I'm trying to make a request with axios to an api endpoint and I'm getting the following error: Error: unable to verify the first certificate
It seems the https module, which axios uses, is unable to verify the SSL certificate used on the server.
When visiting the server with my browser, the certificate is valid and I can see/download it. I can also make requests to the api on my browser through https.
I can work around it by turning off verification. This code works.
const result = await axios.post(
`https://${url}/login`,
body,
{
httpsAgent: new https.Agent({
rejectUnauthorized: false
})
}
)
Problem is, this doesn't verify the SSL certificate and therefore opens up security holes.
How can I configure axios to trust the certificate and correctly verify it?
Old question but chiming in for those who land here. No expert. Please consult with your local security gurus and what not.
Axios is an http(s) client and http clients usually participate in TLS anonymously. In other words, the server accepts their connection without identifying who is trying to connect. This is different then say, Mutual TLS where both the server and client verify each other before completing the handshake.
The internet is a scary place and we want to protect our clients from connecting to spoofed public endpoints. We do this by ensuring our clients identify the server before sending any private data.
// DO NOT DO THIS IF SHARING PRIVATE DATA WITH SERVICE
const httpsAgent = new https.Agent({ rejectUnauthorized: false });
This is often posted (and more egregiously upvoted) as the answer on StackOverflow regarding https client connection failures in any language. And what's worse is that it usually works, unblocks the dev and they move on their merry way. However, while they certainly get in the door, whose door is it? Since they opted out of verifying the server's identity, their poor client has no way of knowing if the connection they just made to the company's intranet has bad actors listening on the line.
If the service has a public SSL cert, the https.Agent usually does not need to be configured further because your operating system provides a common set of publicly trusted CA certs. This is usually the same set of CA certs your browser is configured to use and is why a default axios client can hit https://google.com with little fuss.
If the service has a private SSL cert (self signed for testing purposes or one signed by your company's private CA to protect their internal secrets), the https agent must be configured to trust the private CA used to sign the server cert:
const httpsAgent = new https.Agent({ ca: MY_CA_BUNDLE });
where MY_CA_BUNDLE is an array of CA certs with both the server cert for the endpoint you want to hit and that cert's complete cert chain in .pem format. You must include all certs in the chain up to the trust root.
Where are these options documented?
HTTPS is the HTTP protocol over TLS/SSL. In Node.js this is implemented as a separate module.
Therefore options passed to the https.Agent are a merge of the options passed to tls.connect() and tls.createSecureContext().
Create a custom agent with SSL certificate:
const httpsAgent = new https.Agent({
rejectUnauthorized: false, // (NOTE: this will disable client verification)
cert: fs.readFileSync("./usercert.pem"),
key: fs.readFileSync("./key.pem"),
passphrase: "YYY"
})
axios.get(url, { httpsAgent })
// or
const instance = axios.create({ httpsAgent })
From https://github.com/axios/axios/issues/284
For me, when my application is running in development mode, I have disabled rejectUnauthorized directly in axios.defaults.options. This works very well. be careful and use this only in developer mode.
import https from 'https'
import axios from 'axios'
import config from '~/config'
/**
* Axios default settings
*/
axios.defaults.baseURL = config.apiURL
/**
* Disable only in development mode
*/
if (process.env.NODE_ENV === 'development') {
const httpsAgent = new https.Agent({
rejectUnauthorized: false,
})
axios.defaults.httpsAgent = httpsAgent
// eslint-disable-next-line no-console
console.log(process.env.NODE_ENV, `RejectUnauthorized is disabled.`)
}
These configuration worked for me (In a Mutual Authentication scenario).
const httpsAgent = new https.Agent({
ca: fs.readFileSync("./resource/bundle.crt"),
cert: fs.readFileSync("./resrouce/thirdparty.crt"),
key: fs.readFileSync("./resource/key.pem"),
})
Note: bundle.crt was prepared from provided certificates (root,intermediate,end entry certificate). Unfortunately no clear documentation found in this regards.
This is very dirty, but at the top of your script, just put:
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';
This basically tells node to not check SSL certificates, which is very convenient when you get self signed certificates rejected in development.
Please don't use this in production.
This what worked for me , using axios with nodejs + express
exports.test_ssl = async (req,res) => {
let cert_file = fs.readFileSync("./ssl/my_self_signed_certificate.crt")
let ca_file = fs.readFileSync("./ssl/my_self_signed_certificate_ca.crt")
const agent = new https.Agent({
requestCert: true,
rejectUnauthorized: true,
cert: cert_file,
ca: ca_file
});
const options = {
url: `https://51.195.45.154/test`, // <---this is a fake ip do not bother
method: "POST",
httpsAgent : agent,
headers: {
'Accept': 'application/json',
'Content-Type': 'application/txt;charset=UTF-8'
},
data: {}
};
console.log(cert_file.toString())
axios(options)
.then(response => {
payload = response.data ;
return res.status(200).send({"status":1});
}).catch(err => {
console.log(err);
return false
});
}
This worked for me:
import axios from 'axios'
import https from 'https'
const headers = {};
const httpsAgent = new https.Agent({
ca: fs.readFileSync('./certs/cert.pem'),
cert: fs.readFileSync('./certs/cert.pem'),
})
const data = await axios.get(url, { httpsAgent, headers })
const https = require('https');
const axios = require('axios')
const CA = "-----BEGIN CERTIFICATE-----$$$$$-----END CERTIFICATE-----"
const url = "bla"
const httpsAgent = new https.Agent({
ca: CA
});
const response = await axios.get(url, { httpsAgent });
This is what work for me.
Good morning dear.
My problem is the following:
"Enable to verify the first certificate" with an error code 'ENABLE_TO_VERIFY_LEAF_SIGNATURE'.
They sent me a certificate with a .pfx extension and with the following commands I generated the .pem certificate and the key also with a .pem extension.
I attach the commands.
openssl pkcs12 -in certificate.pfx -nocerts -out key.pem -nodes
openssl pkcs12 -in certificate.pfx -nokeys -out certificate.pem
It should be noted that I am using axios to make the request.
I attach my agent configuration in axios.
const httpsAgent = new https.Agent ({
pfx: fs.readFileSync ("path.pfx"),
passphrase: 'password',
requestCert: true,
rejectUnauthorized: true
});
I have a medical device (client) that I have no control over. When an event happens on that device (client) it connects to my server via tls v1.2 to pass data. The error that I have is "no shared cipher".
[Error: 3160:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:openssl\ssl\statem\statem_srvr.c:1419:
]
After long investigation it looks like the client cipher suite is not supported in node js 10.9.0. I tried to overwrite default ciphers (DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA. see code below) and the change is taken in consideration because I tried to connect with openssl s_client and fails as it does not support the ciphers. If I set the ciphers to ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA openssl s_client connects. If I do openssl ciphers -sslv3 in the list I see the DHE-RSA-AES128-SHA and DHE-RSA-AES256-SHA. But the client does not connect.
The connection handshake
My Server code:
const tls = require('tls');
const fs = require('fs');
tls.DEFAULT_CIPHERS = 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA';
const options = {
key: fs.readFileSync(__dirname + '\\cert\\private-key.pem'),
cert: fs.readFileSync(__dirname + '\\cert\\cert.pem'),
rejectUnauthorized: false
};
const server = tls.createServer(options, (socket) => {
console.log('server connected',
socket.authorized ? 'authorized' : 'unauthorized');
socket.write('welcome!\n');
socket.setEncoding('utf8');
socket.pipe(socket);
});
server.on('tlsClientError', (error, tlsSocket) => {
console.log(error);
});
server.listen(8081, () => {
console.log('server bound', 8011);
});
Openssl s_client
ciphers ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA
ciphers DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA
How can I add or workaround this old ciphers ?
Edit new response:
** New options **
const options = {
key: fs.readFileSync(__dirname + '/cert/sentinel-private-key.pem'),
cert: fs.readFileSync(__dirname + '/cert/sentinel-cert.pem'),
dhparam: fs.readFileSync(__dirname + '/cert/dhparams.pem'),
ca: [fs.readFileSync(__dirname + '/cert/ca-cert.ca')],
rejectUnauthorized: false
The client requires that your server supports perfect forward secrecy using DHE based ciphersuites. In order for that to happen you need to configure your server with appropriate DH parameters.
First you must generate your parameters, e.g.:
openssl dhparam -out dhparams.pem 2048
Next you need to configure your application to use them. Instructions for doing this in Nodes.js are available here:
https://nodejs.org/docs/latest-v10.x/api/tls.html#tls_perfect_forward_secrecy
I tried to configure server with https. On local server, the local private key and certificate works. The code is:
var https = require('https');
const options = {
key: fs.readFileSync('./privatekey.key'),
cert: fs.readFileSync('./certificate.crt')
};
var server = https.createServer(options, app);
But when I purchased a SSL certificate and try to use it on the AWS server, it didn't work at all.
var https = require('https');
const options = {
key: fs.readFileSync('privatekey.pem'),
cert: fs.readFileSync('./ssl/portal.crt'),
ca: [fs.readFileSync('./ssl/portal.ca-bundle')]
};
It always showed webpage is not available. I also tried to upload the server certificate to AWS configuration, still failed. Does anyone know how to fix this?
my nodejs server currently uses a self-signed certificate as follows:
var sslOptions = {
key: fs.readFileSync('./self-ssl/server.key'),
cert: fs.readFileSync('./self-ssl/server.crt'),
ca: fs.readFileSync('./self-ssl/ca.crt'),
requestCert: true,
rejectUnauthorized: false
};
https = require('https').createServer(sslOptions, app);
I want to change this to use a 3rd party certificate, I have received a RapidSSL certificate for my domain which is copied in ./ssl/mactester_com_ee.crt.
My question is how do I edit the old self-signed code to use the new 3rd party certificate?
Thanks,
Found the answer:
var sslOptions = {
key: fs.readFileSync('./ssl/server_private.key'),
cert: fs.readFileSync('./ssl/3rdparty.crt'),
};
https = require('https').createServer(sslOptions, app);
I want to have a NodeJS application to which I can connect over SSH with a public key and send some data to. To be more explicit it should go as follow:
NodeJS application has some functions written
From a server I ssh the nodejs application and tries to identify me by my public key
After I am authenticated, I can send some strings to it, the app is going to parse the string and execute different functions
The only problem is that I cannot manage to do this with any SSH npm package existing. I want the nodejs app to just accept SSH connection and do the authentication and wait for some strings. Is this possible?
EDIT: I want to go with this approach because I only want to call the node functions to execute something only from some allowed clients (servers) and I don't want to send those requests via HTTP so anyone could access it
You're probably better off using HTTPS with client certificates rather than using an SSH server within node (although you can do that with the ssh module, a binding to libssh2), if you want to use certificates.
Here's how you'd set up the HTTPS server:
var https = require('https'),
fs = require('fs');
var options = {
key: fs.readFileSync('server.key'), // server private key
cert: fs.readFileSync('server.crt'), // server certificate
ca: fs.readFileSync('server_ca.crt'), // server CA, this can be an array of CAs too
requestCert: true
};
https.createServer(options, function(req, res) {
if (req.client.authorized) {
res.writeHead(200);
res.end('Hello world!');
} else {
res.writeHead(401);
res.end();
}
}).listen(443);
Then it's just a matter of generating a client certificate using the server's CA that you use with your HTTPS client.
For connecting to the HTTPS server:
For cURL, the command line would look something like: curl -v -s --cacert server_ca.crt --key client.key --cert client.crt https://localhost or to skip server verification: curl -v -s -k --key client.key --cert client.crt https://localhost
For node.js, you might use client code like:
var https = require('https'),
fs = require('fs');
var options = {
// normal http.request()-specific options
method: 'GET',
path: '/',
// tls.connect()-specific options
key: fs.readFileSync('client.key'), // client private key
cert: fs.readFileSync('client.crt'), // client certificate
ca: fs.readFileSync('server_ca.crt'), // server CA, this can be an array of CAs too
// or comment out the `ca` setting and use the following to skip server verification,
// similar to cURL's `-k` option:
//rejectUnauthorized: false
};
https.request(options, function(res) {
if (res.statusCode === 200)
console.log('Accepted!');
else
console.log('Rejected!');
// drain and discard any response data
res.resume();
}).end();