var fs = require('fs');
var hardhttps = require('hardhttps');
// Trust store for outbound (client-side) connections made through the global agent.
hardhttps.globalAgent.options.ca = require('ssl-root-cas/latest').inject().addFile('/etc/letsencrypt/lets-encrypt-x3-cross-signed.pem');
var pem = {
  key: fs.readFileSync('/etc/letsencrypt/live/mysite.com/privkey.pem', 'utf8'),
  // fullchain.pem = leaf certificate + intermediate; this is the chain sent to connecting clients.
  cert: fs.readFileSync('/etc/letsencrypt/live/mysite.com/fullchain.pem', 'utf8'),
  // On a server, `ca` is only consulted when verifying client certificates; it does not change the served chain.
  ca: fs.readFileSync('/etc/letsencrypt/lets-encrypt-x3-cross-signed.pem', 'utf8'),
  pass: 'xxxx' // certbot writes privkey.pem unencrypted, so a passphrase is only needed if the key was re-encrypted
};
var server = hardhttps.createServer({ key: pem.key, cert: pem.cert, ca: [pem.ca], passphrase: pem.pass })
  .listen(8000); // listen() takes a port, not the server variable (which is still undefined here); 8000 is assumed from the s_client check later in this thread
It just errors with [Error: unable to get issuer certificate] code: 'UNABLE_TO_GET_ISSUER_CERT' whenever I try to connect via my additional server
Hi @benzmuircroft, if you’re explicitly using lets-encrypt-x3-cross-signed.pem, maybe you should be using chain.pem instead of fullchain.pem? (fullchain.pem contains a copy of that and maybe that’s a sign that it’s redundant and confusing to your server software.)
You should be able to see exactly what certs are being sent back by trying to connect using
openssl s_client -connect localhost:443
(or wherever the server is listening instead of localhost:443). The received certificate data will be displayed at the top of the output, so you can see what’s missing. (Or you can use ssllabs.com to diagnose it if you don’t mind having outsiders looking at your server.)
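To make the chain.pem / fullchain.pem distinction concrete, here is an added example (not from this thread or from any poster) that builds a throwaway root -> intermediate -> leaf chain with the openssl CLI, lays the files out the way certbot does (chain.pem = intermediate only, fullchain.pem = leaf + intermediate), and then runs `openssl verify` the way a TLS client would: one trust-anchor file, plus whatever the server sent as untrusted chain material. All names (Example Root, Example Intermediate, mysite.com) are made up and the chain is generated in a temporary directory; it assumes OpenSSL 1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: build root -> intermediate -> leaf with the
# openssl CLI and show which trust/chain combinations make OpenSSL report
# "unable to get issuer certificate". Names are made up; layout mimics certbot.

# make_chain DIR: create keys and certificates under DIR (quietly).
make_chain() {
  dir=$1
  mkdir -p "$dir"
  (
    cd "$dir" || exit 1
    # Root CA, self-signed. The stock openssl.cnf marks `req -x509` output CA:TRUE.
    openssl ecparam -name prime256v1 -genkey -noout -out root.key
    openssl req -x509 -new -key root.key -subj "/CN=Example Root" -days 30 -out root.pem
    # Intermediate CA, signed by the root, with CA extensions from an extfile.
    openssl ecparam -name prime256v1 -genkey -noout -out int.key
    openssl req -new -key int.key -subj "/CN=Example Intermediate" -out int.csr
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 30 -extfile int.ext -out int.pem
    # End-entity (leaf) certificate, signed by the intermediate.
    openssl ecparam -name prime256v1 -genkey -noout -out leaf.key
    openssl req -new -key leaf.key -subj "/CN=mysite.com" -out leaf.csr
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mysite.com\n' > leaf.ext
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 30 -extfile leaf.ext -out leaf.pem
    # certbot naming: chain.pem is the intermediate alone, fullchain.pem is leaf + intermediate.
    cp int.pem chain.pem
    cat leaf.pem int.pem > fullchain.pem
  ) >/dev/null 2>&1
}

# verify_leaf DIR TRUSTFILE [UNTRUSTEDFILE]: verify leaf.pem with TRUSTFILE as the
# only trust anchors (-no-CApath keeps the system store out of it) and, optionally,
# UNTRUSTEDFILE as extra chain certificates, i.e. what a server would send along
# with its leaf. Prints "ok" or the reason text OpenSSL gives.
verify_leaf() {
  dir=$1; trust=$2; untrusted=$3
  if [ -n "$untrusted" ]; then
    out=$(openssl verify -no-CApath -CAfile "$dir/$trust" -untrusted "$dir/$untrusted" "$dir/leaf.pem" 2>&1) || true
  else
    out=$(openssl verify -no-CApath -CAfile "$dir/$trust" "$dir/leaf.pem" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo ok ;;
    *) printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
  esac
}

# demo: the three situations a practitioner usually meets.
demo() {
  d=$(mktemp -d)
  make_chain "$d"
  echo "root trusted, server sent leaf only:            $(verify_leaf "$d" root.pem)"
  echo "root trusted, server sent leaf + intermediate:  $(verify_leaf "$d" root.pem chain.pem)"
  echo "intermediate trusted as the only anchor, no root: $(verify_leaf "$d" chain.pem)"
  rm -rf "$d"
}
```

Run `demo` to see the three outcomes side by side: a missing intermediate produces "unable to get local issuer certificate", the full chain verifies, and trusting the intermediate alone (without the self-signed root it was issued by) produces the exact text from the original post, "unable to get issuer certificate", because OpenSSL does not accept a partial chain by default. On the server side, compare what is actually sent with what is in fullchain.pem using `openssl s_client -connect host:port -showcerts`, which prints every certificate the server presents rather than just their subjects.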
Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
at Error (native)
at Object.createSecureContext (_tls_common.js:85:19)
at Server (_tls_wrap.js:736:25)
at new Server (https.js:17:14)
at Object.exports.createServer (https.js:37:10)
at Object.createServer (/var/sentora/hostdata/zadmin/node_modules/hardhttps/hardhttps.js:63:22)
at Object.G.listen (/var/sentora/hostdata/zadmin/private_js/N.dg.js:41:27)
at Object.<anonymous> (/var/sentora/hostdata/zadmin/private_js/N.dg.js:147:19)
at Module._compile (module.js:435:26)
at Object.Module._extensions..js (module.js:442:10)
If I use the command openssl s_client -connect localhost:8000
I get:
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mysite.com
verify return:1
POODLE is a web server configuration issue, not a certificate or Let's Encrypt issue. Basically, SSLv3 is an insecure and deprecated protocol and shouldn't be offered by your server.
Don't worry too much about clients that don't support SNI. They tend to be quite old and I haven't seen one in actual use in many years. Those notifications are about reference browsers/platforms, and you only need to be concerned if you're still using one.
Thanks @DarkSteve! My main goal here is to achieve no error on UNABLE_TO_GET_ISSUER_CERT! I want to identify what this error means and fix it! After that I will kill POODLE! I am providing as much info as I have as asked by @schoen.
My work as a node.js developer is literally dead/on hold unless I get these two servers to talk.
Do you have any knowledge on UNABLE_TO_GET_ISSUER_CERT (vague error)?
No, sorry, I’ve read through everything you’ve posted and I’m not familiar with node.js or much of what you’re doing. Hopefully Schoen can answer you!
I just try to help out where I can. Sometimes telling you what isn’t the problem can stop you spending time on things that won’t help
What TLS client are you using to connect with that yields the UNABLE_TO_GET_ISSUER_CERT? Do you have a different client, such as a web browser, that you could use for comparison?
I’m not sure I follow. What’s the “server to server connection” here?
The code in your original post shows how you launch the HTTPS server.
If some other server connects to that server as well, that’s just another TLS client. “Server to server” is not a TLS concept. I’m interested in the code where you establish a connection from one server to the other.
There's no need to set any of that. Server 2 is just a TLS client requesting Server 1, it does not need the server's key or certificate file. You probably just want: