I have a node application running as an Azure function. Every 60 seconds it makes a number of web api calls, and one of the web apis has its SSL certificate signed by LetsEncrypt (R3).
On September 30th 2021 a root certificate expired. https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Now the function fails to call the API. (See the error below).
Where would the fault be?
I tried running similar code on my own machine and had similar problems, even after deleting all the expired certificates from the Windows Certificate store.
Here is the error that is being thrown in the Azure Function app:
Result: Failure Exception: AggregateError: RequestError: certificate has expired
at ClientRequest.<anonymous> (C:/home/site/wwwroot/node_modules/got/dist/source/core/index.js:953:111)
at ClientRequest.origin.emit (C:/home/site/wwwroot/node_modules/@szmarczak/http-timer/dist/source/index.js:39:20) RequestError: certificate has expired
at ClientRequest.<anonymous> (C:/home/site/wwwroot/node_modules/got/dist/source/core/index.js:953:111)
at ClientRequest.origin.emit (C:/home/site/wwwroot/node_modules/@szmarczak/http-timer/dist/source/index.js:39:20) Stack: AggregateError: RequestError: certificate has expired at ClientRequest.<anonymous>
The actual trigger for this is my first call
import { Issuer } from 'openid-client';
// ...
// This line of code throws the exception
const laqorrIssuer = await Issuer.discover(clientMetaData.laqorr_api_base);
If you need to get your Node application working urgently, just add this line of code at the start.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
This will disable certificate validation altogether. Obviously, this is not an acceptable long-term solution.
Here's some more information that I came up with while fumbling around.
LetsEncrypt
Lets Encrypt originally used a particular certificate as the Root Certification Authority: DST Root CA X3 . It's validity range was from 2000-10-01 to 2021-10-01. It's no longer valid.
Lets Encrypt now uses ISRG Root X1 as the root certification authority. It has a valid date range of 2015-06-04 to 2035-06-04. If a platform doesn't recognize this root certification authority, it will not trust Lets Encrypt.
Node
Updating certificate stores in your operating system will have no effect on the NodeJS platform.
Node uses a hardcoded list of certification authorities, defined in node_root_certs.h . (See this readme for more details).
The up-to-date certificate ISRG Root X1
has been part of Node since version 8.0.0
. (See this commit ).
const got = require('got'); (async () => { try { // Change this to the url you want to test const url = 'https://letsencrpt.org'; console.log(`Reading from ${url}`); const response = await got(url); console.log(response.body); } catch (error) { console.log(`error: ${error}`); if(error.response) { console.log(error.response.body); } } })();
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.