terriajs-server icon indicating copy to clipboard operation
terriajs-server copied to clipboard
verified publisher icon TerriaJS

Cannot handle incomplete certificate chains

Open kring opened this issue 8 years ago • 1 comments

Some servers (www.cmar.csiro.au and programs.communications.gov.au are two examples as of this writing) return an incomplete TLS certificate chain. That is, they only include the leaf certificate, not the intermediate certificate between the leaf and the trusted CA. Technically this is a misconfiguration of the servers, but no one cares because pretty much all browsers can deal with it these days by automatically downloading the intermediate certificate. Unfortunately, node/request don't handle this automatically like browsers do. So we need to work around it in terriajs-server.

There's some discussion from the node.js perspective and the start of a workaround in nodejs/node#16336.

kring avatar Jan 22 '18 03:01 kring

This often presents itself with an error like:

{ Error: unable to verify the first certificate
    at TLSSocket.<anonymous> (_tls_wrap.js:1116:38)
    at emitNone (events.js:106:13)
    at TLSSocket.emit (events.js:208:7)
    at TLSSocket._finishInit (_tls_wrap.js:643:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:473:38) code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }

peterhassall avatar Aug 11 '21 02:08 peterhassall