Error: unable to verify the first certificate in nodejs

Question

I'm trying to download a file from jira server using an URL but I'm getting an error. how to include certificate in the code to verify?

Error:

Error: unable to verify the first certificate in nodejs

at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:929:36)
   
  at TLSSocket.emit (events.js:104:17)

at TLSSocket._finishInit (_tls_wrap.js:460:8)

My Nodejs code:

var https = require("https");
var fs = require('fs');
var options = {
    host: 'jira.example.com',
    path: '/secure/attachment/206906/update.xlsx'
};

https.get(options, function (http_res) {
    
    var data = "";

  
    http_res.on("data", function (chunk) {
       
        data += chunk;
    });

   
    http_res.on("end", function () {
      
        var file = fs.createWriteStream("file.xlsx");
        data.pipe(file);
      
    });
});

Answer 1

Try adding the appropriate root certificate

This is always going to be a much safer option than just blindly accepting unauthorised end points, which should in turn only be used as a last resort.

This can be as simple as adding

require('https').globalAgent.options.ca = require('ssl-root-cas/latest').create();

to your application.

The SSL Root CAs npm package (as used here) is a very useful package regarding this problem.

Answer 2

unable to verify the first certificate

The certificate chain is incomplete.

It means that the webserver you are connecting to is misconfigured and did not include the intermediate certificate in the certificate chain it sent to you.

Certificate chain

It most likely looks as follows:

1. Server certificate - stores a certificate signed by intermediate.
2. Intermediate certificate - stores a certificate signed by root.
3. Root certificate - stores a self-signed certificate.

Intermediate certificate should be installed on the server, along with the server certificate.
Root certificates are embedded into the software applications, browsers and operating systems.

The application serving the certificate has to send the complete chain, this means the server certificate itself and all the intermediates. The root certificate is supposed to be known by the client.

Recreate the problem

Go to https://incomplete-chain.badssl.com using your browser.

It doesn't show any error (padlock in the address bar is green).
It's because browsers tend to complete the chain if it's not sent from the server.

Now, connect to https://incomplete-chain.badssl.com using Node:

// index.js
const axios = require('axios');

axios.get('https://incomplete-chain.badssl.com')
  .then(function (response) {
    console.log(response);
  })
  .catch(function (error) {
    console.log(error);
  });

Logs: " Error: unable to verify the first certificate ".

Solution

You need to complete the certificate chain yourself.

To do that:

1: You need to get the missing intermediate certificate in .pem format, then

2a: extend Node's built-in certificate store using NODE_EXTRA_CA_CERTS ,

2b: or pass your own certificate bundle (intermediates and root) using ca option.

1. How do I get intermediate certificate?

Using openssl (comes with Git for Windows ).

Save the remote server's certificate details:

openssl s_client -connect incomplete-chain.badssl.com:443 -servername incomplete-chain.badssl.com | tee logcertfile

We're looking for the issuer (the intermediate certificate is the issuer / signer of the server certificate):

openssl x509 -in logcertfile -noout -text | grep -i "issuer"

It should give you URI of the signing certificate. Download it:

curl --output intermediate.crt http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

Finally, convert it to .pem :

openssl x509 -inform DER -in intermediate.crt -out intermediate.pem -text

2a. NODE_EXTRA_CERTS

I'm using cross-env to set environment variables in package.json file:

"start": "cross-env NODE_EXTRA_CA_CERTS=\"C:\\Users\\USERNAME\\Desktop\\ssl-connect\\intermediate.pem\" node index.js"

2b. ca option

This option is going to overwrite the Node's built-in root CAs.

That's why we need to create our own root CA. Use ssl-root-cas .

Then, create a custom https agent configured with our certificate bundle (root and intermediate). Pass this agent to axios when making request.

// index.js
const axios = require('axios');
const path = require('path');
const https = require('https');
const rootCas = require('ssl-root-cas').create();

rootCas.addFile(path.resolve(__dirname, 'intermediate.pem'));
const httpsAgent = new https.Agent({ca: rootCas});

axios.get('https://incomplete-chain.badssl.com', { httpsAgent })
  .then(function (response) {
    console.log(response);
  })
  .catch(function (error) {
    console.log(error);
  });

Instead of creating a custom https agent and passing it to axios , you can place the certifcates on the https global agent:

// Applies to ALL requests (whether using https directly or the request module)
https.globalAgent.options.ca = rootCas;

---

Resources:

1. https://levelup.gitconnected.com/how-to-resolve-certificate-errors-in-nodejs-app-involving-ssl-calls-781ce48daded
2. https://www.npmjs.com/package/ssl-root-cas
3. https://github.com/nodejs/node/issues/16336
4. https://www.namecheap.com/support/knowledgebase/article.aspx/9605/69/how-to-check-ca-chain-installation
5. https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file/
6. How to convert .crt to .pem

Answer 3

另一个肮脏的黑客，这将使您的所有请求不安全：

process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0

Answer 4

for unable to verify the first certificate in nodejs reject unauthorized is needed

 request({method: "GET", 
        "rejectUnauthorized": false, 
        "url": url,
        "headers" : {"Content-Type": "application/json",
        function(err,data,body) {
    }).pipe(
       fs.createWriteStream('file.html'));

Answer 5

The server you're trying to download from may be badly configured. Even if it works in your browser, it may not be including all the public certificates in the chain needed for a cache-empty client to verify.

