axioserror self-signed certificate means Node refused a TLS cert it does not trust, so fix trust by using a valid chain or adding the right CA.
What Triggers Axioserror Self-Signed Certificate
When Axios talks to an HTTPS endpoint, Node checks the TLS certificate chain against trusted certificate authorities. A self-signed certificate, or a certificate issued by an unknown internal authority, sits outside that trust list. Node treats that as risky and raises a TLS error, and Axios wraps that lower level problem as the familiar self-signed certificate error.
Most developers meet this message while calling local APIs, staging servers, corporate backends, or devices with ad hoc HTTPS setups. In these cases the service might work as intended, yet the TLS layer still fails trust checks. The goal is not to silence the warning at any cost, but to help Node understand which certificates you truly trust in a controlled way.
Axios relies on the underlying Node HTTPS stack. That means configuration differences between local machines, containers, and production servers change how often this TLS problem appears. Outdated system trust stores, custom Node builds, or intercepting proxies can turn a once clean request into a stream of self-signed errors.
Quick Checks Before You Change Code
Before you add flags or hide checks, confirm that the target server is the one you expect and that the TLS certificate matches that host. A few minutes of checking saves long debugging sessions later.
- Confirm The Hostname — Open the HTTPS URL in a browser and see which hostname the browser reports for the certificate. If the common name or subject alternative name does not match, fix DNS or the certificate first.
- Check The Expiry Date — Make sure the certificate has not expired. If it has, renew and redeploy the certificate instead of weakening client checks.
- Inspect The Issuer — See whether the issuer is a known internal authority, a development tool, or a hand-made self-signed cert. This shapes how you add trust on the client side.
- Compare With Another Client — Run the same request with curl or another HTTP tool. If both curl and Axios fail with the same trust message, the root cause sits on the TLS side, not inside your Axios setup.
Once you know that the endpoint and certificate look expected, you can choose a fix that lines up with your security rules. In most teams that means adding the right certificate authority to the trust store or switching to a certificate issued by a public authority for any public facing host.
Safe Ways To Trust A Self-Signed Certificate
Many guides jump straight to disabling checks with runtime flags. That might unblock a local test once, yet it weakens HTTPS in that process. Safer patterns expand trust in narrow, explicit steps instead.
Install A Local Certificate Authority
A common pattern is to create an internal certificate authority, issue server certificates from it, and add that authority to trusted roots on development and staging machines. Tools like mkcert and corporate PKI stacks follow this shape. Node then accepts those certificates without extra flags, and Axios benefits from the same trust chain.
- Create Or Locate Your Ca — Use your security team's internal authority or create a small CA with a tool that suits your stack.
- Issue A Server Certificate — Generate a certificate for the exact hostname your Axios code calls, including subject alternative names for all hostnames in use.
- Install The Ca In The System Store — Add the CA certificate to the trust store of your operating system and, if needed, to browsers and dev containers.
When this setup is in place, the server presents a certificate chained to your CA, the client trusts that CA, and the self-signed certificate warning disappears without any client code change.
Pass A Custom Ca To Axios
If you cannot alter the system trust store, you can point a given Axios instance at a custom CA bundle instead. Node's HTTPS agent accepts a ca option, which you can feed with the PEM contents of the internal authority. Axios lets you attach that agent per instance or per request.
const fs = require("fs");
const https = require("https");
const axios = require("axios");
const ca = fs.readFileSync("./internal-ca.pem");
const agent = new https.Agent({
ca,
rejectUnauthorized: true,
});
const client = axios.create({
httpsAgent: agent,
});
client.get("https://internal-api.local/data");This pattern isolates trust changes to the requests that need them. Other Axios clients in the same process still rely on the standard trust store, so a misstep in one configuration does not weaken the entire application.
Fixing Axios Self-Signed Certificate Errors In Node
This error often appears because Node rejects the certificate during the TLS handshake. Axios then throws a generic error object with a code and message from the underlying socket. If you add logging of error.code and error.message, you can confirm that the TLS layer is the source.
Another handy route is to test the same TLS handshake outside your app. Run openssl s_client against the host and port, read the full certificate chain, and see which part fails. Node can also show TLS debug output when you set NODE_DEBUG=tls before running a script. These tools give you a clear picture of issuers, protocols, and ciphers before you change any Axios code, so you know whether to fix the server, add a trusted authority, or tweak client settings. You then avoid random guesswork inside Axios and fix the real TLS cause early.
