I'm using Axios in ReactJS to call my API that is hosted on the cloud with a self-signed certificate. The error for the request returns net::ERR_CERT_REVOKED.
I've added the self-signed code to my login keychain on MacOS running reactjs. But the cert is still getting revoked when I view the error on the logs on Chrome. On safari, the error is Failed to load resource: The certificate for this server is invalid.
try {
const response = await axios.post(
'https://1.1.1.1:3000/login',
{ withCredentials: true },
{ auth: apiAuth },
{ data: bodyFormData },
{ headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }
)
return response.data;
} catch (error) {
console.log(error);
}
IP address has been changed for the question.
I've tried to use the following code in the Axios request but it doesn't help
const agent = new https.Agent({
rejectUnauthorized: false
});
Expected the server to give a response but getting cert revoked as response.
self-signed certificate ... net::ERR_CERT_REVOKED ... MacOS
You probably run into the new requirements for certificates in MacOS 10.15 and iOS 13 which seem to be enforced also for self-signed certificates. While you don't provide any details about your specific certificate I guess it is valid for more than 825 days. It might of course also be any other of the new requirements - see Requirements for trusted certificates in iOS 13 and macOS 10.15 for the details.
Related
I am using a next js node server as my app. And a ngnix as my https server with self-signed certificate in which my API node server is at behind.
But I am getting a self-signed certificate error.
So, in my next js , I will contact the https server either by fetch and axios. for example.
Is there a easy way on how to get ride of it without buying SSL from real CA?
What I have tried:
This problem couldn't be by pass thru chrome insecure content enabling since it is a server error.
I am guessing this could be achieved from either setting node server / fetch or axios. But I am so new on this kind of problem.
second update
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
works to get rid of the fetch error:
But now it shown this error with put method:
net::ERR_CERT_AUTHORITY_INVALID
What I have done is to put process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0; on every api call.
For example
try {
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
const res = await axios.put(url);
} catch (error) {
console.log(error);
}
I am still looking for a solution.
Try adding httpsAgent in your fetch call
const https = require('https');
const httpsAgent = new https.Agent({
rejectUnauthorized: false,
});
const response = await fetch("https://localhost/api", {
// Adding method type
method: "POST",
// Adding body or contents to send
body: JSON.stringify(
{data:"data"}),
// Adding headers to the request
headers: {
"Content-type": "application/json; charset=UTF-8"
},
agent: httpsAgent,
})
It worked for me
I started using OAuth2 server with oidc in node js. Github link
My goal is simple, to access https://myserver/me which is UserInfo endpoint.
While trying to learn how to use the server I also used this guide enter link description here
Where I found that I could create token by sending request to endpoint /token.
Into the configuration I added this code(full server code is below):
{
client_id: 'test_oauth_app',
client_secret: 'super_secret',
grant_types: ['client_credentials'],
redirect_uris: [],
response_types: [],
}
In postman I was able to get my the access_token by this request
POST /token
Headers:
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dGVzdF9vYXV0aF9hcHA6c3VwZXJfc2VjcmV0
Body:
grant_type=client_credentials&scopes=api1
I get this as a response:
{
"access_token": "zdjmZo7_BQSIl4iK9IMcBbKffxGO-wQ3jLzzQXTlyws",
"expires_in": 600,
"token_type": "Bearer"
}
When I checked the token by /token/introspection I found out that the token equals to jti.
So I think it actually returns token_id and by that I cannot access /me endpoint.
Here is the whole sample of server that I use:
const { Provider } = require('oidc-provider');
const configuration = {
features: {
introspection: { enabled: true },
clientCredentials: { enabled: true },
userinfo: { enabled: true },
jwtUserinfo: { enabled: true },
},
formats: {
AccessToken: 'jwt',
},
clients: [{
client_id: 'test_oauth_app',
client_secret: 'super_secret',
grant_types: ['client_credentials'],
redirect_uris: [],
response_types: []
}],
scopes: ['api1']
};
const oidc = new Provider('http://localhost:3000', configuration);
oidc.proxy = true
// express/nodejs style application callback (req, res, next) for use with express apps, see /examples/express.js
oidc.callback
// koa application for use with koa apps, see /examples/koa.js
oidc.app
// or just expose a server standalone, see /examples/standalone.js
const server = oidc.listen(3000, () => {
console.log('oidc-provider listening on port 3000, check https://localhost:3000/.well-known/openid-configuration');
});
The proxy is set to true because I have https set up on apache redirecting to this server.
I tried to change response_types, but than it required redirect_uri which I do not want to have in my scenario.
Here is the request I am trying to post it like so:
POST /me
Headers:
Content-Type: application/json
Authorization: Bearer zdjmZo7_BQSIl4iK9IMcBbKffxGO-wQ3jLzzQXTlyws
The response:
{
"error": "invalid_token",
"error_description": "invalid token provided"
}
Did anyone have a similar problem? I found almost the same problem here
but with no solution, unfortunately.
In case someone encounters the same problem. I was able to solve it.
I did not have enough information and I did not know what client_credentials grant type does.
It actually does not authorize the user, but rather some app. So you have no info about the user, hence you cannot get data about the user through the userinfo endpoint.
So if you want to get info about the user, you probably want to use grant type authorization_code.
