
Hipchat Beta API v2 errors with self signed certificate

Open hawmps opened this issue 10 years ago • 7 comments

Hiya. First up thanks for writing this package!

Not sure if you've seen, but if you have a self-signed root CA, hipchatter silently fails with v2 API requests. I turned on debug=true and get an error back from openssl saying [self signed cert in chain]. Not sure if you've encountered the same issue on your HipChat beta instance, but I'm 99% sure this is because Atlassian don't allow you to add your own CAs to /usr/share/ca-certificates on the HipChat server.

Maybe until Atlassian deploy a fix is there a way to disable strict checking of the certificates? (at least so I can play around with the hipchat API!)

hawmps avatar May 14 '14 11:05 hawmps

Cool, I actually don't have access to the HipChat Beta yet. :/ CC @terinjokes who generously supplied the first pull request dealing with it. Perhaps he can help you out?

charltoons avatar May 14 '14 15:05 charltoons

@hawmps Out of curiosity, did you upload just the private key + cert, or did you also upload the intermediate chain from your issuer? I suspect the former, which is why you're not getting a valid chain back. Do the official HipChat clients not give you similar errors? (Our instance has a valid chain.)

@charltoons As for addressing the feature request, needle supports the node standard rejectUnauthorized option, which can be set to false. If the user sets a custom endpoint, you may be interested in allowing the user to set this. I, personally, would be a bit hesitant about allowing it for the default https://api.hipchat.com/v2/ endpoint.

terinjokes avatar May 14 '14 16:05 terinjokes

@terinjokes Awesome. Thanks for the advice, I'll look into that.

charltoons avatar May 14 '14 16:05 charltoons

@terinjokes

  1. I don't get any errors from clients.
  2. I think the problem is not on the HipChat side; it's that the ca option for https uses just the Mozilla list. Because we have our own internal root CA, Node.js does not trust the certificate on HipChat.
  3. Rather than disable rejectUnauthorized, hipchatter should allow an option for ca to be passed in. I don't actually know what the correct option should be or where the keystore should be located. (e.g. can Node read from the Windows certificate store?)

hawmps avatar May 15 '14 02:05 hawmps

@hawmps Node expects an array of certificates to use the certificate store, it won't use the Windows store by default, and you'll have to figure out how to query that yourself.

terinjokes avatar May 15 '14 02:05 terinjokes

Thanks @terinjokes

@charltoons Do you think that rejectUnauthorized should be left alone, and instead allow the ca option to be passed through to needle? The user can then supply their own argument, rather than building that functionality into hipchatter. It's such an edge case: a Windows enterprise shop that uses their own root CA, HipChat and Node.js :)

hawmps avatar May 15 '14 04:05 hawmps

@hawmps I'm not sure right now. I'm on a mac without access to HipChat hosted right now, so it might take me a while to do some research into this.

charltoons avatar May 16 '14 21:05 charltoons