3
votes

My Node.JS/Express application is getting the following error when attempting an HTTPS GET request from my server code, to an API served by another server (different company, server not owned by us):

CERT_UNTRUSTED

NOTE: I am running these tests from my Linux box using the "localhost" domain.

I tried the steps outlined in this article to create a self-signed temporary certificate, just to get around this problem:

http://www.hacksparrow.com/node-js-https-ssl-certificate.html

However, I still get the error. (Side note: since I created the server with SSL keys loaded using the HTTPS module, the server only responds to HTTPS (https://) URL requests now. The server does not respond to non-HTTPS requests anymore since I configured it to load my SSL PEM files when creating the server. Oddly enough, it prints two "listening-to server on port " prompts when it used to print only one.)

How can I fix this?

NOTE: The host name property in the options object in the code below has been changed to a "dummy" URL because it is confidential. If you try the URL you will get an error.

Code excerpts:

var https = require('https');
https.globalAgent.options.secureProtocol = 'SSLv3_method';

var httpsOptions = {
    // dummyHostName stands in for the confidential host name (see the note above).
    hostname: dummyHostName,
    port: 80,
    method: 'GET',
    path: '/search?text=test',
    headers: {
        // Request JSON response.
        'Content-Type': 'application/json',
        'Upgrade-Insecure-Requests': '1',
        'json': 'true'
    }
};

var httpsReq =
    https.request(httpsOptions,
        function (resHttp) {
            // This block is never reached due to the error.
        });
httpsReq.end();

I tried installing the ssl-root-cas NPM package as per this document:

https://github.com/coolaj86/node-ssl-root-cas

But I could not figure out what PEM files I needed to load under the USAGE section in the instructions, which show dummy file names, so I don't think I'm using it properly.

Here is my package list for the app:


1
"I tried the steps outlined in this article to create a self-signed temporary certificate, just to get around this problem..." - You did not provide the server's certificate. I also don't see where your CA is trusted by the UA. Also see How do you sign Certificate Signing Request with your Certification Authority and How to create a self-signed certificate with openssl? It provides a lot of background information on X.509 server certificates, and where the various rules come from. - jww
"... in the code below has been changed to a "dummy" URL because it is confidential" - So I am clear... You hung the box off the Internet for everyone to bang on; but you hid the URL from us when asking for help. Is that correct? - jww
@jww - re: first comment. I used the steps depicted in the hacksparrow article I linked to, to generate the PEM files for my self-signed certificate. re: second comment: "You hung the box...". No, I didn't. As I stated in my post, the box I am communicating with is a foreign API server owned by an external company, not by us. - Robert Oschler

1 Answer

1
votes

If you have a server that is using a self-signed certificate (or the domain of the server is not the same as defined in the URL), then it is just encrypting the data but not identifying itself. That is why Node.js will error on that request, but if you want to ignore that issue (which, from your question, is basically what I understand), you can pass the following property in your httpsOptions:

rejectUnauthorized: false

See more info at:

https://nodejs.org/api/https.html#https_https_request_options_callback
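
Added example, not part of the answer above or of either linked project: a small check that flags the client TLS settings seen on this page, next to an options builder that keeps certificate verification on and trusts one extra CA through the `ca` option. The function names, the placeholder host `api.example.invalid` and the placeholder PEM string are assumptions made for the illustration.

```javascript
'use strict';
const tls = require('tls');

// Flags the risky client-side TLS settings that appear on this page.
function auditHttpsOptions(opts) {
  const findings = [];
  if (opts.rejectUnauthorized === false) {
    findings.push('rejectUnauthorized=false: the server certificate is not verified');
  }
  if (/^SSLv[23]_/.test(opts.secureProtocol || '')) {
    findings.push(opts.secureProtocol + ': SSLv2 and SSLv3 are obsolete protocol versions');
  }
  if (opts.port === 80) {
    findings.push('port 80: conventional plaintext HTTP port; HTTPS defaults to 443');
  }
  return findings;
}

// Builds request options that keep verification on. If the server's chain ends
// in a private or self-signed root, pass that root's PEM text as extraCaPem.
function verifiedOptions(hostname, path, extraCaPem) {
  const opts = {
    hostname: hostname,
    port: 443,
    method: 'GET',
    path: path,
    headers: { Accept: 'application/json' },
    minVersion: 'TLSv1.2',
    rejectUnauthorized: true
  };
  // Setting `ca` replaces Node's bundled root list, so append instead of overwrite.
  if (extraCaPem) {
    opts.ca = tls.rootCertificates.concat([extraCaPem]);
  }
  return opts;
}

// Constructed inputs: placeholder host, and the question's settings folded into
// one object (the question sets secureProtocol on https.globalAgent.options).
const HOST = 'api.example.invalid';
const fromQuestion = { hostname: HOST, port: 80, method: 'GET',
  path: '/search?text=test', secureProtocol: 'SSLv3_method' };
const withAnswer = Object.assign({}, fromQuestion, { rejectUnauthorized: false });
const PLACEHOLDER_CA = '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----';

console.log(auditHttpsOptions(fromQuestion));
console.log(auditHttpsOptions(withAnswer));
console.log(auditHttpsOptions(verifiedOptions(HOST, '/search?text=test', PLACEHOLDER_CA)));
```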