
Where does tedious look for a certificate to use?

Open g0djan opened this issue 5 years ago • 3 comments

Hi, we are using certificates signed by our own certificate center, and we want to connect with encrypt='yes', but got the error: unable to get local issuer certificate.

I added our certificate to trusted certificates and it helped for connection from Golang.

wget "https://path/to/certificate/CA.pem" -O /usr/local/share/ca-certificates/root.crt &&
update-ca-certificates

But tedious doesn't use the certificate. Where does tedious look for a certificate to use? Is it possible to set a path to a certificate?

Expected behaviour: Successful connection

Actual behaviour: Failed to connect to hostname:1433 - unable to get local issuer certificate

Connection string:

var Connection = require('tedious').Connection;

// Create connection to database
var config = {
  server: '{{hostname}}',
  authentication: {
      type: 'default',
      options: {
          userName: '{{username}}', // update me
          password: '<password>' // update me
      }
  },
  options: {
      encrypt: true,
      database: '{{databasename}}'
  }
}
var connection = new Connection(config);

// Attempt to connect and execute queries if connection goes through
connection.on('connect', function(err) {
  if (err) {
    console.log(err);
  } else {
    console.log('Connected');
  }
});

Software versions: NodeJS: v8.10.0, [email protected], SQL Server: 2016sp2

g0djan, Sep 21 '20 09:09

Hi @g0djan, tedious uses the native tls library for creating TLS connections, and what I believe you're looking for is the option ca passed in as options in the tls.connect([options], cb) method. As described in the docs:

// Necessary only if the server uses a self-signed certificate.
  ca: [ fs.readFileSync('server-cert.pem') ]

(Info on how tedious uses tls module in src/message-io.ts)

As of currently, Tedious doesn't have an API exposed to let users specify the location of their certificates. Perhaps this can be changed in the future?

@arthurschreiber can you confirm?

IanChokS, Sep 23 '20 15:09

You should also be able to use NODE_EXTRA_CA_CERTS (https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file) or use npm (https://docs.npmjs.com/misc/config#cafile)

The ca property is the primary method for TLS on NodeJS.

I'm not sure I'd want tedious reading my filesystem by default. There's also the complexity (confusion) of __dirname on CommonJS and import.meta.url with ESM.

clshortfuse, Sep 23 '20 15:09

You can try to set the CA in the connection.cryptoCredentialsDetails, more details in the options here

IanChokS, Oct 07 '20 15:10
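
The approach suggested in this thread, as an added example (not code from the tedious project or from any commenter): by default Node.js validates against the root list compiled into its binary rather than the OS store that update-ca-certificates maintains, so the private CA has to be passed explicitly. It assumes Node.js 15.6+ for crypto.X509Certificate and the tedious settings options.cryptoCredentialsDetails and options.trustServerCertificate; loadCaBundle and withPrivateCa are hypothetical helper names.

```javascript
// Added example, not tedious project code. Helper names are hypothetical.
const tls = require('tls');
const { X509Certificate } = require('crypto'); // assumes Node.js 15.6+

// SHA-256 fingerprints of the roots compiled into this Node.js binary.
// By default this list, not the OS trust store, is what Node.js trusts.
const bundledRoots = new Set(
  tls.rootCertificates.map((pem) => new X509Certificate(pem).fingerprint256)
);

// Split a PEM bundle into certificates and describe each one.
function loadCaBundle(pemText) {
  if (/PRIVATE KEY-----/.test(pemText)) {
    throw new Error('CA file contains a private key; supply certificates only');
  }
  const blocks = pemText.match(
    /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g
  );
  if (!blocks) throw new Error('no CERTIFICATE blocks found in CA file');
  return blocks.map((pem) => {
    const cert = new X509Certificate(pem); // throws on a malformed certificate
    return {
      pem,
      subject: cert.subject,
      validTo: cert.validTo,
      fingerprint256: cert.fingerprint256,
      inNodeDefaultStore: bundledRoots.has(cert.fingerprint256),
    };
  });
}

// Return a copy of a tedious config that verifies the server against pemText.
function withPrivateCa(config, pemText) {
  const cas = loadCaBundle(pemText);
  const options = config.options || {};
  return {
    ...config,
    options: {
      ...options,
      encrypt: true,
      trustServerCertificate: false, // keep chain validation on
      // Handed to Node's TLS layer; `ca` replaces the default roots,
      // so only the listed CAs are trusted for this connection.
      cryptoCredentialsDetails: {
        ...options.cryptoCredentialsDetails,
        ca: cas.map((c) => c.pem),
      },
    },
  };
}
```

In practice pemText would come from reading the CA file written in the original post (/usr/local/share/ca-certificates/root.crt), and a private CA will report inNodeDefaultStore as false. Setting NODE_EXTRA_CA_CERTS to that path before the process starts is the alternative that needs no code change.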