Configuring node.js to use the Fake LE Root X1 CA


#1

I’m writing integration tests for a system that uses LetsEncrypt (which is amazing!). We need to use the staging LE server in order to not hit rate limits.

That means that everything inside our tests has to be configured using the Fake LE Root X1 CA, which I downloaded with:

curl -s https://acme-staging.api.letsencrypt.org/acme/issuer-cert | openssl x509 -inform der -outform pem -out acme-staging.pem

This file works great with curl’s --cacert. It works great with Go:

package main

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"log"
	"net/http"

	cleanhttp "github.com/hashicorp/go-cleanhttp"
)

func main() {
	t := cleanhttp.DefaultTransport()
	certs, err := ioutil.ReadFile("acme-staging.pem")
	if err != nil {
		log.Fatal(err)
	}
	t.TLSClientConfig = &tls.Config{RootCAs: x509.NewCertPool()}
	t.TLSClientConfig.RootCAs.AppendCertsFromPEM(certs)
	c := &http.Client{Transport: t}
	resp, err := c.Get("https://galaxy.test-20160721224638.meet-eeyore.com/")
	log.Print(err)
	log.Print(resp)
}

But it doesn’t work with Node.js (tried 4.4.3):

var https = require('https');
var fs = require('fs');

https.get({
  hostname: 'galaxy.test-20160721224638.meet-eeyore.com',
  path: '/',
  ca: fs.readFileSync('acme-staging.pem'),
}, function (res) {
  console.log("got response", res.statusCode);
}).on('error', function (e) {
  console.log("got error", e.message);
});

This gets me “got error unable to get issuer certificate”.

I realize this is kinda more of a Node support question than a LE question, but perhaps somebody else here has written test suites in Node with the fake root cert…


#2

Ah, solved my own problem.

I didn’t read far enough down on Let’s Encrypt Staging Root and downloaded the intermediate cert instead of the root cert from http://cert.stg-root-x1.letsencrypt.org/

For some reason curl and Go liked that better than Node.
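
The difference seen in this thread, as an added example that is not part of the original posts: Go's verifier treats any certificate placed in RootCAs as a trust anchor, self-signed or not, so an intermediate in that pool is enough. The three-certificate chain and the names mkCert, IsSelfSignedRoot and VerifiesWithAnchor are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed, short-lived test certificate; a nil parent means self-signed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// IsSelfSignedRoot reports whether subject equals issuer and the signature verifies under the cert's own key.
func IsSelfSignedRoot(c *x509.Certificate) bool {
	return string(c.RawSubject) == string(c.RawIssuer) && c.CheckSignatureFrom(c) == nil
}

// VerifiesWithAnchor reports whether Go accepts leaf when anchor is the only certificate in the root pool.
func VerifiesWithAnchor(leaf, anchor *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

func main() {
	root, rk := mkCert("Constructed Root", true, nil, nil)
	inter, ik := mkCert("Constructed Intermediate", true, root, rk)
	leaf, _ := mkCert("leaf.example.test", false, inter, ik)
	fmt.Println(IsSelfSignedRoot(root), IsSelfSignedRoot(inter), VerifiesWithAnchor(leaf, inter))
}
```

Running the same subject/issuer check on a downloaded PEM before handing it to Node's `ca` option catches the intermediate-for-root mix-up described in #2.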

