1
votes

I actually found the answer to this question already, and just want to document my finding.

The problem has to do with using Node.js to access CouchDB through HTTPS. The CouchDB server has been configured with an SSL certificate generated by Let's Encrypt. The cert_file specified in local.ini contains both the server certificate and the issuer's intermediate certificate. When I verified a URL through the browser, the connection was shown as valid. However, whenever I tried to fetch the same URL from Node, an UNABLE_TO_VERIFY_LEAF_SIGNATURE / unable to verify the first certificate error would be thrown.

I tried adding the root certificate to Node using the NODE_EXTRA_CA_CERTS environment variable. That failed. Then, I tried adding the intermediate certificate to NODE_EXTRA_CA_CERTS, and it worked. I could stop there, but somehow I knew that something was wrong.

1 Answers

2
votes

After more digging, I finally found that even though the cert_file used by CouchDB includes both the server cert and the intermediate cert, unlike some other servers, CouchDB itself would only send back the server cert. In order to fix this problem the right way, I need to specify the intermediate cert as the cacert_file in the local.ini file as well. Once I did that, the error was gone.