bitcore-wallet-service
Self Signed CA works, but can't refresh/update wallet
I've created my own CA root/intermediate CA and host SSL certificate.
Wallet creation works perfectly...
verb Wallet created eea6db5b-cdac-4d1d-b054-7a7cab8c4ca5 livenet
::ffff:xxx.xxx.xxx.xxx 2016-10-16T17:38:16.337Z "POST /bws/api/v2/wallets/" 200 51 32.037 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36" - -
verb Notification NewCopayer { walletId: 'eea6db5b-cdac-4d1d-b054-7a7cab8c4ca5',
verb Notification copayerId: '3153f1aefd8a0f20ddc9a06e0e5ea7aa29c0579bb31471ed04cc44b243f85957',
verb Notification copayerName: '{"iv":"z+VTvcmjr/47O3cHV64n6A==","v":1,"iter":1,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","ct":"scagcrv41h/A/Q=="}' }
::ffff:xxx.xxx.xxx.xxx 2016-10-16T17:38:16.474Z "POST /bws/api/v2/wallets/eea6db5b-cdac-4d1d-b054-7a7cab8c4ca5/copayers" 200 - 71.662 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36" - -
::ffff:xxx.xxx.xxx.xxx 2016-10-16T17:38:16.582Z "PUT /bws/api/v1/preferences/" 200 - 11.829 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36" eea6db5b-cdac-4d1d-b054-7a7cab8c4ca5 3153f1aefd8a0f20ddc9a06e0e5ea7aa29c0579bb31471ed04cc44b243f85957
::ffff:xxx.xxx.xxx.xxx 2016-10-16T17:38:16.658Z "GET /bws/api/v1/txhistory/?limit=5&r=95200" 200 2 6.851 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36" eea6db5b-cdac-4d1d-b054-7a7cab8c4ca5 3153f1aefd8a0f20ddc9a06e0e5ea7aa29c0579bb31471ed04cc44b243f85957
::ffff:xxx.xxx.xxx.xxx 2016-10-16T17:38:16.895Z "GET /bws/api/v2/wallets/?includeExtendedInfo=0&twoStep=1&r=81289" 200 - 26.932 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36" eea6db5b-cdac-4d1d-b054-7a7cab8c4ca5 3153f1aefd8a0f20ddc9a06e0e5ea7aa29c0579bb31471ed04cc44b243f85957
verb Notification NewAddress { address: '1eA84p7tdgn58MjG49ryfW4uXEB2pFG1G' }
::ffff:xxx.xxx.xxx.xxx 2016-10-16T17:38:17.058Z "POST /bws/api/v3/addresses/" 200 322 134.053 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36" eea6db5b-cdac-4d1d-b054-7a7cab8c4ca5 3153f1aefd8a0f20ddc9a06e0e5ea7aa29c0579bb31471ed04cc44b243f85957
but when I try to update/refresh the wallet I get...