I recommend checking the site in SSLlabs tool: https://www.ssllabs.com/ssltest/

Look for this error:

This server's certificate chain is incomplete.

And this:

Chain issues.........Incomplete

Answer 6

This actually solved it for me, from https://www.npmjs.com/package/ssl-root-cas

// INCORRECT (but might still work)
var server = https.createServer({
  key: fs.readFileSync('privkey.pem', 'ascii'),
  cert: fs.readFileSync('cert.pem', 'ascii') // a PEM containing ONLY the SERVER certificate
});

// CORRECT (should always work)
var server = https.createServer({
  key: fs.readFileSync('privkey.pem', 'ascii'),
  cert: fs.readFileSync('fullchain.pem', 'ascii') // a PEM containing the SERVER and ALL INTERMEDIATES
});

Answer 7

Set this in dev env:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Or, first set the environment variable

export NODE_TLS_REJECT_UNAUTHORIZED=0   

and then start the application:

node index.js

NOT suitable for the prod services.

Answer 8

You may be able to do this by modifying the request options as below. If you are using a self-signed certificate or a missing intermediary, setting strictSSL to false will not force request package to validate the certificate.

var options = {
   host: 'jira.example.com',
   path: '/secure/attachment/206906/update.xlsx',
   strictSSL: false
}

Answer 9

Another approach to solve this is to use the following module.

node_extra_ca_certs_mozilla_bundle

This module can work without any code modification by generating a PEM file that includes all root and intermediate certificates trusted by Mozilla. You can use the following environment variable (Works with Nodejs v7.3+),

NODE_EXTRA_CA_CERTS

To generate the PEM file to use with the above environment variable. You can install the module using:

npm install --save node_extra_ca_certs_mozilla_bundle

and then launch your node script with an environment variable.

NODE_EXTRA_CA_CERTS=node_modules/node_extra_ca_certs_mozilla_bundle/ca_bundle/ca_intermediate_root_bundle.pem node your_script.js

Other ways to use the generated PEM file are available at:

https://github.com/arvind-agarwal/node_extra_ca_certs_mozilla_bundle

NOTE: I am the author of the above module.

Answer 10

GoDaddy SSL CCertificate

I've experienced this while trying to connect to our backend API server with GoDaddy certificate and here is the code that I used to solve the problem.

var rootCas = require('ssl-root-cas/latest').create();

rootCas
  .addFile(path.join(__dirname, '../config/ssl/gd_bundle-g2-g1.crt'))
  ;

// will work with all https requests will all libraries (i.e. request.js)
require('https').globalAgent.options.ca = rootCas;

PS:

Use the bundled certificate and don't forget to install the library npm install ssl-root-cas

Answer 11

You can disable certificate checking globally - no matter which package you are using for making requests - like this:

// Disable certificate errors globally
// (ES6 imports (eg typescript))
//
import * as https from 'https'
https.globalAgent.options.rejectUnauthorized = false

Or

// Disable certificate errors globally
// (vanilla nodejs)
//
require('https').globalAgent.options.rejectUnauthorized = false

Of course you shouldn't do this - but it's certainly handy for debugging and/or very basic scripting where you absolutely don't care about certificates being validated correctly.

Answer 12

This Worked For me => adding agent and 'rejectUnauthorized' set to false

 const https = require('https'); //Add This const bindingGridData = async () => { const url = `your URL-Here`; const request = new Request(url, { method: 'GET', headers: new Headers({ Authorization: `Your Token If Any`, 'Content-Type': 'application/json', }), //Add The Below agent: new https.Agent({ rejectUnauthorized: false, }), }); return await fetch(request) .then((response: any) => { return response.json(); }) .then((response: any) => { console.log('response is', response); return response; }) .catch((err: any) => { console.log('This is Error', err); return; }); };

Answer 13

I faced this issue few days back and this is the approach I followed and it works for me.

For me this was happening when i was trying to fetch data using axios or fetch libraries as i am under a corporate firewall, so we had certain particular certificates which node js certificate store was not able to point to.

So for my loclahost i followed this approach. I created a folder in my project and kept the entire chain of certificates in the folder and in my scripts for dev-server( package.json ) i added this alongwith server script so that node js can reference the path.

