NodeJS unable to read default CAs in ubuntu

Submitted by 别等时光非礼了梦想 on 2020-01-24 04:05:11

Question


On our testing environment we are connecting to another server with SSL signed by our company. Every time a connection is made nodejs throws UNABLE_TO_VERIFY_LEAF_SIGNATURE. I have found workarounds by setting rejectUnauthorized: false, but this is not applicable in our case.

The certificates are added to /etc/ssl/certs and tested with the environment variable SSL_CERT_DIR to be either /etc/ssl and /etc/ssl/certs, but no result.

Also, it is not preferable to add somewhere in our files the certificate and add it to every request.


Answer 1:


This is because node does not use your system's CA configuration; it includes its own built-in list of acceptable CAs.

If you want a node SSL client to accept a custom CA, you have to pass the CA's certificate in the ca option.

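var fs = require('fs');
var https = require('https');
var certBuffer; // CA certificate (PEM), set once the file has been read

// do something like this when your app starts up:
fs.readFile('/path/to/ca.pem', function(err, cert) {
    if (err) throw err; // without the CA the server cannot be verified
    else certBuffer = cert;
});

// then when you make requests...
https.request({
    hostname: 'example.com',
    port: 443,
    path: '/',
    method: 'GET',
    ca: certBuffer
}, function(res) {
    res.resume(); // handle the response here
}).end();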



Answer 2:


And if you do not want to rely on node.js built-in list, and rather use your debian/ubuntu's list:

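var fs = require('fs');
var https = require('https');

// split the system bundle into one PEM string per certificate
var CAs = fs.readFileSync('/etc/ssl/certs/ca-certificates.crt').toString().split(/(?=-----BEGIN CERTIFICATE-----)/);

// then when you make requests...
https.request({ hostname: 'example.com', ca: CAs }, function(res) { res.resume(); }).end();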
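An added example, not part of either answer above: Node's documentation states that passing `ca` completely replaces the bundled root list, so a client given only the company CA stops trusting public CAs. This sketch merges the bundled roots with the certificates from a PEM file and rejects malformed entries. The names `splitBundle`, `buildCaList` and `sampleBundle` are hypothetical, and it assumes Node 15.6 or later for `crypto.X509Certificate` and `tls.rootCertificates`.

```javascript
const tls = require('tls');
const { X509Certificate } = require('crypto');

// Matches one complete PEM certificate block; text between blocks
// (comments, blank lines) is ignored.
const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle into an array with one PEM string per certificate.
function splitBundle(pemText) {
  return pemText.match(PEM_BLOCK) || [];
}

// Build a value for the `ca` option: the base roots (Node's bundled list by
// default) plus every certificate in extraPem, deduplicated by SHA-256
// fingerprint. Throws if any block is not a parsable X.509 certificate.
function buildCaList(extraPem, baseRoots = tls.rootCertificates) {
  const seen = new Set();
  const out = [];
  for (const pem of [...baseRoots, ...splitBundle(extraPem)]) {
    const fingerprint = new X509Certificate(pem).fingerprint256;
    if (!seen.has(fingerprint)) {
      seen.add(fingerprint);
      out.push(pem);
    }
  }
  return out;
}

// Constructed sample input: three bundled roots written out the way a
// bundle file might look, with a comment line before each certificate.
const sampleBundle = tls.rootCertificates.slice(0, 3)
  .map((pem, i) => `# constructed entry ${i}\n${pem}\n`)
  .join('\n');

// Usage (path is the placeholder used in the answer above):
//   const ca = buildCaList(fs.readFileSync('/path/to/ca.pem', 'utf8'));
//   https.request({ hostname: 'example.com', ca: ca }, onResponse).end();
```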



Answer 3:


You can also add a path to your certificates in PEM file format using the NODE_EXTRA_CA_CERTS environment variable starting with node v7.3.0.

https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file

This has the benefit of not requiring any code changes, just change the environment of your node process. Hope this helps!

Edit:

Also check out --use-openssl-ca https://nodejs.org/api/cli.html#cli_use_openssl_ca_use_bundled_ca

That's what I ended up using to solve my problem. I copied my .crt files to /usr/local/share/ca-certificates then ran sudo update-ca-certificates and then ran node with --use-openssl-ca and now node finds my certificates properly.



Source: https://stackoverflow.com/questions/20658120/nodejs-unable-to-read-default-cas-in-ubuntu
