New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSL Certificate issue #14

Closed
badboytherock opened this Issue May 31, 2014 · 10 comments

Comments

Projects
None yet
5 participants
@badboytherock

badboytherock commented May 31, 2014

Hi,

I am trying to authenticate user against AD. see below test code.

var ActiveDirectory = require('activedirectory');
var ad = new ActiveDirectory('ldaps://remoteserver:636', 'DC=myorg,DC=com');
var username="test_username";
var password="test_password";
ad.authenticate(username, password, function(err, auth) {
if (err) {
console.log('ERROR: '+JSON.stringify(err));
return;
}

if (auth) {
console.log('Authenticated!');
}
else {
console.log('Authentication failed!');
}
});

I ran into below issue executing test. Sounds like a certificate issue.
Can you please suggest how can i fix this?

D:\NODE_JS_CODE\ldapauth>node test.js

events.js:72
throw er; // Unhandled 'error' event
^
Error: CERT_UNTRUSTED
at SecurePair. (tls.js:1370:32)
at SecurePair.EventEmitter.emit (events.js:92:17)
at SecurePair.maybeInitFinished (tls.js:982:10)
at CleartextStream.read as _read
at CleartextStream.Readable.read (_stream_readable.js:320:10)
at EncryptedStream.write as _write
at doWrite (_stream_writable.js:226:10)
at writeOrBuffer (_stream_writable.js:216:5)
at EncryptedStream.Writable.write (_stream_writable.js:183:11)
at write (_stream_readable.js:583:24)

D:\NODE_JS_CODE\ldapauth>

@gheeres

This comment has been minimized.

Owner

gheeres commented May 31, 2014

Based on the paths (D:...), it looks like you're running on Windows. The CERT_UNTRUSTED basically means that the SSL certificate that the domain controller (i.e. Active Directory) is using or returning to you is NOT signed by a certificate authority that your machine trusts. This is a common problem when dealing with SSL, especially self-sign SSL certificates and / or a local certificate authority for your organization.

Basically to fix the problem, you need to import and trust the certificate authority which signed your ActiveDirectory installation, or you need to import and trust the SSL certificate that the ActiveDirectory server is providing to you.

If you have access to one of the domain controllers, you can use the Certificates plugin for MMC to export the public certificate so you can add it to your local machine. Or better, assuming you don't have a self-signed certificate, get the SSL certificate of the certificate authority that signed the SSL certificate that the domain controller is using.

If you don't have access to the domain controller, you can use the openssl utilties to retrieve the certificate.

openssl s_client -showcerts -host remoteserver.domain.name -port 636

You should get something like the following:

CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgIICNMg30SopiMwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwNTIyMTEyNTU4WhcNMTQwODIwMDAwMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCNJSwk
PPpMgw/J/diF5cAqGbmNe/Bih1rLVsfBwJDS3zunxMI1IAhoudccuQd0h4OWYcGc
z1Y8aNvpPz+3qY0GUvQcVGLh8JydQJI8eBlXL9v8J/uK2GBT/37Bkcga94DqpOLG
9n5Fvsd6F87+jpuCyDXW1hv6aNr4uiyFwa7I3HlTSr6BauM+aS0PXUTJSBi0BG73
gJbpTB/MgFlILp3x5bYSpn+3eSdME4EKEq42uy/oVHFrXsgZA6/lmWMiM/Is530x
FJfu0Bz7OgPRYsAiGiGjhPyPUs4oTOQERq2j9cIM4OXHVtZqehESE6noDvlNhptA
R+6lpPoDgQp2O5BjAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBQAC/6CV31piwAaimR5f1OK/QdilTAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYBBAHW
eQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB
RzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB3JODw4UTUX3xJyr55rbd5EIeMQjcs
sKRvH/oJmEcIl1hrOaiNnpEbQis+2N5YR2PMMU825iO30L66hIswPOxfFiBeb1ZM
TWPJG5WXx7fctFPDXbJ3Zjq3cANIaX8Vlu4nSayNEhKnNuZog1YVSrg3Mu3E+8Ln
bzt+pZa9iTH821hu/il3TmRzXndT3dEz+n1XkrT3F9NBL3ZyYceDU5uB9fo7x25H
pLP/8pxIqu3+AcoGqNmJpxSfWlaqKXqd3TZ++edHtgTO5t8KV65GgCQ9+Wl0amtG
odT0vGI0eRPRl6s+Nnk6Aguz4bkRPsYTuEVJdEd3F+f9kxHrVWI0c+J4
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3231 bytes and written 432 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: D915A1902D9384B5E11F80BF76037C61048F24C763802E9C5CE9F56684F713B2
    Session-ID-ctx: 
    Master-Key: DB66D3BC903435A25D3C436D39E4ED2E513731ED7DF3F6BB6AA8C7245ED70433B61546CB0BA3F1465D8B87A978CB5715
    Key-Arg   : None
    Start Time: 1401542147
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

The above example includes the full certificate authority chain. I ran this against the public google WWW/HTTPS server. Ideally, you want to grab and trust the certificate authority. Then every SSL certificate signed by that certificate authority will be inherently trusted.