One tempting workaround is to create an HTTPS agent with rejectUnauthorized set to false or to flip the NODE_TLS_REJECT_UNAUTHORIZED flag to 0. Both approaches tell Node to accept any certificate, even one that an attacker controls. That might feel harmless on a local laptop, yet the pattern tends to leak into scripts, containers, and even production code over time.
- Avoid Global Flags — Stay away from NODE_TLS_REJECT_UNAUTHORIZED=0 in config files, shell profiles, or process managers.
- Prefer Per-Agent Settings — If you must relax checks for a narrow case, build a dedicated HTTPS agent and attach it only to known internal endpoints.
- Log Certificate Details — When a request fails, log the peer certificate subject and issuer so you see exactly which endpoint caused the error.
A safer intermediate option relies on strict pinning. You can fetch the expected certificate in advance, compute a fingerprint, and compare that hash inside a custom check before you accept the TLS session. That way even when a certificate is self-signed, your code still verifies that it matches the version you trust. That habit keeps your logs readable.
Handling Axios Self-Signed Certs In Frontend Apps
Browser based Axios usage sits under the browser's TLS rules. The axioserror self-signed certificate message rarely appears in frontend logs, because the browser itself blocks the request before JavaScript code runs. Instead, users see a warning page when the site uses a self-signed or broken certificate, and the Axios call never starts.
For frontend setups, the clean path is to fix TLS at the server or proxy layer. That means using a public certificate from a provider like Let's Encrypt on any host reached by real users. Local React or Vue dev servers often sit behind tools that generate local HTTPS certificates. In that case, guide team members through installing the matching local authority into their trust store instead of shipping weaker client code.
- Use Public Certs For User Traffic — Any domain that real users hit through a browser should rely on a trusted public certificate chain.
- Keep Dev And Staging Separate — Use internal authorities and staged hostnames for nonproduction hosts so you can manage TLS without touching public DNS.
- Watch Browser Console Output — When Axios calls fail in a browser, read the console and network panel to see whether TLS or CORS rules blocked the request.
This split keeps browser based Axios traffic simple while giving teams flexibility on internal networks and machine only APIs.
Security Pitfalls To Avoid With Self-Signed Certs
Any change that turns off TLS checks for every host in a process opens the door to man in the middle attacks. A shared script, a copied shell snippet, or a sample project with relaxed settings can spread much further than the first developer planned.
Clear rules help keep that risk under control. Teams that document which hosts use self-signed certificates, where internal authorities live, and how to manage keys reduce guesswork for new members. Clear documentation also keeps people from copying unsafe snippets from chat threads into long lived services.
- Keep Private Keys Safe — Store private keys for internal authorities and servers in controlled secret stores, not in repositories or shared folders.
- Rotate Certificates On A Schedule — Set calendar reminders or automation so expiring internal certificates do not surprise you during a deploy.
- Review Sample Code — Clean up old demo scripts that set rejectUnauthorized to false or bend TLS checks for quick tests.
- Align With Security Teams — When in doubt about a TLS change, ask the security group that owns internal PKI or network policy.
Over time, these habits turn this self-signed certificate error from a mysterious edge case into a clear signal that guides your next step. Each alert becomes a nudge to tune trust stores, certificate lifecycles, or internal documentation instead of a reason to relax TLS across the board.
Troubleshooting Table And Final Checks
The table below links common symptoms around this error with concrete checks you can run in a few minutes.
| Symptom | Likely Cause | What To Try |
|---|---|---|
| Self-signed error only on one machine | Local trust store missing internal CA | Add the CA certificate on that machine or pass a custom CA to Axios. |
| Browser works, Axios in Node fails | System store differs from Node trust list | Export CA from system store and point the Node HTTPS agent at that bundle. |
| Error started after proxy change | New proxy inspects TLS and reissues certs | Add proxy CA to trusted roots or adjust routes so Axios talks directly to the target host. |
| Error started after certificate renewal | New certificate missing hostnames or wrong issuer | Reissue with correct subject names and chain, then redeploy. |
Before you close the ticket or commit a change, run through a short end to end test. Call the target API from a clean machine, confirm that the TLS padlock appears in the browser, then run your Axios code in the same network. That blend of checks helps prove that you fixed the trust path, not just this one stack.
In the long run, teams that treat this self-signed certificate error as a useful signal end up with cleaner certificates, clearer trust chains, and fewer delays during feature work. Each time this error shows up, use it as a chance to align your HTTPS setup with how your tools expect TLS to behave.