1
votes

I created my own certificate authority to generate TLSv1.2 certificates for my development environment. My CA has a root cert, an intermediate cert signed by the root and a number of "leaf" certificates signed by the intermediate cert. I use one of these leaf certificates for securely connecting to the arangodb server. The arangod process seems to be running fine because I can successfully access the web interface to interact with the database, after installing the root/intermediate certs in the browser.

Troubles start when I try to connect my nodejs API server to the database using the arangojs javascript driver as explained in https://github.com/arangodb/arangojs#new-database where I found:

If you need to support self-signed HTTPS certificates, you may have to add your certificates to the agentOptions, e.g.:

agentOptions: {
  ca: [
    fs.readFileSync('.ssl/sub.class1.server.ca.pem'),
    fs.readFileSync('.ssl/ca.pem')
  ]
}

The agentOptions configuration works when using self-signed certificates and:

agentOptions: {
  ca: [
    fs.readFileSync('db.crt.pem')
  ]
}

but fails when using my own CA-signed certificate and:

agentOptions: {
  ca: [
    fs.readFileSync('interm.crt.pem')
  ]
}

I also tried several other ca settings like:

1. passing [root, interm] certs buffers
2. passing [interm, root] certs buffers (exchanged order)
3. passing [root+interm] cert buffer (single concatenated file)
4. passing [interm+root] cert buffer (as above, exchanged order)

but none of these seems to work. I always get a very long error message from arangojs in which, quite at the beginning, I see UNABLE_TO_VERIFY_LEAF_SIGNATURE.

By looking it up I found references to the node-ssl-root-cas npm module, but since I'm using my own CA I don't see why I would want to use that (I also tried it and it didn't work either).

My issue seems to be similar to https://github.com/arangodb/arangojs/issues/39 but the solution seems to be 1:1 in sync with the documentation above and it still didn't work.

In the end I think this is just a subtle configuration problem of the agentOptions in arangojs. Can someone point me to the right config?

1 Answer

0
votes

I finally managed to establish a secured TLS connection by using:

agentOptions: {
  ca: [
    fs.readFileSync('interm_root.crt.pem')
  ]
}

where interm_root.crt.pem is the concatenation of intermediate and root certificates, that is obtained as:

cat interm.crt.pem root.crt.pem > interm_root.crt.pem

For some reason I didn't get the concatenation right in the rush of my first round of tests.

Hope this can help other arangojs users anyway.
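
A pre-flight check for the `ca` value discussed above, as an added example that is not part of the original posts or of arangojs. It splits a concatenated bundle into one PEM per certificate even when the source files lacked a trailing newline (so `cat` fused the END and BEGIN markers, one common way a concatenation goes wrong), and it reports certificates whose issuer is absent from the bundle. `splitPemBundle` and `missingIssuers` are hypothetical helper names; the file names are the ones used in the answer.

```javascript
const crypto = require('node:crypto');

const BEGIN = '-----BEGIN CERTIFICATE-----';
const END = '-----END CERTIFICATE-----';
const CERT_RE = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;

// Split any mix of PEM strings/Buffers into one normalized PEM per certificate.
// Markers fused by a missing trailing newline are separated again; truncated
// or non-base64 blocks are rejected instead of being passed on silently.
function splitPemBundle(...inputs) {
  const certs = [];
  for (const input of inputs) {
    const text = input.toString('utf8');
    const blocks = [...text.matchAll(CERT_RE)];
    if (blocks.length !== text.split(BEGIN).length - 1) {
      throw new Error('unterminated certificate block in CA bundle');
    }
    for (const [, body] of blocks) {
      const b64 = body.replace(/\s+/g, '');
      if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) {
        throw new Error('certificate body is not valid base64');
      }
      certs.push(`${BEGIN}\n${b64.match(/.{1,64}/g).join('\n')}\n${END}\n`);
    }
  }
  if (certs.length === 0) throw new Error('no certificate found in CA bundle');
  return certs;
}

// Subjects of certificates whose issuer is not in the bundle. An empty result
// means each certificate's issuer, up to the self-signed root, is present.
function missingIssuers(pems) {
  const certs = pems.map((pem) => new crypto.X509Certificate(pem));
  return certs
    .filter((cert) => !certs.some((other) => cert.checkIssued(other)))
    .map((cert) => cert.subject);
}

// Usage with the file names from the answer (fs = require('node:fs')):
//   const ca = splitPemBundle(fs.readFileSync('interm.crt.pem'),
//                             fs.readFileSync('root.crt.pem'));
//   const missing = missingIssuers(ca);
//   if (missing.length) throw new Error('issuer missing for: ' + missing.join('; '));
//   // then pass it on as: agentOptions: { ca }
```

With only `interm.crt.pem` in the bundle, `missingIssuers` returns the intermediate's subject, because the root that issued it is not there.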