
an error occurred trying to connect: invalid certificate: UnknownIssuer #2301

Closed
potham opened this issue May 7, 2019 · 32 comments

Comments

@potham commented May 7, 2019

Hi,

Just installed Deno and tried to run the welcome.ts file mentioned in the docs, and I am facing this issue. Details are below.

D:\deno>deno run https://deno.land/welcome.ts
Downloading https://deno.land/welcome.ts
WARN RS - Sending fatal alert BadCertificate
an error occurred trying to connect: invalid certificate: UnknownIssuer
an error occurred trying to connect: invalid certificate: UnknownIssuer
D:\deno>deno version
deno: 0.4.0
v8: 7.6.53
typescript: 3.4.1

Has anybody faced this issue?

@bartlomieju (Member)

Just tried and works fine, do you use any proxy server?

@potham (Author) commented May 7, 2019

> Just tried and works fine, do you use any proxy server?

Yes @bartlomieju, thanks for reminding me. After disabling the proxy it now runs successfully. But now, while importing the http module, I am facing another error.

D:\deno>deno run first-server.ts
Compiling file:///D:/deno/hello.ts
Downloading https://deno.land/std/http/server.ts
error TS5009: Cannot find the common subdirectory path for the input files. 

first-server.ts

import { serve } from "https://deno.land/std/http/server.ts";
console.log("Hello World");
console.log(5+5);

@bartlomieju (Member)

Related issue: #1383

@saibing commented Sep 26, 2019

I ran into the same problem, but I really need a proxy.

$ deno -v
deno: 0.19.0
v8: 7.9.110
typescript: 3.6.3

$ deno https://deno.land/welcome.ts
Download https://deno.land/welcome.ts
WARN RS - rustls::session:815 - Sending fatal alert BadCertificate
https://deno.land/welcome.ts: error trying to connect: invalid certificate: UnknownIssuer

@bartlomieju (Member)

@saibing if you need a proxy you can use the HTTP_PROXY or HTTPS_PROXY env variables: https://deno.land/manual.html#proxies

@saibing commented Sep 27, 2019

@bartlomieju

I have set these environment variables. I use cntlm proxy on ubuntu 19.04.

@tdillon commented Nov 7, 2019

I'm in a corporate environment with transparent proxies and self-signed certificates. Some way of adding a trusted cert or ignoring invalid certs would be helpful.

$ deno -v
deno: 0.23.0
v8: 7.9.317.12
typescript: 3.6.3

$ deno https://deno.land/std/examples/welcome.ts
Download https://deno.land/std/examples/welcome.ts
WARN RS - rustls::session:815 - Sending fatal alert BadCertificate
https://deno.land/std/examples/welcome.ts: error trying to connect: invalid certificate: UnknownIssuer

@asyncmax commented Dec 4, 2019

I'm trying to use Deno to write a Kubernetes API client. Almost all Kubernetes servers use a self-signed CA setup, so this feature is crucial. Is this coming anytime soon?

@bartlomieju (Member)

> I'm trying to use Deno to write a Kubernetes API client. Almost all Kubernetes servers use a self-signed CA setup, so this feature is crucial. Is this coming anytime soon?

I think it should be straightforward to add a --cert flag to load an additional certificate into the HTTP client. I can take a look at that.

@asyncmax commented Dec 4, 2019

Thanks for your quick response.

Because certificate requirements vary per API server and a single client should be able to connect to multiple servers at once, I believe we should provide it as a per-session option. Perhaps we need a concept of a configurable "connection pool" behind fetch, similar to the Http Agent in Node?

Moreover, a Kubernetes API client must be able to parse ~/.kube/config first to get the CA bundle for the connection, so a CLI flag will make it impossible to implement this in a single shot.

@bartlomieju (Member)

> Thanks for your quick response.
>
> Because certificate requirements vary per API server and a single client should be able to connect to multiple servers at once, I believe we should provide it as a per-session option. Perhaps we need a concept of a configurable "connection pool" behind fetch, similar to the Http Agent in Node?
>
> Moreover, a Kubernetes API client must be able to parse ~/.kube/config first to get the CA bundle for the connection, so a CLI flag will make it impossible to implement this in a single shot.

@asyncmax it looks like your use case is yet another beast.

The example provided by @tdillon, which needs a single certificate for a transparent proxy, is simple, but providing certificates for fetch will be significantly harder. Is there any spec for using a custom certificate in fetch?

@asyncmax commented Dec 4, 2019

@bartlomieju As far as I know, there is no such spec in fetch. Actually, fetch may not be an appropriate entity to have that option. That's why I am thinking we might need to introduce another configurable layer behind fetch. It can also be used for managing other features such as keep-alive.

BTW, is the TLS connection through fetch reused or re-established every time?

@bartlomieju (Member)

> @bartlomieju As far as I know, there is no such spec in fetch. Actually, fetch may not be an appropriate entity to have that option. That's why I am thinking we might need to introduce another configurable layer behind fetch. It can also be used for managing other features such as keep-alive.

I guess this might be the place for a library in userland.

> BTW, is the TLS connection through fetch reused or re-established every time?

Right now our HTTP client is one-off; there's an issue for that, #3068, as well as PR #3099. It's waiting for the upgrade to Tokio 0.2. Once we upgrade, the HTTP client will have a connection pool and reuse connections.

@asyncmax commented Dec 4, 2019

> I guess this might be the place for a library in userland.

Yes, I agree. Maybe keep-alive was a bad example.

> Right now our HTTP client is one-off; there's an issue for that, #3068, as well as PR #3099. It's waiting for the upgrade to Tokio 0.2. Once we upgrade, the HTTP client will have a connection pool and reuse connections.

Sounds good. I guess what I want is a new Deno API that allows userland code to configure TLS parameters of the HTTP client.

@bartlomieju (Member)

@asyncmax would you mind opening a new issue describing all of your needs there? After some thinking I came to the conclusion that we could expose a JS API for creating a Rust HTTP client at very little cost (it'd be a resource), so one could leverage some capabilities of reqwest.

@asyncmax commented Dec 5, 2019

@bartlomieju No problem. I will gladly do that soon.

@bartlomieju (Member)

> I'm trying to use Deno to write a Kubernetes API client. Almost all Kubernetes servers use a self-signed CA setup, so this feature is crucial. Is this coming anytime soon?

> I think it should be straightforward to add a --cert flag to load an additional certificate into the HTTP client. I can take a look at that.

Actually I won't be able to work on that due to higher-priority work on core. If anyone wants to work on this I can provide some tips.

@tdillon commented Feb 3, 2020

Related/Duplicate of #1371?

@geoFlux (Contributor) commented Feb 4, 2020

@bartlomieju I would like to try to fix this if you could give me those tips.
Although, for my purposes, I was able to change create_http_client in http_util.rs to .use_native_tls() instead of .use_rustls_tls() and the certificate errors went away for me.

Looks like that will use the native system store on Windows and macOS, but OpenSSL on Linux, and I guess it's been decided not to use OpenSSL for security reasons. I could make it conditionally compile in native_tls for Windows and Mac, but use rustls_tls on Linux. Imho it would be really nice if it just worked out of the box on Mac and Windows.

@bartlomieju (Member)

> @bartlomieju I would like to try to fix this if you could give me those tips.
> Although, for my purposes, I was able to change create_http_client in http_util.rs to .use_native_tls() instead of .use_rustls_tls() and the certificate errors went away for me.

So the --cert flag should take a file path to a certificate file. In cli/file_fetcher.rs there's a call to create_http_client(); you need to pass the value of the cert flag to that function and load the appropriate certificate.

> Looks like that will use the native system store on Windows and macOS, but OpenSSL on Linux, and I guess it's been decided not to use OpenSSL for security reasons. I could make it conditionally compile in native_tls for Windows and Mac, but use rustls_tls on Linux. Imho it would be really nice if it just worked out of the box on Mac and Windows.

CC @ry

@dplewis commented Feb 6, 2020

> WARN RS - rustls::session:815 - Sending fatal alert BadCertificate

@geoFlux I received this error on a Mac on a corporate network while running this test suite. I can verify that your suggestion works. I wish I could help figure out a better solution.

geoFlux added a commit to geoFlux/deno that referenced this issue Feb 11, 2020
@tdillon commented May 7, 2020

The --cert flag has fixed my issue (i.e., corporate environment with transparent proxies and self-signed certificates).

> deno --version
deno 1.0.0-rc1
v8 8.2.308
typescript 3.8.3
> deno run --cert corporate.pem https://deno.land/std/examples/welcome.ts
Download https://deno.land/std/examples/welcome.ts
Compile https://deno.land/std/examples/welcome.ts
Welcome to Deno 🦕
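What `--cert corporate.pem` does for the run above is extend the set of roots the client trusts, so the chain presented by the intercepting proxy (proxy CA -> server certificate) now terminates at a known root instead of failing as UnknownIssuer. The following is an added example, not code from Deno or from anyone in this thread, written in Go because its standard library can mint certificates offline and `x509.UnknownAuthorityError` is Go's counterpart of the rustls UnknownIssuer error shown in the logs. It constructs a private "corporate" CA and a server certificate for 127.0.0.1, serves that certificate from a local TLS listener, and fetches it twice: once against the default trust store (fails, unknown issuer) and once with the CA PEM appended to the roots (succeeds). The CA name, the response body and the server are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints a certificate from tmpl. With parent == nil the certificate is
// self-signed (our constructed CA); otherwise parent/parentKey sign it.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PrivateCA is a constructed CA plus a server certificate it issued for 127.0.0.1,
// standing in for the corporate proxy CA and the certificate the proxy presents.
type PrivateCA struct {
	CAPEM []byte          // the bytes a user would save as corporate.pem
	Leaf  tls.Certificate // what the intercepting proxy serves to clients
}

func NewPrivateCA() (*PrivateCA, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Example Corp Proxy CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "deno.land (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // the demo server listens on loopback
	}
	leaf, leafKey, err := issue(leafTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &PrivateCA{
		CAPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}),
		Leaf:  tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey, Leaf: leaf},
	}, nil
}

// Fetch performs one GET. With extraCAPEM == nil only the system store is trusted;
// otherwise the PEM is appended to the trusted roots, which is the effect a --cert
// style option has. unknownIssuer is true when verification failed because no
// trusted root signs the chain (the UnknownIssuer case from the thread).
func Fetch(target string, extraCAPEM []byte) (status int, unknownIssuer bool, err error) {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if extraCAPEM != nil {
		pool, perr := x509.SystemCertPool()
		if perr != nil {
			pool = x509.NewCertPool()
		}
		if !pool.AppendCertsFromPEM(extraCAPEM) {
			return 0, false, errors.New("extra CA is not a valid PEM certificate")
		}
		tlsCfg.RootCAs = pool
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(target)
	if err != nil {
		var unknown x509.UnknownAuthorityError
		return 0, errors.As(err, &unknown), err
	}
	defer resp.Body.Close()
	return resp.StatusCode, false, nil
}

// RunDemo serves the leaf over TLS on loopback and fetches it without and with the CA.
func RunDemo() (unknownWithoutCA bool, statusWithCA int, err error) {
	pca, err := NewPrivateCA()
	if err != nil {
		return false, 0, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "Welcome to Deno (constructed response)")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{pca.Leaf}}
	srv.StartTLS()
	defer srv.Close()
	_, unknownWithoutCA, _ = Fetch(srv.URL, nil)
	statusWithCA, _, err = Fetch(srv.URL, pca.CAPEM)
	return unknownWithoutCA, statusWithCA, err
}

func main() {
	unknown, status, err := RunDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("without CA: unknown issuer = %v\nwith CA:    HTTP %d\n", unknown, status)
}
```

The point the two fetches make is that the failing case is not a broken server but a trust-store gap on the client: the right fix is to obtain the proxy's CA certificate from whoever operates the proxy and add only that certificate to the roots, rather than turning verification off, which would also accept any other interposed certificate.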

@devanandp

I am trying to connect to Heroku Postgres but I'm getting the same issue as in the title. Can anyone help?

ARN RS - rustls::session:718 - Sending fatal alert BadCertificate
error: Uncaught InvalidData: invalid certificate: UnknownIssuer
at unwrapResponse ($deno$/ops/dispatch_json.ts:43:11)
at Object.sendAsync ($deno$/ops/dispatch_json.ts:98:10)
at async Object.startTls ($deno$/tls.ts:70:15)
at async startTlsPostgres (https://deno.land/x/pgc4d/src/connection.ts:305:20)
at async connectPg (https://deno.land/x/pgc4d/src/connection.ts:81:24)
at async file:///Users/devanand/Documents/Projects/Deno/deno-experiments/models/database.ts:66:12

@youryss commented Jun 14, 2020

I'm having the same issue on my work computer.

Deno version:

deno 1.1.0
v8 8.4.300
typescript 3.9.2
Download https://deno.land/std/http/server.ts
WARN RS - rustls::session:718 - Sending fatal alert BadCertificate
error: error sending request for url (https://deno.land/std/http/server.ts): error trying to connect: invalid certificate: UnknownIssuer

Any ideas?

@ChristianSiegert

From my home network (no proxy, no VPN), sending a request to a public website, I have the problem too:

WARN RS - rustls::session:718 - Sending fatal alert BadCertificate
Http: error sending request for url (https://www.0815.eu/): error trying to connect: invalid certificate: UnknownIssuer
$ deno --version
deno 1.2.0
v8 8.5.216
typescript 3.9.2

Is there a plan to rectify this? It’s been over a year since the issue was opened.

@lucacasonato (Member)

It looks like the use case for corporate certificates can be resolved via --cert, and the k8s use case should be resolved by #6918. The issue (#1383) @potham ran into on Windows is also resolved. If you have any issues outside of these use cases please open a new issue.

@firmanjabar

Does anyone know how to fix this problem?
I'm trying to connect to Heroku Postgres.

I don't know how to make corporate.pem so I can use --cert corporate.pem. How do I make doc.pem, or where do I download it?

@borsemayur2

@firmanjabar I'm getting the following error:

Sending fatal alert BadCertificate
8:23:57 AM web.1 |  error: 
8:23:57 AM web.1 |  Uncaught (in promise) InvalidData: invalid certificate: UnknownIssuer
8:23:57 AM web.1 |            this.#conn = await Deno.startTls(this.#conn, { hostname });

@al6x commented May 31, 2021

Same error, can't connect to PostgreSQL on a Linode VPS; the PostgreSQL server is on the same host.

I fixed it by using 127.0.0.1 instead of localhost in the PostgreSQL connection URL. Maybe it's caused by how localhost is resolved by Linode or something like that...

InvalidData: invalid certificate: UnknownIssuer
    at deno:core/core.js:86:46
    at unwrapOpResult (deno:core/core.js:106:13)
    at async write (deno:runtime/js/12_io.js:107:12)
    at async writeAll (https://deno.land/std@0.93.0/io/util.ts:79:17)
    at async BufWriter.flush (https://deno.land/std@0.93.0/io/bufio.ts:470:7)
    at async Connection.sendStartupMessage (https://deno.land/x/postgres@v0.11.2/connection/connection.ts:239:5)
    at async Connection.startup (https://deno.land/x/postgres@v0.11.2/connection/connection.ts:296:32)
    at async Pool.#createConnection (https://deno.land/x/postgres@v0.11.2/pool.ts:119:5)
    at async DeferredStack.pop (https://deno.land/x/postgres@v0.11.2/connection/deferred.ts:31:14)
    at async Pool.connect (https://deno.land/x/postgres@v0.11.2/pool.ts:112:24)

@TheAifam5 (Contributor)

Same on my side, will take a look into it.

@rinsuki commented Jun 16, 2022

For corporate/MITM certs, you can also consider the DENO_TLS_CA_STORE=mozilla,system (or just ...=system) option.

@k-paxian commented Oct 7, 2024

Thank you @rinsuki that hint saved me hours of time ❤️
