Request to API fails, reason: unable to verify the first certificate (and UNABLE_TO_VERIFY_LEAF_SIGNATURE)

自作多情 提交于 2021-01-05 06:42:10

问题


We have an Apollo Server which is calling an external API (which translates the REST API into GraphQL). Up until several days ago this worked fine, using cross-fetch to call the API.

On Friday we started getting the following error (below). I've done some searching and it seems to have to do with certificates (see Error: unable to verify the first certificate in nodejs for example). Following the answer to that question, I tried using https://www.npmjs.com/package/ssl-root-cas and putting

require('https').globalAgent.options.ca = require('ssl-root-cas/latest').create();

at the start of my code, but that didn't seem to work.

More importantly, I'm unclear what I'm doing. I have a general idea of what certificates are, how they work, but in this context I'm unclear why I'm having to provide a certificate to a public API that didn't want one a few days ago. I'd appreciate any help in arriving at a solution, but also, almost more important, is if someone what is going on here, that is, what might be causing the issue and how the solution might solve it.

Thanks!

{
  "errors": [
    {
      "message": "request to https://www.someapi.com failed, reason: unable to verify the first certificate",
      "locations": [],
      "path": [
        "someSearch"
      ],
      "extensions": {
        "code": "INTERNAL_SERVER_ERROR",
        "exception": {
          "message": "request to https://www.someapi.com failed, reason: unable to verify the first certificate",
          "type": "system",
          "errno": "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
          "code": "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
          "stacktrace": [
            "FetchError: request to https://www.someapi.com failed, reason: unable to verify the first certificate",
            "    at ClientRequest.<anonymous> (/Users/abc/Documents/projects/yaa-interface-new/node_modules/node-fetch/lib/index.js:1455:11)",
            "    at ClientRequest.emit (events.js:210:5)",
            "    at TLSSocket.socketErrorListener (_http_client.js:406:9)",
            "    at TLSSocket.emit (events.js:210:5)",
            "    at emitErrorNT (internal/streams/destroy.js:92:8)",
            "    at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)",
            "    at processTicksAndRejections (internal/process/task_queues.js:80:21)"
          ]
        }
      }
    }
  ],
  "data": {
    "someSearch": null
  }
}

回答1:


I was able to get this to work --

First I downloaded the chain PEM certificate, inspired by the 4th answer here: Unable to verify leaf signature.

Then I used NODE_EXTRA_CA_CERTS, pointing to the downloaded PEM file.

NODE_EXTRA_CA_CERTS='./something-chain.pem' node index.js

That worked fine.



来源:https://stackoverflow.com/questions/62147046/request-to-api-fails-reason-unable-to-verify-the-first-certificate-and-unable

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!