store. If you're on Windows, ensure it's listed under the "Trusted Root Certification Authorities". You can use the certlm.msc tool to verify this.

Make sure you’re running an up-to-date version of Node.js. If you're using an older version, consider updating it, as there may be fixes related to SSL/TLS connections in newer releases.

In your mongoose connection string, make sure you include the necessary options as follows:

mongoose.connect('mongodb://your-connection-string', {
    ssl: true,
    sslValidate: true,
    sslCA: [fs.readFileSync('path_to_your_cert.pem')],
    useNewUrlParser: true,
    useUnifiedTopology: true,
});

Adjust the path to your PEM certificate as necessary.

If you are still having trouble, you might want to set environment variables which may help with certificate validation:

export NODE_TLS_REJECT_UNAUTHORIZED=0

(Note: This disables SSL validation and is not recommended for production environments. Only use for testing purposes.)

Ensure that there's no firewall or proxy blocking your connection. Sometimes, network configurations can interfere with SSL handshakes.

I request you click on this link for additional information https://learn.microsoft.com/en-us/azure/cosmos-db/emulator?tabs=ssl-netstd21#import-certificate

I hope this information helps. Please do let us know if you have any further queries.

Share via

How to fix error: self-signed certificate in certificate chain when connect to Azure Cosmos DB for MongoDB account from local

1 answer

Your answer