Solving the “SELF_SIGNED_CERT_IN_CHAIN” Error for Playwright in macOS
When installing browser drivers with Playwright (Chromium, Firefox, WebKit) on macOS, you might encounter the following error:
/opt/homebrew/Cellar/openjdk/21.0.2/libexec/openjdk.jdk/Contents/Home/bin/java -ea -Didea.test.cyclic.buffer.size=1048576 -javaagent:/Applications/IntelliJ IDEA
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Downloading Webkit 18.0 (playwright build v2083) from https://playwright.azureedge.net/builds/webkit/2083/webkit-mac-15-arm64.zip
Error: self-signed certificate in certificate chain
at TLSSocket.onConnectSecure (node:_tls_wrap:1677:34)
at TLSSocket.emit (node:events:519:28)
at TLSSocket._finishInit (node:_tls_wrap:1076:8)
at ssl.onhandshakedone (node:_tls_wrap:862:12) {
code: 'SELF_SIGNED_CERT_IN_CHAIN'
}This error typically occurs due to SSL/TLS issues with the self-signed certificate in the chain. In such cases, the workaround is to bypass SSL certificate validation by setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to 0. However, this should only be used temporarily for the installation process, as it bypasses security checks.
Steps to Resolve
- Check the Current State of
NODE_TLS_REJECT_UNAUTHORIZED - Before setting the variable, check if it is already configured:
echo $NODE_TLS_REJECT_UNAUTHORIZEDIf the output is empty or shows a value other than 0, proceed to the next step.
Temporarily Set NODE_TLS_REJECT_UNAUTHORIZED to 0This disables the TLS certificate validation, allowing the download to proceed despite the self-signed certificate:
export NODE_TLS_REJECT_UNAUTHORIZED=0Download the Browsers
Now, you can run the command to install the browsers (Chromium, Firefox, or WebKit) using Maven:
- To install Chromium:
mvn exec:java -e -Dexec.mainClass=com.microsoft.playwright.CLI -Dexec.args="install chromium"To install Firefox:
mvn exec:java -e -Dexec.mainClass=com.microsoft.playwright.CLI -Dexec.args="install firefox"To install WebKit:
mvn exec:java -e -Dexec.mainClass=com.microsoft.playwright.CLI -Dexec.args="install webkit"Revert the Change After Installation
Once the browsers have been installed, immediately revert the NODE_TLS_REJECT_UNAUTHORIZED setting to restore the default security behavior:
unset NODE_TLS_REJECT_UNAUTHORIZEDYou can verify that the variable has been removed by running:
echo $NODE_TLS_REJECT_UNAUTHORIZEDIf no output is displayed, it has been successfully unset.
Risks of Disabling TLS Certificate Validation
While setting NODE_TLS_REJECT_UNAUTHORIZED=0 temporarily allows you to bypass certificate validation, it is risky as it:
- Exposes you to security threats, such as man-in-the-middle (MITM) attacks, because it allows the system to accept insecure certificates.
- Disables SSL/TLS security checks for any operation relying on this setting.
Therefore, always revert this change immediately after completing the download to ensure that your system maintains secure communication for future connections.
Conclusion
This workaround helps bypass the “self-signed certificate” issue when installing Playwright browsers on macOS, but it should be used cautiously and only temporarily. Always reset the environment variable as soon as possible to ensure your system remains secure.
Alternatives to install browsers
You can use homebrew. Prerequisites: Homebrew must be installed.
Install Chromium:
brew install --cask chromiumInstall Firefox:
brew install --cask firefoxInstall Webkit:
brew install --cask safariIn Homebrew, — cask is a command option used to install macOS applications, such as browsers, that are distributed as precompiled binaries (typically .app files) rather than command-line tools.
What — cask Does:
It installs graphical applications (like Chromium, Firefox, or Safari) to the /Applications directory on macOS.
It is specifically used for cask formulas in Homebrew, which are different from standard command-line tools.
