Node/Keystone.js - Help with NET::ERR_CERT_AUTHORITY_INVALID error

waffl · 2018-10-09 18:03:43 UTC

I am running into a problem where my node/keystonejs app returns a NET::ERR_CERT_AUTHORITY_INVALID error. I’ve been generating my certificates with certbot standalone:

sudo certbot certonly --standalone -w ~/letsencrypt -d www.domain.com

I followed this article regarding setting up keystonejs and letsencrypt and have tried debugging with the commands as outlined in the template below. I’m really lost in terms of how to go about fixing this problem, any help would be so greatly appreciated:

I ran this command:

echo | openssl s_client -connect www.domain.com:3001 -servername www.domain.com 2>/dev/null | awk '/Certificate chain/,/---/'

It produced this output:

Certificate chain
 0 s:/CN=www.domain.com
   i:/CN=Fake LE Intermediate X1
 1 s:/CN=Fake LE Intermediate X1
   i:/CN=Fake LE Root X1
---

My web server is (include version): Node - Keystone.js 4.0.0-beta.5

The operating system my web server runs on is (include version): 4.4.0-116-generic #140-Ubuntu SMP

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

rg305 · 2018-10-09 18:05:46 UTC

That is the staging server.

waffl · 2018-10-09 18:17:44 UTC

Ok interesting. I’ve set my node environment to production which I’ve confirmed inside node, and when I requested the certificate, I didn’t use the --staging flag.

Sorry, but most threads I’ve seen have recommended simply completely purging letsencrypt, but I’m wondering if there’s a few more debugging steps I can try first?

edit: I’ve completely purged and reinstalled letsencrypt from my system, and am running into the same problem, where it always returns the Fake LE Intermediate

_az · 2018-10-09 18:42:21 UTC

Consider:

github.com

keystonejs/keystone/blob/cc7c591570f497e5d679c7e1f21e0297a0e46e8e/server/initLetsEncrypt.js#L27


	}
	if (!ssl) {
		console.error('Ignoring `letsencrypt` setting because `ssl` is not set.');
	}
	if (ssl === 'only') {
		console.error('To use Let\'s Encrypt you need to have a regular HTTP listener as well. Please set ssl to either `true` or `"force"`.');
	}


	var email = options.email;
	var approveDomains = options.domains;
	var server = options.production ? 'production' : 'staging';
	var agreeTos = options.tos;


	if (!Array.isArray(approveDomains)) {
		approveDomains = [approveDomains];
	}
	if (!(agreeTos && email && approveDomains)) {
		console.error("For auto registation with Let's Encrypt you have to agree to the TOS (https://letsencrypt.org/repository/) (tos: true), provide domains (domains: ['mydomain.com', 'www.mydomain.com']) and a domain owner email (email: 'admin@mydomain.com')");
		return;
	}
	// TODO maybe we should use le-store-mongo

Are you running your server with NODE_ENV=production ?

Are you sure that Keystone/Greenlock has not saved the old certificate on disk? Can you do some printf debugging inside that file in your node_modules/ to see what values are being passed?

_az · 2018-10-09 18:53:42 UTC

Based on my reading of the actual module, you should be able to do:

letsencrypt: {
  production: true,
  // the rest
}

which doesn’t agree with the [2 year old] blog post, but does seem to be the actual API.

waffl · 2018-10-09 19:00:14 UTC

Oh my goodness, YES. Thank you. I do not understand why this isn’t documented anywhere - I will send a note to the keystone team. This is the issue, which is odd as my NODE_ENV is definitely set to production. I also didn’t need to be issuing manual certificates as it was handled automatically.

So having wiped everything then making this adjustment, everything is finally working.

system · 2018-11-08 19:00:15 UTC

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.