I have been given an SSL certificate that will be used to sign client requests, as well as the corresponding CA certificates. I can check this with openssl:
    $ openssl s_client -CAfile /etc/ssl/foo/ca-combined.pem -servername foo.co.in -connect foo.co.in:443
    CONNECTED(00000003)
    ... snip ...
    Verify return code: 0 (ok)
    ---
    closed
(I have expanded two CA certificates into one file). But when I try to play it using node:
    var tls = require('tls');
    var fs = require('fs');

    var options = {
      host: 'foo.co.in',
      servername: 'foo.co.in',
      port: 443,
      key: fs.readFileSync('/etc/ssl/private/foo.key'),
      cert: fs.readFileSync('/etc/ssl/foo/cert.pem'),
      ca: [fs.readFileSync('/etc/ssl/foo/combined-ca.pem')]
    };

    tls.connect(options, function(err) {
      done(err);
    });
I get an error message:
    Uncaught Error: unable to get local issuer certificate
        at Error (native)
        at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
        at TLSSocket._finishInit (_tls_wrap.js:610:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38)
I found the answer here, suggesting that I need to put each CA certificate in a separate file:
    ca: [fs.readFileSync('/etc/ssl/foo/ca.pem'), fs.readFileSync('/etc/ssl/foo/root-ca.pem')]
but it still gave the same error. (I also tried reordering them.) Then I tried putting the intermediate certificate in the client, and simply provided the CA root certificate as ca (which seems to be what the docs suggest), but got the same error. At the moment, I'm running out of ideas. The fact that openssl is happy suggests that I'm doing something wrong. Any suggestions?
    $ node --version
    v6.10.1
(I understand that I can set rejectUnauthorized to false, but I really would not want to)
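The one-entry-per-certificate form of `ca` tried above can be built from the combined bundle itself instead of from separately maintained files. This is an added example, not code from the original post; `splitPemBundle` and `SAMPLE_BUNDLE` are names constructed for illustration, and the sample blocks are placeholders, not real certificates.

```javascript
// Matches one PEM block; \1 forces the END label to equal the BEGIN label.
const PEM_BLOCK =
  /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+?)-----END \1-----/g;

// Split a combined bundle into one clean PEM string per certificate.
// Returns { certs, skipped }: `skipped` lists labels of non-certificate
// blocks (for example a private key that ended up in a CA bundle).
function splitPemBundle(bundleText) {
  const certs = [];
  const skipped = [];
  const seen = new Set();
  let m;
  PEM_BLOCK.lastIndex = 0;
  while ((m = PEM_BLOCK.exec(bundleText)) !== null) {
    const label = m[1];
    const body = m[2].replace(/\s+/g, ''); // drops CR/LF inside the body
    if (label !== 'CERTIFICATE') { skipped.push(label); continue; }
    if (seen.has(body)) continue;          // same certificate pasted twice
    seen.add(body);
    const wrapped = body.match(/.{1,64}/g).join('\n');
    certs.push('-----BEGIN CERTIFICATE-----\n' + wrapped +
               '\n-----END CERTIFICATE-----\n');
  }
  if (certs.length === 0) throw new Error('no CERTIFICATE blocks in bundle');
  return { certs, skipped };
}

// Constructed sample: leading text, a CRLF block, a stray key, a duplicate.
const SAMPLE_BUNDLE = [
  'subject=/CN=Constructed Intermediate',
  '-----BEGIN CERTIFICATE-----',
  'Q09OU1RSVUNURURJTlRFUk1FRElBVEU=',
  '-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----\r',
  'Q09OU1RSVUNURURST09U\r',
  '-----END CERTIFICATE-----\r',
  '-----BEGIN PRIVATE KEY-----',
  'Tk9UQVJFQUxLRVk=',
  '-----END PRIVATE KEY-----',
  '-----BEGIN CERTIFICATE-----',
  'Q09OU1RSVUNURURST09U',
  '-----END CERTIFICATE-----',
  ''
].join('\n');

// With a real bundle (path taken from the question):
//   ca: splitPemBundle(fs.readFileSync('/etc/ssl/foo/combined-ca.pem', 'utf8')).certs
```

A non-empty `skipped` list or an unexpected certificate count is worth checking before looking further at the TLS options.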