Can't scrape website with bad SSL - invalid certificate: UnknownIssuer #8939

Closed
Bestulo opened this issue Dec 30, 2020 · 3 comments

Bestulo commented Dec 30, 2020

Hi. I'm trying to access a WordPress site with bad SSL to get the RSS feed. It's a Venezuelan government site, which are known to have terrible, either self-signed or expired SSL certificates. I won't have access to any .pem certificates to pass to --cert, as is suggested in #2301

In terms of security, I run a VPN and the only vuln is a MitM substitution of the RSS feed, and I have a VPN, and realistically, I just don't care about the possibility. This is not a sensitive issue as everything will be double-checked in the end.

Node.js has the following environment variable: process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'

This was talked about in closed issue #2301, but I don't see any conclusion for people who don't have a .pem file or are not using Kubernetes.

Is there a way to tell Deno to stop interrupting the connection and just go through with it?

Sending fatal alert BadCertificate
error: Uncaught (in promise) Http: error sending request for url (https://url.com): error trying to connect: invalid certificate: UnknownIssuer
    at processResponse (deno:core/core.js:223:11)
    at Object.jsonOpAsync (deno:core/core.js:240:12)
    at async fetch (deno:op_crates/fetch/26_fetch.js:1278:29)
    at async Function.get (code.ts:7:32)
    at async getFeed (getfeed.ts:12:19)

Member

lucacasonato commented Dec 30, 2020

@Bestulo You can extract the CA certificate from a website's public certificate chain: https://unix.stackexchange.com/questions/368123/how-to-extract-the-root-ca-and-subordinate-ca-from-a-certificate-chain-in-linux. You can then feed this into --cert.

Feel free to reopen if this doesn't solve your issue.

Author

Bestulo commented Dec 30, 2020

ty, I'll try

Author

Bestulo commented Dec 31, 2020

It didn't work. I tried these 2 commands that were there

openssl s_client -showcerts -connect url.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem

openssl s_client -showcerts -verify 5 -connect url.com:443 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}' && for cert in *.crt; do newname=$(openssl x509 -noout -subject -in $cert | sed -n 's/^.*CN=\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g;p').pem; mv $cert $newname; done

Then I passed the certs like this:

deno run --cert mycert.pem --allow-net getfeed.ts

but it's still the same UnknownIssuer error popping up. :/

error trying to connect: invalid certificate: UnknownIssuer

Is there really no way to bypass this protection?

Edit: I tried the first answer but I didn't understand how to get a .pem from them
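
Added example, not part of the original thread and not Deno's or OpenSSL's own code: a TypeScript helper that reads the text printed by openssl s_client -showcerts and separates the server's own certificate (depth 0, the only block that openssl x509 keeps in the first command above) from the CA certificates the server sent, which are what the --cert suggestion refers to. The function names and the sample output are constructed for illustration; the self-signed check compares names only and verifies no signature, so a certificate picked this way still needs its fingerprint confirmed through a separate channel before it is trusted.

```typescript
// Added example: list the certificates in `openssl s_client -showcerts` text output.
interface ChainEntry { depth: number; subject: string; issuer: string; pem: string }
type Kind = "empty" | "self-signed-leaf" | "root-sent" | "issuer-missing";
interface Advice { kind: Kind; anchor: ChainEntry | null; missingIssuer: string | null }

function parseShowcerts(output: string): ChainEntry[] {
  const chain: ChainEntry[] = [];
  let entry: ChainEntry | null = null;
  let inPem = false;
  for (const line of output.split(/\r?\n/)) {
    const subj = /^\s*(\d+)\s+s:\s*(.*)$/.exec(line); // e.g. " 0 s:CN = host"
    const iss = /^\s+i:\s*(.*)$/.exec(line); // e.g. "   i:CN = issuer"
    if (inPem && entry) {
      entry.pem += line + "\n";
      if (line.startsWith("-----END CERTIFICATE-----")) { inPem = false; entry = null; }
    } else if (subj) {
      entry = { depth: Number(subj[1]), subject: (subj[2] ?? "").trim(), issuer: "", pem: "" };
      chain.push(entry);
    } else if (iss && entry) {
      entry.issuer = (iss[1] ?? "").trim();
    } else if (line.startsWith("-----BEGIN CERTIFICATE-----") && entry) {
      inPem = true;
      entry.pem = line + "\n";
    }
  }
  return chain;
}

function adviseTrustAnchor(chain: ChainEntry[]): Advice {
  const top = chain[chain.length - 1]; // highest certificate the server sent
  if (!top) return { kind: "empty", anchor: null, missingIssuer: null };
  if (top.subject === top.issuer) { // self-issued by name (no signature check)
    const kind: Kind = chain.length === 1 ? "self-signed-leaf" : "root-sent";
    return { kind, anchor: top, missingIssuer: null };
  }
  // The issuer of the top certificate was not sent; depth 0 alone is not a CA.
  return { kind: "issuer-missing", anchor: chain.length > 1 ? top : null, missingIssuer: top.issuer };
}

// Constructed sample output; the PEM bodies are placeholders, not real certificates.
const SAMPLE = [
  "Certificate chain",
  " 0 s:CN = url.com", "   i:CN = Example Intermediate CA",
  "-----BEGIN CERTIFICATE-----", "PLACEHOLDER_LEAF_BODY", "-----END CERTIFICATE-----",
  " 1 s:CN = Example Intermediate CA", "   i:CN = Example Root CA",
  "-----BEGIN CERTIFICATE-----", "PLACEHOLDER_INTERMEDIATE_BODY", "-----END CERTIFICATE-----", "---",
].join("\n");
const SAMPLE_ADVICE = adviseTrustAnchor(parseShowcerts(SAMPLE));
```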
