LetsEncrypt root certificate expiry breaks Azure Function Node application
Question
I have a node application running as an Azure function. Every 60 seconds it makes a number of web api calls, and one of the web apis has its SSL certificate signed by LetsEncrypt (R3).
On September 30th 2021 a root certificate expired. https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Now the function fails to call the API. (See the error below).
Where would the fault be?
- Is the fault in NodeJS itself? Does it have its own set of root certificates built into it?
- Or is the fault with Azure? Should the server that this is running on have the correct set of root certificates set up?
- Or am I supposed to do something?
I tried running similar code on my own machine and had similar problems, even after deleting all the expired certificates from the Windows Certificate store.
Here is the error that is being thrown in the Azure Function app:
Result: Failure Exception: AggregateError: RequestError: certificate has expired
at ClientRequest.<anonymous> (C:/home/site/wwwroot/node_modules/got/dist/source/core/index.js:953:111)
at ClientRequest.origin.emit (C:/home/site/wwwroot/node_modules/@szmarczak/http-timer/dist/source/index.js:39:20) RequestError: certificate has expired
at ClientRequest.<anonymous> (C:/home/site/wwwroot/node_modules/got/dist/source/core/index.js:953:111)
at ClientRequest.origin.emit (C:/home/site/wwwroot/node_modules/@szmarczak/http-timer/dist/source/index.js:39:20) Stack: AggregateError: RequestError: certificate has expired at ClientRequest.<anonymous>
The actual trigger for this is my first call
import { Issuer } from 'openid-client';
// ...
// This line of code throws the exception
const laqorrIssuer = await Issuer.discover(clientMetaData.laqorr_api_base);
1 answers
solution1
3 2021-10-06 00:01:32
If you need to get your Node application working urgently, just add this line of code at the start.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
This will disable certificate validation altogether. Obviously, this is not an acceptable long-term solution.
The thing that ultimately solved the problem was restarting the Windows web servers the Node app was communicating with. I didn't think I would need to do this because my Chrome browser could query the same servers with no problems. There must be some difference between Node and the Chrome Browser. The act of restarting the servers the clients were talking to was enough to get around this difference.
Here's some more information that I came up with while fumbling around.
LetsEncrypt
Lets Encrypt originally used a particular certificate as the Root Certification Authority: DST Root CA X3 . It's validity range was from 2000-10-01 to 2021-10-01. It's no longer valid.
Lets Encrypt now uses ISRG Root X1 as the root certification authority. It has a valid date range of 2015-06-04 to 2035-06-04. If a platform doesn't recognize this root certification authority, it will not trust Lets Encrypt.
Node
Updating certificate stores in your operating system will have no effect on the NodeJS platform.
Node uses a hardcoded list of certification authorities, defined in node_root_certs.h . (See this readme for more details).
The up-to-date certificate ISRG Root X1 has been part of Node since version 8.0.0 . (See this commit ).
Finally, if you want to write a tiny node application to test if a web request will work: here is one.
const got = require('got'); (async () => { try { // Change this to the url you want to test const url = 'https://letsencrpt.org'; console.log(`Reading from ${url}`); const response = await got(url); console.log(response.body); } catch (error) { console.log(`error: ${error}`); if(error.response) { console.log(error.response.body); } } })();
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.