UNABLE_TO_VERIFY_LEAF_SIGNATURE just to some requests to same server #4847

Open
tairosonloa opened this issue Jul 13, 2022 · 5 comments

tairosonloa commented Jul 13, 2022

Describe the issue

Axios is throwing UNABLE_TO_VERIFY_LEAF_SIGNATURE just for some requests to the same server using rejectUnauthorized: false

Example Code

I have a method sendRequest as follows:

import axios, { AxiosRequestConfig } from 'axios'
import https from 'https'

  private async sendRequest(
    method: 'post' | 'get' | 'put' | 'delete' | 'patch',
    url: string,
    payload?: unknown,
    options?: AxiosRequestConfig
  ): Promise<any> {
    console.log(url)
    try {
      const response = await axios[method](url, payload, {
        ...options,
        httpsAgent: new https.Agent({
          rejectUnauthorized: false,
        })
      })
      return response?.data
    } catch (error: any) {
      console.error(error)
    }
  }

I'm using that method to send requests to an Apache Guacamole API that is being served with https (port 443) using a Kaspersky Anti-Virus Personal Root Certificate.

First, I implemented a request to get a token (POST /api/token) and got SSL errors, so I added the https.Agent with rejectUnauthorized: false and worked around that issue.

However, now I implemented another request to invalidate that token (DELETE /api/token/:token) and I'm getting this error even with the rejectUnauthorized: false:

AxiosError: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1532:34)
    at TLSSocket.emit (node:events:527:28)
    at TLSSocket.emit (node:domain:475:12)
    at TLSSocket._finishInit (node:_tls_wrap:946:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:727:12)

// console.error
{
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  // ...
}

Both requests are made to the same server, so I don't understand why the first succeeds and the second doesn't. There is no proxy or anything strange that could redirect the request between my code and the Guacamole server.

Launching my code with NODE_TLS_REJECT_UNAUTHORIZED=0 env variable seems to fix the issue, but disables TLS everywhere, which is not desired.

Expected behavior, if applicable

For the request to happen without TLS errors, due to the rejectUnauthorized: false

Environment

  • Axios Version: 0.27.2
  • Adapter: https is version 1.0.0
  • Browser: does not apply.
  • Browser Version: does not apply.
  • Node.js Version: 16.15.1
  • OS: Ubuntu 20.04.4 LTS
  • Additional Library Version: does not apply

Additional context/Screenshots

Launching my code with NODE_TLS_REJECT_UNAUTHORIZED=0 env variable seems to fix the issue, but disables TLS everywhere, which is not desired.
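
An added example, not part of the issue thread or of axios's own code, on a point relevant to the `sendRequest` wrapper in the first post: axios's `get`/`delete`/`head`/`options` aliases take `(url, config)` while `post`/`put`/`patch` take `(url, data, config)`, so a wrapper that always passes `(url, payload, config)` never hands the `httpsAgent` to a DELETE. `makeStubClient` is a constructed stand-in for axios (an assumption, so the block runs offline), and `callAsInIssue`, `callBySignature` and `agentOfLastCall` are hypothetical helper names.

```javascript
// Added example (not from the issue or from axios). axios request aliases:
//   get / delete / head / options : (url, config)
//   post / put / patch            : (url, data, config)
const NO_BODY = new Set(['get', 'delete', 'head', 'options']);

// Constructed stand-in for axios (assumption) so the example runs offline.
// It mirrors the two alias signatures and records the config each call sees.
function makeStubClient() {
  const client = { calls: [] };
  for (const method of NO_BODY) {
    client[method] = async (url, config = {}) => {
      client.calls.push({ method, url, config });
      return { data: null };
    };
  }
  for (const method of ['post', 'put', 'patch']) {
    client[method] = async (url, data, config = {}) => {
      client.calls.push({ method, url, data, config });
      return { data: null };
    };
  }
  return client;
}

// Call shape from the issue's sendRequest: always (url, payload, config).
// For DELETE/GET the third argument is ignored, so httpsAgent is dropped.
function callAsInIssue(client, method, url, payload, config) {
  return client[method](url, payload, config);
}

// Signature-aware call: config lands in the slot each alias actually reads.
function callBySignature(client, method, url, payload, config = {}) {
  if (NO_BODY.has(method)) {
    // A body on DELETE/GET, if any, travels as config.data.
    const merged = payload === undefined ? config : { ...config, data: payload };
    return client[method](url, merged);
  }
  return client[method](url, payload, config);
}

// Hypothetical helper: the httpsAgent the most recent call was given.
function agentOfLastCall(client) {
  const last = client.calls[client.calls.length - 1];
  return last && last.config ? last.config.httpsAgent : undefined;
}
```

With real axios, pass the imported `axios` object in place of the stub. Supplying the server's root certificate through the agent's `ca` option (`new https.Agent({ ca })`) keeps certificate verification enabled for that host instead of turning it off.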


DeepakDonde commented Aug 23, 2022

I am facing the same issue:
At the start of the log I can see 404, but when I see the complete log, it also says UNABLE_TO_VERIFY_LEAF_SIGNATURE in authorization.

I have set rejectUnauthorized: false in axios agent configuration.

Axios Log is as below:

Request failed with status code 404
    at createError (/app/node_modules/axios/lib/core/createError.js:16:15)
    at settle (/app/node_modules/axios/lib/core/settle.js:17:12)
    at IncomingMessage.handleStreamEnd (/app/node_modules/axios/lib/adapters/http.js:269:11)
    at IncomingMessage.emit (events.js:412:35)
    at endReadableNT (internal/streams/readable.js:1317:12)
    at processTicksAndRejections (internal/process/task_queues.js:82:21) {
  config: {
    url: 'https://domain/restapi/oauth2/token',
    method: 'post',
    data: '{"username":"4rty6","Password":"4rty6"}',
    headers: {
      Accept: 'application/json, text/plain, */*',
      'Content-Type': 'application/json',
      'User-Agent': 'axios/0.21.4',
      'Content-Length': 41
    },
    transformRequest: [ [Function: transformRequest] ],
    transformResponse: [ [Function: transformResponse] ],
    timeout: 30000,
    adapter: [Function: httpAdapter],
    xsrfCookieName: 'XSRF-TOKEN',
    xsrfHeaderName: 'X-XSRF-TOKEN',
    maxContentLength: -1,
    maxBodyLength: -1,
    httpsAgent: Agent {
      _events: [Object: null prototype],
      _eventsCount: 2,
      _maxListeners: undefined,
      defaultPort: 443,
      protocol: 'https:',
      options: [Object],
      requests: {},
      sockets: [Object],
      freeSockets: {},
      keepAliveMsecs: 1000,
      keepAlive: false,
      maxSockets: Infinity,
      maxFreeSockets: 256,
      scheduling: 'lifo',
      maxTotalSockets: Infinity,
      totalSocketCount: 1,
      maxCachedSessions: 100,
      _sessionCache: [Object],
      [Symbol(kCapture)]: false
    },
    validateStatus: [Function: validateStatus],
    transitional: {
      silentJSONParsing: true,
      forcedJSONParsing: true,
      clarifyTimeoutError: false
    }
  },
  request: <ref *1> ClientRequest {
    _events: [Object: null prototype] {
      abort: [Function (anonymous)],
      aborted: [Function (anonymous)],
      connect: [Function (anonymous)],
      error: [Function (anonymous)],
      socket: [Function (anonymous)],
      timeout: [Function (anonymous)],
      prefinish: [Function: requestOnPrefinish]
    },
    _eventsCount: 7,
    _maxListeners: undefined,
    outputData: [],
    outputSize: 0,
    writable: true,
    destroyed: false,
    _last: true,
    chunkedEncoding: false,
    shouldKeepAlive: false,
    _defaultKeepAlive: true,
    useChunkedEncodingByDefault: true,
    sendDate: false,
    _removedConnection: false,
    _removedContLen: false,
    _removedTE: false,
    _contentLength: null,
    _hasBody: true,
    _trailer: '',
    finished: true,
    _headerSent: true,
    socket: TLSSocket {
      _tlsOptions: [Object],
      _secureEstablished: true,
      _securePending: false,
      _newSessionPending: false,
      _controlReleased: true,
      secureConnecting: false,
      _SNICallback: null,
      servername: 'domain',
      alpnProtocol: false,
      authorized: false,
      authorizationError: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
      encrypted: true,
 ....continue rest logs

@DeepakDonde

Setting process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; at application level is also not working.

@darwinva97

In my case I tried it with "x" and it already works but you don't want it to apply to the entire environment, only to those requests. In modules like request, or node-fetch it works correctly passing the instance of https.Agent.

@PepNieto

I'm going crazy with this error. Do you have any update about the error, guys?


dtap001 commented Jan 18, 2024

no update??
