Unable to verify leaf signature

Question

I m using node js request js to reach an api  I m getting this error      Error  UNABLE TO VERIFY LEAF SIGNATURE    All of my credentials are accurate and valid  and the server s fine  I made the same request with postman   request        url   domain   api orders originator   id       method    GET        headers             X-API-VERSION   1           X-API-KEY   key           function err  response  body       console log err       console log response       console log body         This code is just running in an executable script ex  node   run file js  Is that why  Does it need to run on a server

User · Answer

For Create React App  where this error occurs too and this question is the  1 Google result   you are probably using HTTPS true npm start and a proxy  in package json  which goes to some HTTPS API which itself is self-signed  when in development   If that s the case  consider changing proxy like this    proxy         api          target    https   localhost 5001        secure   false         secure decides whether the WebPack proxy checks the certificate chain or not and disabling that ensures the API self-signed certificate is not verified so that you get your data

User · Answer

If you come to this thread because you re using the node postgres   pg module  there is a better solution than setting NODE TLS REJECT UNAUTHORIZED or rejectUnauthorized  which will lead to insecure connections   Instead  configure the  ssl  option to match the parameters for tls connect       ca  fs readFileSync   path to server-ca pem   toString      cert  fs readFileSync   path to client-cert pem   toString      key  fs readFileSync   path to client-key pem   toString      servername   my-server-name     e g  my-project-id my-sql-instance-id for Google SQL     I ve written a module to help with parsing these options from environment variables like PGSSLROOTCERT  PGSSLCERT  and PGSSLKEY   https   github com programmarchy pg-ssl

User · Answer

Note  the following is dangerous  and will allow API content to be intercepted and modified between the client and the server    This also worked   process env  NODE TLS REJECT UNAUTHORIZED      0

User · Answer

I had an issue with my Apache configuration after installing a GoDaddy certificate on a subdomain  I originally thought it might be an issue with Node not sending a Server Name Indicator  SNI   but that wasn t the case  Analyzing the subdomain s SSL certificate with https   www ssllabs com ssltest  returned the error Chain issues    Incomplete   After adding the GoDaddy provided gd bundle-g2-g1 crt file via the SSLCertificateChainFile Apache directive  Node was able to connect over HTTPS and the error went away

User · Answer

The Secure Solution  Rather than turning off security you can add the necessary certificates to the chain  First install ssl-root-cas package from npm   npm install ssl-root-cas   This package contains many intermediary certificates that browsers trust but node doesn t   var sslRootCAs   require  ssl-root-cas latest   sslRootCAs inject     Will add the missing certificates  See here for more info   https   git coolaj86 com coolaj86 ssl-root-cas js  Also  See the next answer below

User · Answer

Just putting this here in case it helps someone  my case was different and a bit of an odd mix  I was getting this on a request that was accessed via superagent - the problem had nothing to do with certificates  which were setup properly  and all to do with the fact that I was then passing the superagent result through the async module s waterfall callback  To fix  Instead of passing the entire result  just pass result body through the waterfall s callback

User · Answer

I had the same issues  I have followed  ThomasReggi and  CoolAJ86 solution and worked well but I m not satisfied with the solution   Because  UNABLE TO VERIFY LEAF SIGNATURE  issue is happened due to certification configuration level   I accept  thirdender solution but its partial solution As per the nginx official website  they clearly mentioned certificate should be combination of The server certificate and chained certificates

User · Answer

CoolAJ86 s solution is correct and it does not compromise your security like disabling all checks using rejectUnauthorized or NODE TLS REJECT UNAUTHORIZED   Still  you may need to inject an additional CA s certificate explicitly   I tried first the root CAs included by the ssl-root-cas module   require  ssl-root-cas latest      inject      I still ended up with the UNABLE TO VERIFY LEAF SIGNATURE error   Then I found out who issued the certificate for the web site I was connecting to by the COMODO SSL Analyzer  downloaded the certificate of that authority and tried to add only that one   require  ssl-root-cas latest      addFile   dirname     comodohigh-assurancesecureserverca crt      I ended up with another error  CERT UNTRUSTED   Finally  I injected the additional root CAs and included  my   apparently intermediary  CA  which worked   require  ssl-root-cas latest      inject      addFile   dirname     comodohigh-assurancesecureserverca crt

User · Answer

Another approach to solving this securely is to use the following module   node extra ca certs mozilla bundle  This module can work without any code modification by generating a PEM file that includes all root and intermediate certificates trusted by Mozilla  You can use the following environment variable  Works with Nodejs v7 3     NODE EXTRA CA CERTS  To generate the PEM file to use with the above environment variable  You can install the module using   npm install --save node extra ca certs mozilla bundle   and then launch your node script with an environment variable   NODE EXTRA CA CERTS node modules node extra ca certs mozilla bundle ca bundle ca intermediate root bundle pem node your script js   Other ways to use the generated PEM file are available at   https   github com arvind-agarwal node extra ca certs mozilla bundle  NOTE  I am the author of the above module

User · Answer

You have to include the Intermediate certificate in your server  This solves the  Error  UNABLE TO VERIFY LEAF SIGNATURE

User · Answer

Following commands worked for me    gt  npm config set strict-ssl false  gt  npm cache clean --force  The problem is that you are attempting to install a module from a repository with a bad or untrusted SSL Secure Sockets Layer  certificate  Once you clean the cache  this problem will be resolved You might need to turn it to true later on

User · Answer

You can also try by setting strictSSL to false  like this          url   https            method   POST      headers             Content-Type    application json       strictSSL  false

User · Answer

It may be very tempting to do rejectUnauthorized  false or process env  NODE TLS REJECT UNAUTHORIZED      0   but don t do it  It exposes you to man in the middle attacks   The other answers are correct in that the issue lies in the fact that your cert is  signed by an intermediary CA   There is an easy solution to this  one which does not require a third party library like ssl-root-cas or injecting any additional CAs into node   Most https clients in node support options that allow you to specify a CA per request  which will resolve UNABLE TO VERIFY LEAF SIGNATURE  Here s a simple example using node s built-int https module   import https from  https    const options       host    lt your host gt      defaultPort  443    path    lt your path gt         assuming the bundle file is co-located with this file   ca  readFileSync   dirname      lt your bundle file gt  ca-bundle      headers         content-type    application json          https get options  res   gt         do whatever you need to do      If  however  you can configure the ssl settings in your hosting server  the best solution would be to add the intermediate certificates to your hosting provider  That way the client requester doesn t need to specify a CA  since it s included in the server itself  I personally use namecheap   heroku  The trick for me was to create one  crt file with cat yourcertificate crt bundle ca-bundle  gt  server crt  I then opened up this file and added a newline after the first certificate  You can read more at  https   www namecheap com support knowledgebase article aspx 10050 33 installing-an-ssl-certificate-on-heroku-ssl

User · Answer

It s not an issue with the application  but with the certificate which is signed by an intermediary CA  If you accept that fact and still want to proceed  add the following to request options    rejectUnauthorized  false   Full request   request        rejectUnauthorized   false       url   domain   api orders originator   id       method    GET        headers             X-API-VERSION   1           X-API-KEY   key           function err  response  body       console log err       console log response       console log body

[javascript] Unable to verify leaf signature

Examples related to javascript

Examples related to node.js

Examples related to ssl

Examples related to request