Postman TLS setup for Sage X3 GraphQL (CA chain)
Use this when Postman (or curl or node) shows TLS errors such as “Self-signed certificate in certificate chain” or “unable to verify the first certificate”.
Why this error occurs
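- Your client does not trust the endpoint’s certificate chain because an intermediate or root CA certificate is missing from the set of CAs it trusts. The fix is to concatenate the root and intermediate certificates into one chain file and give that file to the client.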
Steps
1) Download CA certs (GoDaddy)
- Root: https://certs.godaddy.com/repository/gdroot-g2.crt
- Intermediate: https://certs.godaddy.com/repository/gdig2.crt.pem
2) Build a chain file
```bash
cat gdig2.crt.pem gdroot-g2.crt > gdchain-g2.pem
```
3) Verify with OpenSSL
```bash
openssl s_client -connect <host>:<port> -CAfile ./gdchain-g2.pem </dev/null
```
Expected: no “unable to verify” errors.
4) Configure Postman
- Open Settings > Certificates.
- In “CA Certificates”, Add and select `gdchain-g2.pem`.
- Ensure it applies to your domain:port and is enabled.
- Retry your request.
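A structural check for the chain file built in step 2, added here as an example (it is not part of the original page). The function names `pem_chain_status` and `make_samples` are hypothetical, and the sample files use constructed placeholder bodies rather than real certificates. It catches the common `cat` failure where an input file lacks a trailing newline, and files that are not PEM at all:

```bash
#!/usr/bin/env bash
# Added example: structural check of a PEM chain file built with `cat`.
# It validates the file layout only; it does not verify signatures or trust.

# pem_chain_status FILE
# Prints "ok <count>" or "bad <reason>"; exit status is 0 only for "ok".
pem_chain_status() {
  awk '
    { sub(/\r$/, "") }   # tolerate CRLF line endings
    # An input file without a trailing newline glues two markers together.
    /-----END CERTIFICATE-----.*-----BEGIN CERTIFICATE-----/ {
      print "bad fused-markers line " NR; bad = 1; exit }
    /^-----BEGIN CERTIFICATE-----$/ {
      if (inblk) { print "bad nested-begin line " NR; bad = 1; exit }
      inblk = 1; body = 0; next }
    /^-----END CERTIFICATE-----$/ {
      if (!inblk || !body) { print "bad stray-or-empty-end line " NR; bad = 1; exit }
      inblk = 0; n++; next }
    inblk && $0 !~ /^[A-Za-z0-9+\/=]+$/ {
      print "bad non-base64 line " NR; bad = 1; exit }
    inblk { body++ }
    END {
      if (bad) exit 1
      if (inblk) { print "bad unterminated-block"; exit 1 }
      if (!n)    { print "bad no-pem-blocks"; exit 1 }
      print "ok " n
    }' "$1"
}

# Constructed sample input: placeholder base64 bodies, not real certificates.
make_samples() {
  _d=$1
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRF' \
                '-----END CERTIFICATE-----' > "$_d/int.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Uk9PVA==' \
                '-----END CERTIFICATE-----' > "$_d/root.pem"
  # Same intermediate, but saved without a final newline.
  printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRF' \
                      '-----END CERTIFICATE-----' > "$_d/int-nonl.pem"
  cat "$_d/int.pem" "$_d/root.pem"      > "$_d/chain-good.pem"
  cat "$_d/int-nonl.pem" "$_d/root.pem" > "$_d/chain-fused.pem"
}
```

Running `pem_chain_status gdchain-g2.pem` on the file from step 2 should print `ok 2` for a root plus one intermediate.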
Alternatively
Instead of configuring Postman, you can supply the chain file to Node.js or add it to the Ubuntu trust store:
For Node.js:
```bash
export NODE_EXTRA_CA_CERTS=/absolute/path/gdchain-g2.pem
node app.js
```
For Ubuntu trust store inside containers/VMs:
```bash
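# update-ca-certificates only picks up files ending in .crt, so install the chain under that extension
sudo install -m 0644 gdchain-g2.pem /usr/local/share/ca-certificates/gdchain-g2.crt
# Rebuild the system CA bundle so the new file is included
sudo update-ca-certificates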
```
General Notes
- Only trust CA bundles you control and understand.
- For GraphQL auth, first create a Connected application in Sage X3, then request a JWT bearer token and send it in an `Authorization: Bearer <token>` header. See the GraphQL Quick Start and Authentication guides.