WARN REQUEST FAIL: https://localhost:3001/insight-api/addrs/utxo ERROR: Error: unable to verify the first certificate
WARN Insight error: Error: unable to verify the first certificate
WARN Insight error: at Error (native)
WARN Insight error: at TLSSocket.<anonymous> (_tls_wrap.js:1022:38)
WARN Insight error: at emitNone (events.js:67:13)
WARN Insight error: at TLSSocket.emit (events.js:166:7)
WARN Insight error: at TLSSocket._init.ssl.onclienthello.ssl.oncertcb.TLSSocket._finishInit (_tls_wrap.js:586:8)
WARN Insight error: at TLSWrap.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:428:38)
WARN Insight error: { [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }
ERR! /v2/wallets/?includeExtendedInfo=0&twoStep=1&r=70361 :500:Insight Error
::ffff:xxx.xxx.xxx.xxx 2016-10-16T17:38:25.045Z "GET /bws/api/v2/wallets/?includeExtendedInfo=0&twoStep=1&r=70361" 500 25 74.708 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36" eea6db5b-cdac-4d1d-b054-7a7cab8c4ca5 3153f1aefd8a0f20ddc9a06e0e5ea7aa29c0579bb31471ed04cc44b243f85957
WARN REQUEST FAIL: https://localhost:3001/insight-api/addrs/txs?from=0&to=5&noAsm=1&noScriptSig=1&noSpent=1 ERROR: Error: unable to verify the first certificate
WARN Insight error: Error: unable to verify the first certificate
WARN Insight error: at Error (native)
WARN Insight error: at TLSSocket.<anonymous> (_tls_wrap.js:1022:38)
WARN Insight error: at emitNone (events.js:67:13)
WARN Insight error: at TLSSocket.emit (events.js:166:7)
WARN Insight error: at TLSSocket._init.ssl.onclienthello.ssl.oncertcb.TLSSocket._finishInit (_tls_wrap.js:586:8)
WARN Insight error: at TLSWrap.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:428:38)
WARN Insight error: { [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }
ERR! /v1/txhistory/?limit=5&r=43939 :500:Insight Error
::ffff:xxx.xxx.xxx.xxx 2016-10-16T17:38:26.099Z "GET /bws/api/v1/txhistory/?limit=5&r=43939" 500 25 82.971 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36" eea6db5b-cdac-4d1d-b054-7a7cab8c4ca5 3153f1aefd8a0f20ddc9a06e0e5ea7aa29c0579bb31471ed04cc44b243f85957
My config:
$ cat bitcore-node.json
{
  "network": "livenet",
  "port": 3001,
  "https": true,
  "httpsOptions": {
    "key": "/etc/pki/tls/private/bws.example.com.key.pem",
    "cert": "/etc/pki/tls/certs/bws.example.com.cert.pem"
  },
  "services": [
    "bitcoind",
    "bitcore-wallet-service",
    "insight-api",
    "web"
  ],
  "servicesConfig": {
    "bitcoind": {
      "spawn": {
        "datadir": "./data",
        "exec": "/home/bitcore/.nvm/versions/node/v4.6.0/lib/node_modules/bitcore/node_modules/bitcore-node/bin/bitcoind"
      }
    }
  }
}
I've purchased a PositiveSSL certificate and still can't get this to work.
WARN REQUEST FAIL: https://localhost:3001/insight-api/addrs/utxo ERROR: Error: unable to verify the first certificate
WARN Insight error: Error: unable to verify the first certificate
WARN Insight error: at Error (native)
WARN Insight error: at TLSSocket.<anonymous> (_tls_wrap.js:1022:38)
WARN Insight error: at emitNone (events.js:67:13)
WARN Insight error: at TLSSocket.emit (events.js:166:7)
WARN Insight error: at TLSSocket._init.ssl.onclienthello.ssl.oncertcb.TLSSocket._finishInit (_tls_wrap.js:586:8)
WARN Insight error: at TLSWrap.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:428:38)
WARN Insight error: { [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }
ERR! /v2/wallets/?includeExtendedInfo=0&twoStep=1&r=91482 :500:Insight Error
::ffff:162.104.232.26 2016-10-18T21:52:55.990Z "GET /bws/api/v2/wallets/?includeExtendedInfo=0&twoStep=1&r=91482" 500 25 26.012 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36" 0609e3e5-10d9-4803-a529-aaa85aaf6798 1a56e00d4a0f3cf605cd952756a55a220dd0726b3e7b848913d4a5323f790bd9
WARN REQUEST FAIL: https://localhost:3001/insight-api/addrs/txs?from=0&to=5&noAsm=1&noScriptSig=1&noSpent=1 ERROR: Error: unable to verify the first certificate
WARN Insight error: Error: unable to verify the first certificate
WARN Insight error: at Error (native)
WARN Insight error: at TLSSocket.<anonymous> (_tls_wrap.js:1022:38)
WARN Insight error: at emitNone (events.js:67:13)
WARN Insight error: at TLSSocket.emit (events.js:166:7)
WARN Insight error: at TLSSocket._init.ssl.onclienthello.ssl.oncertcb.TLSSocket._finishInit (_tls_wrap.js:586:8)
WARN Insight error: at TLSWrap.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:428:38)
WARN Insight error: { [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }
ERR! /v1/txhistory/?limit=5&r=92919 :500:Insight Error
::ffff:162.104.232.26 2016-10-18T21:52:57.015Z "GET /bws/api/v1/txhistory/?limit=5&r=92919" 500 25 28.535 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36" 0609e3e5-10d9-4803-a529-aaa85aaf6798 1a56e00d4a0f3cf605cd952756a55a220dd0726b3e7b848913d4a5323f790bd9
Why purchase an SSL cert when Let's Encrypt will give you one for free? Sponsored by the EFF.
