redbird icon indicating copy to clipboard operation
redbird copied to clipboard

Published 20 hours ago verified publisher icon OptimalBits

self ca verify fails. Can it be disabled? -- 'unable to verify first certificate'

Open dkebler opened this issue 6 years ago • 8 comments

I have a self singed certificate with my own ca I created.

Despite using doing this

proxy.register('https://lights.645.kebler.net', 'https://lights.645.kebler.net:8443',
  {
    ssl: {
      key: '/opt/certs/lights.645.kebler.net.key',
      cert: '/opt/certs/lights.645.kebler.net.crt'
      ,ca: '/opt/certs/rootKeblerCA.crt'
    }
  })

redbird is not not able to verigy my cert given my ca cert.

{"name":"redbird","hostname":"gateway","pid":14927,"level":50,"err":{"message":"unable to verify the first certificate","name":"Error","stack":"Error: unable to verify the first
 certificate\n    at TLSSocket.<anonymous> (_tls_wrap.js:1104:38)\n    at emitNone (events.js:105:13)\n    at TLSSocket.emit (events.js:207:7)\n    at TLSSocket._finishInit (_tls_wrap.js:638
:8)\n    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:468:38)","code":"UNABLE_TO_VERIFY_LEAF_SIGNATURE"},"msg":"Proxy Error","time":"2017-11-01T15:57:14.339Z","v":0}

which leads to this related error in the browser UNABLE_TO_VERIFY_LEAF_SIGNATURE

does redbird not support personal CAs certs?
if not is there a request option to ignore this check? like strictSSL: false

dkebler avatar Nov 01 '17 16:11 dkebler

I do not think this is a redbird specific issue, more like nodejs. Can you verify it works using node TLS server directly?

manast avatar Nov 01 '17 16:11 manast

if you mean, can I visit https://lights.645.kebler.net:8443 directly, yes no problems

under it all redbird uses some nodejs modules to do TLS verification right? Many folks suggest adding a module require('ssl-root-cas').inject(); but that would be to inject real CAs into a node app. This is a self signed cert and I should be able to add my "bogus" personal root CA as I did and get it accepted no???

check this post out. https://stackoverflow.com/questions/31673587/error-unable-to-verify-the-first-certificate-in-nodejs

While you consider this I'll try to get a letsencrypt cert and try that. I assume I don't have to use the ca: option for that?

dkebler avatar Nov 01 '17 16:11 dkebler

There is no point really in using self signed certificates since the availability of LE, unless it is for local development or something like that. Just be careful not to be banned, only use the production flag when everything works as expected.

manast avatar Nov 01 '17 16:11 manast

yes it is for a private personal network (mostly development). I would like redbird to work with self-signed certs. Let me try a letsencrypt one. If that works then the issue is redbird with self-signed certs.

dkebler avatar Nov 01 '17 17:11 dkebler

ok ended up getting a paid wildcard cert since letencrypt does not offer that

I still had some issues with my code and getting the same error until I tried this. Maybe I could try again with self-signed cert but no time right now.

const proxy = require('redbird')({
  port: 80,
  ssl: {
    port: 443,
    key: '/xxx/certs/wc.xxx.net.key',
    cert: '/xxx/certs/wc.xxx.net.crt',
    ca: '/xxx/certs/wc.xxx.net.ca-bundle'
  }
})

console.log ('STARTING REVERSE PROXY')
proxy.register('http://lights.kebler.net', 'http://trantor.kebler.net',{ ssl: true})

dkebler avatar Nov 02 '17 20:11 dkebler

Nope....when you proxy to a port other than 443 the errors return :-(.

Entering lights.kebler.net in browser gives

Error ECONNRESET with proxy.register('lights.kebler.net', '192.168.0.1:8443',{ ssl: true}) or proxy.register('lights.kebler.net', 'http://gateway.kebler.net:8443',{ ssl: true}) ----------- OR error UNABLE_TO_VERIFY_LEAF_SIGNATURE (unable to verify first certificate) proxy.register('lights.kebler.net', 'https://gateway.kebler.net:8443',{ ssl: true}) or proxy.register('lights.kebler.net', 'https://192.168.0.1:8443',{ ssl: true})

and yes if I go to it directly without proxy no issues. The wildcert works fine, green lock. https://gateway.kebler.net:8443

also getting a green lock for lights.kebler.net so doesn't seem a cert issue now.

It seems an SSL proxy to a port other than 443 causes the issue

More info here i proxy to 443 like so proxy.register('lights.kebler.net', 'http://trantor.kebler.net',{ ssl: true}) and it's fine but if I do this proxy.register('lights.kebler.net', 'https://trantor.kebler.net',{ ssl: true}) I get the leaf error

So seems proxy to https just doesn't work period (leaf error) and proxy to port other than 443 resets the connection and dies

dkebler avatar Nov 02 '17 22:11 dkebler

I tried the same with redwire module and I get the exact same result. So it's not unique to redbird (i.e. cannot https proxy to https server running on other than port 443). BTW works fine if its being redirected to just an http server at any port so it's just if I am running an https server.

So maybe this is less an issue and more a requested "enhancement" I'm obviously not grokking the underlying https methods and their handshaking/limitations. Maybe this is just not possible (why not?)

dkebler avatar Nov 03 '17 17:11 dkebler

Today I run in this. I'm using version 0.2.3

You could use this configuration:

const proxy = require('redbird')({
  secure: false,
  port: 80,
  ssl: {
    port: 443
  }
})

console.log ('STARTING REVERSE PROXY')
proxy.register('http://lights.kebler.net', 'https://192.168.0.1:8443',{
  ssl: true,
  key: '/xxx/certs/wc.xxx.net.key',
  cert: '/xxx/certs/wc.xxx.net.crt'
})

gerard2perez avatar Aug 05 '18 19:08 gerard2perez