4
votes

As of September 2021, Let's Encrypt's old root certificate expired (see: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/). This has caused a node application using axios to fail when connecting to an API with a Let's Encrypt cert. It states that the certificate has expired. Since my Linux system is running OpenSSL 1.1.1 (which Let's Encrypt states is compatible with their new chain), my assumption is that Node must be using its bundled out-of-date OpenSSL, which doesn't support the new certificate. Unfortunately, the node application can only be run on node 8.x (which is being accomplished via npm n).

So the question is: can I tell axios to override/extend the built-in root certs, to get it to work properly with Let's Encrypt's new chain, even while running on an out-of-date version of Node?

Based on How to configure axios to use SSL certificate?, I attempted to download the ISRG Root X1 pem from https://letsencrypt.org/certificates/, and load it up like:

const https = require('https');
const fs = require('fs');

const httpsAgent = new https.Agent({ ca: fs.readFileSync('./isrgrootx1.pem'), 
                                     cert: fs.readFileSync('./isrgrootx1.pem') });
//...
const response = await axios.post(fullEndpoint, {httpsAgent});

However, it seems to have no effect - all of Axios's connections still fail, saying the cert is expired. I feel like that must be fairly close to the solution, but haven't had any luck. Any pointers would be greatly appreciated.


2 Answers

5
votes

Add this CA to the https Agent used for your request.
Here is the cert => https://letsencrypt.org/certs/isrgrootx1.pem.txt

// CommonJS throughout: mixing `require` with an ES `import` is a syntax error in a plain Node script
const axios = require('axios');
const { Agent } = require('https');

const ISRGCAs = [`-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----`];

const agent = new Agent({ca: ISRGCAs});

axios({
  url:'https://URL',
  httpsAgent:agent
}).then(res=>{
  console.log(res)
})
0
votes

Even if you could make axios bypass the expired certs, it would mean you had disabled the HTTPS protection and the security of any connection you make through it.

I would take care of this by fixing your OS.

There are a couple of options:

  1. Upgrade your Linux to the most recent version
  2. If you're sure the expired DST Root CA certificate is the issue, just remove/blacklist it. (In RHEL you can blacklist it)

From this detailed article: https://stackoverflow.com/a/69411107/1549092

# Make sure the ca-certificates.conf location is correct 
# (the mv into /etc also needs root, otherwise the edited copy is never installed)
sudo sed '/DST_Root_CA_X3.crt/d' /etc/ca-certificates.conf > /tmp/cacerts.conf && sudo mv /tmp/cacerts.conf /etc/ca-certificates.conf
sudo update-ca-certificates

If that doesn't resolve your issue, I would read the whole article and follow the steps to identify the root cause and the exact Root CA certificate causing the issue.

NOTE: I would immediately upgrade to the most recent Linux version to resolve this issue, as it is a security concern.

UPDATE: To fix this issue (as per your comments), you need to download and add the 2 new Root CA certificates: https://letsencrypt.org/certificates/

UPDATE: Node.js 7.3.0 (and the LTS versions 6.10.0 and 4.8.0) added NODE_EXTRA_CA_CERTS environment variable for you to pass the CA certificate file.

$ export NODE_EXTRA_CA_CERTS=[custom Root CA certificate file path]

To fix this issue, you need to add the 2 new Root CAs to your node.js:

Intermediate Certificate (PEM format):