NodeJS unable to read default CAs in ubuntu

StackOverflow https://stackoverflow.com/questions/20658120

  •  19-09-2022
  •  | 
  •  

Question

On our testing environment we are connecting to another server with SSL signed by our company. Every time connection is made nodejs throws UNABLE_TO_VERIFY_LEAF_SIGNATURE. I have found workarounds by setting rejectUnauthorized: false, but this is not aplicable in our case.

The certificates are added to /etc/ssl/certs and tested with the environment variable SSL_CERT_DIR to be either /etc/ssl anb /etc/ssl/certs, but no result.

Also, it is not preferable to add somewhere in our files the certificate and add it to every request.

Was it helpful?

Solution

This is because node does not use your system's CA configuration; it includes its own built-in list of acceptable CAs.

If you want a node SSL client to accept a custom CA, you have to pass the CA's certificate in the ca option.

// do something like this when your app starts up:
fs.readFile('/path/to/ca.pem', function(err, cert) {
    if (err) ...
    else certBuffer = cert;
});

// then when you make requests...
https.request({
    hostname: 'example.com',
    port: 443,
    path: '/',
    method: 'GET',
    ca: certBuffer
}, ...);

OTHER TIPS

And if you do not want to rely on node.js built-in list, and rather use your debian/ubuntu's list :

var CAs = fs.readFileSync('/etc/ssl/certs/ca-certificates.crt').toString().split(/(?=-----BEGIN CERTIFICATE-----)/);

// then when you make requests...
https.request({ ..., ca: CAs}, ...);

You can also add a path to your certificates in PEM file format using the NODE_EXTRA_CA_CERTS environment variable starting with node v7.3.0

https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file

This has the benefit of not requiring any code changes, just change the environment of your node process. Hope this helps!

Edit:

Also check out --use-openssl-ca https://nodejs.org/api/cli.html#cli_use_openssl_ca_use_bundled_ca

That's what I ended up using to solve my problem. I copied my .crt files to /usr/local/share/ca-certificates then ran sudo update-ca-certificates and then run node with --use-openssl-ca and now node finds my certificates properly.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top