
"SELF_SIGNED_CERT_IN_CHAIN" error behind self-signed SSL network

Open vaderj opened this issue 7 years ago • 14 comments

The more we know about your system and use case, the more easily and likely we can help.

Environment info

  • OS: Win 10

  • App Version (Command/Ctrl + ,): Who knows / Doesn't matter. Who knows: There's no way to tell from the application when it's stuck not logging in. Doesn't matter: The behavior is the same between 1.5.0 and 1.5.1-alpha.

Description of the problem / feature request / question:

No version of Lepton has ever logged in to GitHub for me. I have deleted the C:\Users\<username>\AppData\Roaming\Lepton\ folder multiple times - it has zero effect.

If possible, provide a sample gist or screenshot:

image

If possible, provide the log files

  • Mac: ~/Library/Application Support/Lepton/logs
  • Windows: C:\Users\<username>\AppData\Roaming\Lepton\logs
  • Linux: ~/.cached/Lepton/logs

The debug mode is recommended when producing the logs. You can send your log file to [email protected] if you don't want to post it here.

2017-12-12T22.45.02.250Z.log

vaderj avatar Dec 12 '17 22:12 vaderj

The last line of this log shows the reason:

{"code":"SELF_SIGNED_CERT_IN_CHAIN"}

Which means that while the application was trying to access github.com, it found an improper cert chain.

You need to check if your network is running normally. Or, as an easy way, run curl -nvL https://github.com and check if the cert is okay.

SilverBut avatar Dec 13 '17 07:12 SilverBut

Thanks for reporting. I'll follow up in the coming week.

hackjutsu avatar Dec 16 '17 01:12 hackjutsu

It looks like you are running Lepton behind a corporate network that interjects a self-signed SSL certificate. The GitHub auth server refuses to exchange the auth code for the access token when it sees that an "unknown" certificate is used.

  • https://github.com/npm/npm/issues/9282
  • https://stackoverflow.com/q/9626990/3697757

This is an interesting issue, I'll do some research on this topic. Stay tuned.

hackjutsu avatar Dec 18 '17 16:12 hackjutsu

I have tried troubleshooting the following:

npm install npm -g --ca=null
npm config set ca=""

Neither command had any effect on Lepton logging in.

As far as certificates go, I have about 150 self-signed certificates, all for specific domains, none of which are for GitHub. I guess I am not familiar with the authentication process - why is Lepton not using the cert issued by GitHub and instead digging up one of my locally installed certs?

vaderj avatar Dec 26 '17 21:12 vaderj

@vaderj

To be honest, I don't know. I don't have the environment to reproduce the issue so that I can learn more about it. Lepton simply forwards the auth code to GitHub servers and exchanges it for the access token. It doesn't have specific logic to decide which cert to use. The {"code":"SELF_SIGNED_CERT_IN_CHAIN"} error is reported by the GitHub server side.

https://github.com/hackjutsu/Lepton/blob/master/app/utilities/githubApi/index.js#L23

I would like to learn more about it if someone knows about this topic.

hackjutsu avatar Dec 27 '17 19:12 hackjutsu

Not working yet. Someone managed to bypass this?

marvinbelfort avatar Oct 24 '19 13:10 marvinbelfort

@marvinbelfort The best I could do so far is this shell alias:

alias lepton='NODE_TLS_REJECT_UNAUTHORIZED=0 /Applications/Lepton.app/Contents/MacOS/Lepton'

Then I can just run it in terminal as lepton& or just lepton and keep the terminal tab open, or there are other ways.

Ideally though, Lepton should allow turning off SSL verification or specifying self-signed certs in ~/.leptonrc, or accept Chromium's --ignore-certificate-errors. Or I don't know, trust the certs if they are marked "always trust" in OS X keychain 🤷‍♂️

mgrebenets avatar Jan 23 '20 19:01 mgrebenets

Any solution for windows?

What about the recommendation from @mgrebenets?

I really want to use the tool behind a company proxy.

SilberMa avatar Feb 19 '20 10:02 SilberMa

Windows comes with PowerShell built in these days, if I'm not mistaken. So it should be a very similar if not identical way to launch Lepton from the PowerShell console, only the application path would be different.

mgrebenets avatar Feb 19 '20 11:02 mgrebenets

Had the same issue. Spent ages trying to find the error and solution for a windows machine in a company network. Thanks for pointing this direction. For windows my solution was:

>doskey lepton=c:\path_to_dir\Lepton.exe
> set NODE_TLS_REJECT_UNAUTHORIZED=0

Starting from cmd by simply typing "lepton" made it work like a charm :-)

ditori1976 avatar Mar 31 '20 07:03 ditori1976

The method from @mgrebenets of setting the NODE_TLS_REJECT_UNAUTHORIZED worked for a similar problem I was having doing npm install on an electron project.

Doesn't this compromise security, however? You're basically allowing ANY Man-In-The-Middle with a self-signed, invalid cert to work.

CliffJumper avatar Sep 17 '20 13:09 CliffJumper
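For the concern raised in the comment above, an added example (not part of the thread and not Lepton's code) that lists the certificate chain a host presents, so the self-signed root behind SELF_SIGNED_CERT_IN_CHAIN can be identified and trusted explicitly instead of disabling verification for the whole process. The names summarizeChain, probe and constructedSample, and the "Example Corp Proxy Root" sample data, are hypothetical.

```javascript
// Added example, not Lepton code: list the certificate chain a host presents.
const tls = require('tls');

// Walk issuerCertificate links of an object shaped like the result of
// tlsSocket.getPeerCertificate(true). Node links a self-signed root to
// itself, so stop when a fingerprint repeats.
function summarizeChain(leaf) {
  const chain = [];
  const seen = new Set();
  let cert = leaf;
  while (cert && cert.fingerprint256 && !seen.has(cert.fingerprint256)) {
    seen.add(cert.fingerprint256);
    chain.push({
      subject: cert.subject.CN,
      issuer: cert.issuer.CN,
      selfSigned: JSON.stringify(cert.subject) === JSON.stringify(cert.issuer),
      fingerprint256: cert.fingerprint256,
    });
    cert = cert.issuerCertificate;
  }
  return chain;
}

// Live check (needs network). Verification is relaxed for this one socket
// only, so the chain can be read even when it fails validation.
function probe(host, port = 443) {
  return new Promise((resolve, reject) => {
    const opts = { host, port, servername: host, rejectUnauthorized: false };
    const socket = tls.connect(opts, () => {
      const chain = summarizeChain(socket.getPeerCertificate(true));
      const error = socket.authorized ? null : String(socket.authorizationError);
      socket.end();
      resolve({ authorized: socket.authorized, error, chain });
    });
    socket.on('error', reject);
  });
}

// Constructed sample, not a real capture: a github.com leaf issued by a
// hypothetical inspecting proxy whose root certificate is self-signed.
function constructedSample() {
  const name = { CN: 'Example Corp Proxy Root' };
  const root = { subject: name, issuer: name, fingerprint256: 'CONSTRUCTED:ROOT' };
  root.issuerCertificate = root; // self-link, as Node reports a root
  return { subject: { CN: 'github.com' }, issuer: name,
    fingerprint256: 'CONSTRUCTED:LEAF', issuerCertificate: root };
}

console.log(summarizeChain(constructedSample()));
```

Once the root reported by probe('github.com') is confirmed to be the organisation's own, its PEM file can be passed to Node.js through the NODE_EXTRA_CA_CERTS environment variable, which keeps verification on. Whether Lepton's bundled Electron honours that variable is an assumption not confirmed in this thread.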

Any interest in adding an option in ~/.leptonrc to accept self-signed certificates?

mikecharles avatar Nov 11 '20 19:11 mikecharles

Launching the app with NODE_TLS_REJECT_UNAUTHORIZED=0 raises error: Failed: undefined, any chance of fixing this issue?

xieshuaix avatar Apr 03 '21 06:04 xieshuaix

Had the same issue. Spent ages trying to find the error and solution for a windows machine in a company network. Thanks for pointing this direction. For windows my solution was:

>doskey lepton=c:\path_to_dir\Lepton.exe
> set NODE_TLS_REJECT_UNAUTHORIZED=0

Starting from cmd by simply typing "lepton" made it work like a charm :-)

It works also for me. Many thanks ditori1976

ciprianbalan avatar Jul 27 '22 10:07 ciprianbalan