Copy the area between (and including) and BEGIN / END CERTIFICATE and save to a file with a name ending in *.cer. Then you can import it into your 'Trusted Root Certificate Authorities'. If you need help with that, let me know and I can walk you through that process.

@gheeres

This comment has been minimized.

Owner

gheeres commented May 31, 2014

I created a blog post with additional information to help.

@gheeres gheeres closed this May 31, 2014

@badboytherock

This comment has been minimized.

badboytherock commented Jun 2, 2014

Really appreciate your help man. I could successfully connect to AD now.

D:\NODE_JS_CODE\ldapauth>node test.js
Active directory :[object Object]
Authenticated!
D:\NODE_JS_CODE\ldapauth>

Awesome work by the way...

@gheeres gheeres added the question label Jul 10, 2014

@yosser22

This comment has been minimized.

yosser22 commented Jul 7, 2015

Hi Everybody,

I'm having the same Issue. The problem in my case is that the certificate authority has been already imported and trusted. Testing it with an other application using the same certification and sending a request to the same ldap-server shows that everything is working fine(The test-application is not a nodejs application). Only in the case of the nodejs application using this module, I'm getting the error CERT_UNTRUSTED. Can you please help me fix this error. Thank you very much!

@michal-filip

This comment has been minimized.

michal-filip commented Jul 7, 2015

I know that this is a BAD BAD advice but if you're looking for a quick fix until you resolve the issue properly, you can always choose to ignore untrusted certificates like this:

new ActiveDirectory({
   // ...
   tlsOptions: {
      'rejectUnauthorized': false
   }
});
@yosser22

This comment has been minimized.

yosser22 commented Jul 7, 2015

I don't know if I did the right thing but I created a seperate issue here: #94

thank you for your help

@gheeres

This comment has been minimized.

Owner

gheeres commented Jul 7, 2015

The SSL/TLS negotation is actually done by the underlying ldapjs implementation.

As improvisio recommended, you can disable the untrusted certificate verification by sending in the ldapjs TLS options. Not a good idea since it does make you susceptible to man-in-the-middle attacks.

The solution to your problem is to ensure that the FULL certificate chain of trust is imported into your machine and available to ALL users. You need to make sure that the user that runs the nodejs process has that certificate chain available. Please refer back to my blog post for additional information and tips. Something is likely not setup or imported correctly.

If you're still having problems with your SSL/TLS negotiation, I'd recommend that you open or view the issues on the ldapjs repository.

@yosser22

This comment has been minimized.

yosser22 commented Jul 8, 2015

so I fixed it by speicifying the .pem file in the tls option ca.

@cjh-Ella

This comment has been minimized.

cjh-Ella commented Jul 8, 2018

I have an error stating: ERROR: {"code":"UNABLE_TO_VERIFY_LEAF_SIGNATURE"}
I read from https://auth0.com/docs/connector/troubleshooting#unable_to_verify_leaf_signature-error-message that i need to install the cert chain on server. But my server is Linux CentOS 7. I did as here advised: https://stackoverflow.com/questions/37043442/how-to-add-certificate-authority-in-centos7

But i still got the error. What should I do?

My code is like the following:

var ActiveDirectory = require("activedirectory");
const fs = require("fs");
var config = {
url: "ldaps://xxx.com",
baseDN: "DC=...,DC=com",
tlsOptions: {
ca: [fs.readFileSync("CA.crt")],
rejectUnauthorized: true // Force Certificate Verification
}
};
var ad = new ActiveDirectory(config);
var username = xxx;
var password = xxx;
ad.authenticate(username, password, function(err, auth) {
if (err) {
console.log("ERROR: " + JSON.stringify(err));
return;
}
if (auth) {
console.log("Authenticated!");
} else {
console.log("Authentication failed!");
}
});

@cjh-Ella

This comment has been minimized.

cjh-Ella commented Sep 2, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment