Who do I get https.request() to trust my internally-signed server certificate. Here is a quick example of the code I'm running in v0.10.25:
var options = {
hostname: 'encrypted.mydomain.local',
port: 443,
path: '/',
method: 'GET'
};
var https = require('https')
https.request(options)
I'm running this on a Windows system which has my internal root CA trusted at the system level, but whenever I make a request like this I get the exception
events.js:72
throw er; // Unhandled 'error' event
^
Error: CERT_UNTRUSTED
at SecurePair.<anonymous> (tls.js:1370:32)
at SecurePair.EventEmitter.emit (events.js:92:17)
at SecurePair.maybeInitFinished (tls.js:982:10)
at CleartextStream.read [as _read] (tls.js:469:13)
at CleartextStream.Readable.read (_stream_readable.js:320:10)
at EncryptedStream.write [as _write] (tls.js:366:25)
at doWrite (_stream_writable.js:223:10)
at writeOrBuffer (_stream_writable.js:213:5)
at EncryptedStream.Writable.write (_stream_writable.js:180:11)
at write (_stream_readable.js:583:24)
For a little more detail, this is all happening inside of the node-atlassian-crowd module I'm attempting to use for authentication
You need to add a ca: cafile.pem line to your options. See http://nodejs.org/api/https.html#https_https_request_options_callback for more details.
The relevant portion:
The following options from tls.connect() can also be specified. However, a globalAgent silently ignores these.
pfx: Certificate, Private key and CA certificates to use for SSL. Default null.
key: Private key to use for SSL. Default null.
passphrase: A string of passphrase for the private key or pfx. Default null.
cert: Public x509 certificate to use. Default null.
ca: An authority certificate or array of authority certificates to check the remote host against.
During application startup, read in the CA's certificate file with something like var casigningcert = fs.readFileSync('keys/ca-certsigning-cert.pem') and then consume it later in your options, which should then look something like:
var options = {
hostname: 'encrypted.mydomain.local',
port: 443,
path: '/',
method: 'GET',
ca: casigningcert
};
Related
I'm using the node sendmail package which is giving me this error:
Error on connectMx for: Error: self signed certificate
at TLSSocket.onConnectSecure (_tls_wrap.js:1515:34)
at TLSSocket.emit (events.js:400:28)
at TLSSocket._finishInit (_tls_wrap.js:937:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:709:12) {
code: 'DEPTH_ZERO_SELF_SIGNED_CERT'
}
So I put this in my code in like 5 places
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
Node says this warning when I run it:
Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
Yet I still get the error message. It's coming from this code:
const {createConnection} = require('net');
createConnection(smtpPort, data[i].exchange); // problem code
sock.on('error', function (err) {
logger.error('Error on connectMx for: ', data[i], err);
tryConnect(++i)
});
Is this a bug in NodeJS, or am I messing something up? Thanks for the help.
I'm building a SSL crawler application where user pass in the domain name and NodeJS use tls library to retrieve the SSL certificate.
First, here is my codes:
server.js
const tls = require('tls');
var rootCas = require('ssl-root-cas/latest').create();
const fs = require('fs');
fs.readdirSync('./keys/intermediate_certs').forEach(file => {
rootCas.addFile('./keys/intermediate_certs/' + file)
});
var secureContext = tls.createSecureContext({
ca: rootCas
});
options = {
host: host, //domain like google.com
port: 443,
secureContext: secureContext,
ca: rootCas,
rejectUnauthorized: true
};
var tlsSocket = tls.connect(options, function () {
let rawCert = tlsSocket.getPeerCertificate()
console.log(rawCert)
})
tlsSocket.on('error', (error) => {
console.log(error)
// [ERR_TLS_CERT_ALTNAME_INVALID] Hostname/IP does not match certificate's altnames: Host: zdns.cn. is not in the cert's altnames: DNS:*.fkw.com, DNS:fkw.com
// unable to verify the first certificate or UNABLE_TO_VERIFY_LEAF_SIGNATURE
});
Problem is the nodejs application throwing error, according to the TLS documentation, the errors were from OpenSSL, however, when browsing the website and view certificate is showing all valid (even the common name matched exactly).
Here are some criteria:
zdns.cn / www.zdns.cn is showing the error: ERR_TLS_CERT_ALTNAME_INVALID; When view cert from browser it show *.zdns.cn
knet.cn / www.knet.cn is showing the error: unable to verify the first certificate; When view cert from browser it show www.knet.cn
Note: I included latest root CA from ssl-root-cas and also downloaded the intermediate certificate manually from CA site.
You are getting that error specifically because of your rejectUnauthorized parameter. The certificate is presenting *.fkw.com as the CN, and it is presenting *.fkw.com and fkw.com as alternate names. None of those match zdns.cn or www.zdns.cn.
If you are just crawling to get the certs, you may want to drop the rejectUnauthorized. Alternatively, the error does seem to display the rest of the certificate information in the error. So you could keep it as is and include in your output information about why the certificate is untrusted/invalid. That seems like valuable information for a crawler pulling certs.
I setup managed redis and managed postgres on digital ocean. Digital ocean gave me a .crt file, I don't know what to do with this, so didn't do anything with it. Can this be the root of the problem below:
Or do I have to allow docker container to reach outside of the container on the rediss protocol?
I dockerized a node app and then put this container onto my droplet. I have my droplet and managed redis and postgres in same region (SFO2). It connects to redis using this url:
url: 'rediss://default:REMOVED_THIS_PASSWORD#my-new-app-sfo2-do-user-5053627-0.db.ondigitalocean.com:25061/0',
I then did ran my docker container with docker run.
It then gives me error:
node_redis: WARNING: You passed "rediss" as protocol instead of the "redis" protocol!
events.js:186
throw er; // Unhandled 'error' event
^
AbortError: Connection forcefully ended and command aborted. It might have been processed.
at RedisClient.flush_and_error (/opt/apps/mynewapp/node_modules/redis/index.js:362:23)
at RedisClient.end (/opt/apps/mynewapp/node_modules/redis/lib/extendedApi.js:52:14)
at RedisClient.onPreConnectionEnd (/opt/apps/mynewapp/node_modules/machinepack-redis/machines/get-connection.js:157:14)
at RedisClient.emit (events.js:209:13)
at RedisClient.connection_gone (/opt/apps/mynewapp/node_modules/redis/index.js:590:14)
at Socket.<anonymous> (/opt/apps/mynewapp/node_modules/redis/index.js:293:14)
at Object.onceWrapper (events.js:298:28)
at Socket.emit (events.js:214:15)
at endReadableNT (_stream_readable.js:1178:12)
at processTicksAndRejections (internal/process/task_queues.js:80:21)
Emitted 'error' event on RedisClient instance at:
at /opt/apps/mynewapp/node_modules/redis/index.js:310:22
at Object.callbackOrEmit [as callback_or_emit] (/opt/apps/mynewapp/node_modules/redis/lib/utils.js:89:9)
at Command.callback (/opt/apps/mynewapp/node_modules/redis/lib/individualCommands.js:199:15)
at RedisClient.flush_and_error (/opt/apps/mynewapp/node_modules/redis/index.js:374:29)
at RedisClient.end (/opt/apps/mynewapp/node_modules/redis/lib/extendedApi.js:52:14)
[... lines matching original stack trace ...]
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
code: 'NR_CLOSED',
command: 'AUTH',
args: [ 'REMOVED_I_DONT_KNOW_IF_THIS_IS_SENSITIVE' ]
The redis protocol is different from rediss because the latter uses TLS connection. DigitalOcean Managed Redis requires the connections to be made over TLS, so you have to use rediss. However, I couldn't find any info about the TLS certificate provided by DigitalOcean to connect to the Managed Redis service.
Based on your error message, I presumed you're using this redis package. If that's the case, you can pass empty TLS object option in the connection string like so:
const Redis = require('redis')
const host = 'db-redis.db.ondigitalocean.com'
const port = '25061'
const username = 'user'
const password = 'secret'
const url = `${username}:${password}#${host}:${port}`
const client = Redis.createClient(url, {tls: {}})
Further reading/source:
SSL connections arrive for Redis on Compose
Connecting to IBM Cloud Databases for Redis from Node.js
I solved this. Below are snippets from config/env/production.js
Sockets
For sockets, to enable rediss you have to pass in all options through adapterOptions like this:
sockets: {
onlyAllowOrigins: ['https://my-website.com'],
// pass in as adapterOptions so it gets through to redis-adapter
// as i need it "rediss" but this url is not supported i get an error.
// so i need to pass in `tls` empty object. and i see he moves things into
// `adapterOptions` here here - https://github.com/balderdashy/sails-hook-sockets/blob/master/lib/configure.js#L128
adapterOptions: {
user: 'username',
pass: 'password',
host: 'host',
port: 9999,
db: 2, // pick a number
tls: {},
},
adapter: '#sailshq/socket.io-redis',
},
Session
For session, pass tls: {} empty object to config:
session: {
pass: 'password',
host: 'host',
port: 9999,
db: 1, // pick a number not used by sockets
tls: {},
cookie: {
secure: true,
maxAge: 24 * 60 * 60 * 1000, // 24 hours
},
},
I have a Hapi server which works fine on HTTP. I need to make this work over HTTPS. I have a certificate which we bought from COMODO.
My Key
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDGyXFDz/pSzMxO
...
g7N2PgtU9nhM7eYhQmhjB+4=
-----END PRIVATE KEY-----
My Certificate
-----BEGIN CERTIFICATE-----
MIIFbDCCBFSgAwIBAgIRAK3oQPHzO66FR3iLafOh2JkwDQYJKoZIhvcNAQELBQAw
...
pvWiUJabAat2O+hexjv55O4RkfQ13aIKo1Z7VeWyNQdEPaSCOFtteC4a3WelWcZ7
-----END CERTIFICATE-----
(have also tried this with a combined root certificate bundle with the same problem)
Edit: Both the certificates and the key are in the PEM format and not the DER format. There are also no problems with line endings.
My Server Code
var tls = {
key: fs.readFileSync('privkey.pem'),
cert: fs.readFileSync('certificate.pem')
};
var server = new Hapi.Server();
server.connection({
address: '0.0.0.0',
port: 443,
tls: tls,
routes: { cors: { origin: ['*'] }, validate: { options: { abortEarly: false } } }
});
I end up with the following error when trying to start the server
node server.js
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Error (native)
at Object.createSecureContext (_tls_common.js:87:19)
at Server (_tls_wrap.js:754:25)
at new Server (https.js:24:14)
at Object.exports.createServer (https.js:44:10)
at new module.exports.internals.Connection.options (W:\project\node_modules\hapi\lib\connection.js:89:74)
at internals.Server.connection (W:\project\node_modules\hapi\lib\server.js:121:24)
at Object.<anonymous> (W:\project\server.js:98:8)
at Module._compile (module.js:398:26)
at Object.Module._extensions..js (module.js:405:10)
What is going on? how do I fix this?
Any help would be appreciated.
Thanks
I was running into a similar issue, my configuration is different as I'm supplying the cert and key as a string (this is dev only). I was getting this same error because I linearized my key from a text editor which stripped out the new line (\n) characters. As soon as I added those \n characters back into my string, it worked just fine. Which got me thinking about your issue....
I tested your fs.readFileSync('server.key') (yes my server.key is in PEM format) code using my certificate and key and I noticed that without specifying an encoding, the file data was coming back as a byte array.
<Buffer 2d 2d 2d 2d ....
However, specifying an encoding fs.readFileSync('server.key', 'utf-8') did give me back the certificate data as a human readable string.
I'd try updating your readFileSync calls to include an encoding like 'utf-8' - it could be why hapi can't understand your certificate data.
Hope this helps!
I have a Node.js app that needs to check the TLS compatibility of external resources. I need to limit the specific ciphers that Node.js will use when making an external TLS request. I'm looking for sample code to achieve this.
More info: Apple is requiring in iOS 9 all outbound connections be encrypted and the allowed cipher list is limited.
The accepted ciphers are:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
My goal is to build a service that will check to make sure external servers meet the Apple requirements.
You could just connect to each resource using that list of ciphers. If the connection is successful, then you know one of those ciphers is being used and thus checks out. An exclusive list of ciphers can be set via the ciphers property. For example:
var ciphers = ['TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'].join(':');
tls.connect({
host: 'example.com',
port: 443,
ciphers: ciphers
}, function() {
// Success!
}).on('error', function(err) {
// Unsuccessful! You may check `err` to make sure it wasn't an unexpected
// error like ECONNREFUSED
});
You can also limit the protocol used by setting the secureProtocol property or the minVersion and maxVersion properties in node v10.16.0 or newer. For example, to use TLSv1.2:
var ciphers = ['TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'].join(':');
tls.connect({
host: 'example.com',
port: 443,
ciphers: ciphers,
secureProtocol: 'TLSv1_2_method',
// or for node v10.16.0+:
// minVersion: 'TLSv1.2',
// maxVersion: 'TLSv1.2',
}, function() {
// Success!
}).on('error', function(err) {
// Unsuccessful! You may check `err` to make sure it wasn't an unexpected
// error like ECONNREFUSED
});