I found a page where a lot of things is written pretty clearly, so if you are starting with
OAuth server you might want to give this a try.
https://oauth2.thephpleague.com/authorization-server/auth-code-grant/
So I'm trying to get an access token in order to delete a user.
var options = {
method: 'POST',
url: 'https://dev-owihjaep.auth0.com/oauth/token',
headers: {'content-type': 'application/json'},
data: {
grant_type: 'client_credentials',
client_id: 'RGPTciPqTAlJSDoO3zkL4GT1HV3fsptj',
client_secret: process.env.AUTH0_CLIENT_SECRET,
audience: 'https://dev-owihjaep.auth0.com/api/v2/'
}
};
let accessTokenResponse = await axios.request(options)
It worked in localhost but for some reason for my deployed app I'm getting status: 401, statusText: 'Unauthorized' and data: { error: 'access_denied', error_description: 'Unauthorized' }. I created client grants for my client, made sure Authorized was switched for my Application in Machine to Machine Applications in Auth0 Management API settings, and made sure Client Credentials was checked for Grant Types for my Application. How I can fix this error?
I had to add my .env environment variable(process.env.AUTH0_CLIENT_SECRET) to my Heroku Config Vars.
This question already has answers here:
How to do HTTPS GET with client certificate in node
(1 answer)
Nodejs request to a web service with .p12 certificate
(2 answers)
Node.js Rest call to a server that requires a certificate
(1 answer)
Closed 3 years ago.
I'm trying to make a POST request from a Node/Express server to a ecommerce provider while authenticating with a .PEM certificate, which I converted from a .p12 file using openssl as per their instructions. The provider is supposed to return a unique transaction ID.
I've tried using the Request module as below but I'm getting a "bad certificate" error every time. I've tried with agentOptions, without agentOptions, checked the .pem file is being read correctly, etc.
Error: write EPROTO 140059546118016:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 42
const options = {
url: "https://ecommerce.com:12345/some/route",
agentOptions: {
passphrase: process.env.MY_PASSPHRASE,
ca: fs.readFileSync("./ssl/certificate.pem")
},
rejectUnauthorized: false,
form: {
amount: 100,
currency: 981
}
};
await request.post(options, (err, res, body) => {
console.log({ err, res, body });
});
I'm new to Node.js, and even newer with SSL :( apologies if I'm not explaining or understanding this correctly. Any help/direction will be much appreciated.
SOLVED
Sample working code. Using the same exact key in cert and key fields worked for some reason.
const fs = require("fs");
const request = require("request-promise");
const options = {
url: "https://provider.com:18443/some/path",
headers: {
"User-Agent": "node.js"
},
strictSSL: false,
form: {
// currency, language, provider-specific options here
},
cert: fs.readFileSync("./ssl/my_key.pem"),
key: fs.readFileSync("./ssl/my_key.pem"),
passphrase: process.env.PASSPHRASE
};
const req = await request.post(options, (err, httpResponse, body) => {
// do stuff with body here
})
Nodejs SOAP client throwing error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames:
I am trying to call a SOAP service using soap in nodejs. However I am getting error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: XXX.XXX.XXX.XXX is not in the cert's list:. I am new to nodejs and not sure how to call a SOAP service which requires certificate from nodejs. Other ways to call SOAP services requiring certificates in Nodejs are also welcome.
var url = "https://soapserviceurl?wsdl";
soap.createClient(url, function (err, client) {
if (err) {
console.log("Error Occurred!!");
console.log(err);
}
else {
console.log(client.describe());
}
});
please try
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0" //this is insecure
Or:
var soap = require('soap'),
request = require('request'),
fs = require('fs');
var url = "https://soapserviceurl?wsdl";
var req = request.defaults({
strictSSL: false
);
soap.createClient(url, {
request : req
}, function(err, client) {
//your code
});
Or:
soap.createClient(url, {
request : req,
wsdl_options: {
cert: fs.readFileSync('cert/cert.pem'), //path to pem
key: fs.readFileSync('cert/cert.key'), //path to private key
rejectUnauthorized: false
}
}, function(err, client) {
//your code
});
The answer above doesn't work anymore because as of SOAP as of v0.40.0, it uses Axios for web requests, and not the request package. I couldn't find a recent answer for this and I spent a while figuring it out.
See in the documentation:
request (Object): Override the default request module (Axios as of v0.40.0).
wsdl_options (Object): Set options for the request module on WSDL requests. If using the default request module, see Request Config | Axios Docs.
Based on the link above and instructions like these https://smallstep.com/hello-mtls/doc/client/axios, this is the new way to do it:
First, so the WSDL endpoint is fetched with authentication, get the client like this:
import soap from 'soap';
import fs from 'fs';
import https from 'https';
const client = await soap.createClientAsync(api_url, {
wsdl_options: {
httpsAgent: new https.Agent({
key: fs.readFileSync('personal.key'),
cert: fs.readFileSync('personal.cert'),
}),
}
});
The key difference is that instead of passing cert and key in wsdl_options, you have to pass a new https.Agent with the cert and key.
Next, before making any call, ensure they are also called with certificate authentication:
client.setSecurity(new soap.ClientSSLSecurity('personal.key', 'personal.cert'));