My BWS I run on http localhost and just have my Apache forward any requests to the localhost listening port for BWS (my Apache is already set up for SSL and whatnot).
LetsEncrypt is on my radar but I'm not ready to deploy it and it was easier to spend the $9 just to see if it would work. I like your reverse proxy idea and will run with that. It will let me continue to use my own CA certs, which is really important to me.
The problem is that SSL doesn't work for localhost. You can never buy an SSL cert for localhost. URLs that start with https://localhost/ won't work.
I've run into this problem in a default install of bitcore-wallet-service.
I think there are three possible solutions:
- Run insight-api without https.
- Run insight-api on a public URL. Set up an SSL cert for that public URL. Modify node_modules/bitcore-wallet-service/config.js to use that public https URL.
- Make a self-signed SSL certificate for localhost, and then tell bitcore-wallet-service to trust that self-signed certificate whenever it makes an HTTPS request to insight-api.
Unfortunately, I think this problem is likely to bite future users unless something is done.
https localhost makes 0 sense... lol.
Your requests are literally never leaving your machine... so why encrypt it to begin with?
I've found an offending line of code here: https://github.com/bitpay/bitcore-wallet-service/blob/master/bitcorenode/index.js#L83
The only way this line of code can work if self.node.https is true, is case 3 above—the user must create their own certificate authority and a self-signed cert, and tell bitcore-wallet-server's http requester to trust it. If the user doesn't do that, this line won't work.
Or run a reverse proxy to http localhost and do all the SSL setup through Apache / Nginx.
Something suggested by SPair was to simply use stunnel instead of the reverse proxy. That's a lot less overhead.
Let me repeat: there's a blocking bug on line 83 of bitcorenode/index.js that prevents BWS from working in almost any install. This bug needs to be fixed.
Every time I install bws now, I have to edit index.js and replace that line with a hard-coded ip address.
@toomim submit a pull request! It'll take less time than editing that file every time :)
@martindale I don't know what the code is supposed to do. I just know that it doesn't work. Looks like it was written by @kleetus. Chris, is there a reason to set the domain to localhost on line 83?
It seems like line 83 should be using the actual URL specified for insight in the bws config.js. Is this using localhost because it doesn't want to assume that the user has modified the node_modules/bitcore-wallet-service/config.js file? If so, then perhaps the way forward is to add an option to set the URL for insight in the top-level bitcore-node.json file, and then use this variable on line 83?
Alternatively, we could keep it as localhost and just generate a self-signed certificate within node for the insight server to use. That way it's more automatic. But I don't understand the architectural vision here. Can someone explain?
I think this change was added after the switch to bitcore (full node) model.
Iirc, the assumption is that the full node and insight are all on the same machine as BWS.
This looks like a case where an assumption was made where configurability should have been considered. Bitcore's SSL implementation is not the best in the world, so I personally have left it as localhost http and use apache to reverse proxy into it based on the request URL path.
@dabura667 Thanks for your response! For future readers, let me clarify that it's correct to assume the node and insight are on the same machine—we don't need configurability. The problem is that SSL does not work on localhost.