"dev-server":set NODE_EXTRA_CA_CERTS=certificates/certs-bundle.crt

For my servers(different environments),I created a new environment variable as below and added it.I was using Openshift,but i suppose the concept will be same for others as well.

"name":NODE_EXTRA_CA_CERTS
"value":certificates/certs-bundle.crt

I didn't generate any certificate in my case as the entire chain of certificates was already available for me.

Answer 14

I met very rare case, but hopely it could help to someone: made a proxy service, which proxied requests to another service. And every request's error was "unable to verify the first certificate" even when i added all expected certificates.

The reason was pretty simple - i accidently re-sent also the "host" header. Just make sure you don't send "host" header explicitly.

Answer 15

I was able to get certificates chain via browsers like mozilla or chrome.

1. open website, go to certificate settings of the webpage and download certificates chain as filenames (first-chain.pem, second-chain.pem), should be in pem format like

----BEGIN CERTIFICATE----- MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB ...... -----END CERTIFICATE----- ----BEGIN CERTIFICATE----- MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB ...... -----END CERTIFICATE-----

2. then in your nodejs code, i did it on typescript, I added 2 cas as I have 2 webserver requests

import https from 'https' import cas from 'ssl-root-cas'

......

 interface CaList extends Buffer { addFile(file: string): Buffer[] } const caList = cas.create() as CaList caList.addFile(process.env.PROJECT_PATH + 'certs/first-chain.pem') caList.addFile(process.env.PROJECT_PATH + 'certs/second-chain.pem')

then as I need to make websocket wss connection, I add agent with list of new cas to requests

this.client.connect(KtUrl, undefined, undefined, undefined, { agent: new https.Agent({ ca: caList }) })

also had to add definition file for ssl-root-cas filename ssl-root-cas.d.ts so that typescript does not complain

declare module 'ssl-root-cas' { function create(): string | Buffer | (string | Buffer)[] | undefined }

Answer 16

Are you using axios to send request and get this error ?

If so, consider that the error unable to verify the first certificate can be coming from axios , not related to the server. To solve this, you must configure axios (or other request making app) to allow unauthorized requests. Add an https.Agent to set rejectUnauthorized: false in the config of the request:

import axios from "axios"
import https from "https"

const getCities = async () => {
    try {
        const result = await axios.get("https://your-site/api/v1/get-cities", {
            httpsAgent: new https.Agent({
              rejectUnauthorized: false // set to false
            })
        })

        console.log(result.data)
    } catch(err) {
        console.log(err?.message||err)
    }
}

If you are using a custom axios instance then:

import axios from "axios"
import https from "https"

export const request = axios.create({
  baseURL: process.env.BASE_URL,
  headers: {
    Authorization: cookies.YOUR_ACCESS_TOKEN,
  },
  httpsAgent: new https.Agent({
    rejectUnauthorized: false //set to false
  })
})

Answer 17

We have provide valid Root.pem and Intermediate.pem certificate in agentOptions property of the request object

ex:

   agentOptions: {
        ca: [
            fs.readFileSync("./ROOT.pem"),
            fs.readFileSync("./Intermediate.pem"),
        ],
    },

for more information: https://stackoverflow.com/a/72582263/4652706

Answer 18

Axios Request : Root cause of this issue is, your code cannot handel the certificate management. To solve this issue add below code.

import * as https from "https";

...

const httpsAgent = new https.Agent({
  rejectUnauthorized: false,
});

// And now pass the httpsAgent to axios request. Like below.

const { data } = await axios.get(url, { httpsAgent });

Answer 19

The answer provided by @sch helped me tremendously. There are a few additions I'd like to add. When working in a development environment where your SSL cert is issued by one of your own self-signed certificates (so there isn't an intermediate cert), it's this self-signed certificate that needs to be referenced by the NODE_EXTRA_CA_CERTS environment variable. The self-signed cert needs to saved in PEM format. I did the following once I had exported my cert:

set NODE_EXTRA_CA_CERTS=C:\rootCert.pem

(Worth noting that I'm running node on Windows, and the path to the PEM is not quoted)

Using {{node}} from the command-line, I was able to confirm whether or not I had resolved the issue, by calling:

https.get("https://my.dev-domain.local")

Answer 20

THIS WORKED FOR ME

Do the folliwings

If you don't have these packages https and axios

You can install by npm install --save axios https

import axios from 'axios';
import https from 'https';
const httpsAgent = new https.Agent({
    rejectUnauthorized: false,
})

axios.defaults.httpsAgent = httpsAgent

Boom by doing that you will get ur response.

Answer 21

I was using nodemailer npm module. The below code solved the issue

     tls: {
     // do not fail on invalid certs
     rejectUnauthorized: false
     }