request <url> failed, reason: self signed certificate

[thiennq]

Today, when I'm using node-fetch to request a facebook api end-point, I received "self signed certificate" error.

Error: request to https://graph.facebook.com/v2.3/<POST_ID>?fields=id,from,created_time,updated_time,picture&access_token=<FB_TOKEN> failed, reason: self signed certificate
    at ClientRequest.<anonymous> (/home/<PROJECT_PATH>/node_modules/node-fetch/index.js:116:11)
    at emitOne (events.js:77:13)
    at ClientRequest.emit (events.js:166:7)
    at TLSSocket.socketErrorListener (_http_client.js:254:9)
    at emitOne (events.js:77:13)
    at TLSSocket.emit (events.js:166:7)
    at TLSSocket.<anonymous> (_tls_wrap.js:931:16)
    at emitNone (events.js:67:13)
    at TLSSocket.emit (events.js:163:7)
    at TLSSocket._finishInit (_tls_wrap.js:506:8)'

[bitinn]

This is most likely not a node-fetch issue, as https://graph.facebook.com/ should have valid cert. You should try using basic node.js https.request first to verify your network is working as expected.

But if you are behind some MITM proxy, see #15 for possible solutions.

[bitinn]

Closing as no further comment received (unlikely a node-fetch issue).

[cuixiping]

https.request API has a rejectUnauthorized option with boolean value, set to false if you don't want to verify certificate . Hope node-fetch add this option.

I added some code in ./lib/request.js and it works as expected.

    if(init.rejectUnauthorized !== undefined){
        this.rejectUnauthorized = init.rejectUnauthorized;
    }

[tiffon]

agent is one of the available options: https://github.com/bitinn/node-fetch#options

[johanhenrikssn]

I did it like this:

const https = require("https");
const agent = new https.Agent({
  rejectUnauthorized: false
})
fetch(myUrl, { agent })

[samvloeberghs]

@johanhenrikssn any idea of the security implications of that "fix"? :)

[johanhenrikssn]

@samvloeberghs Using CA issued certificates is of course preferred in production to ensure information comes from a trusted source. I'm using this in development since the API I'm fetching from has a self-signed certificate in the staging environment.

What are your thoughts about the security implications?

[bitinn]

For a safer option, you can also use key, cert, ca of https.Agent options.

The following additional options from tls.connect() are also accepted when using a custom Agent: pfx, key, passphrase, cert, ca, ciphers, rejectUnauthorized, secureProtocol, servername

https://nodejs.org/api/https.html#https_https_request_options_callback

[samvloeberghs]

@johanhenrikssn it didn't work out in my case.. I moved to https request.

[ImTheDeveloper]

@johanhenrikssn worked for me fixing isomorphic-fetch and vue-apollo. Thanks.

import Vue from 'vue'
import { ApolloClient, createNetworkInterface } from 'apollo-client'
import VueApollo from 'vue-apollo'
import fetch from 'isomorphic-fetch'
import https from 'https'
const agent = new https.Agent({
  rejectUnauthorized: false
})

const networkInterface = createNetworkInterface({ 
  uri: API_ENDPOINT,
  opts: {
  // Additional fetch options like `credentials` or `headers`
  credentials: 'same-origin',
  agent
  }
});

[its-poole]

This is also an environment variable you can set in later versions of node.js to suppress the certificate authorization:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

or

NODE_TLS_REJECT_UNAUTHORIZED="0" npm start

https://stackoverflow.com/a/21961005

[ivan-kleshnin]

I did it like this:

const https = require("https");
const agent = new https.Agent({
  rejectUnauthorized: false
})
fetch(myUrl, { agent })

This https module is huge: +250Kib (unzipped) to the bundle :(
Anyone aware of a decently sized solution for Node, Browser and SSR?

[dyst5422]

I did it like this:

const https = require("https");
const agent = new https.Agent({
  rejectUnauthorized: false
})
fetch(myUrl, { agent })

This https module is huge: +250Kib (unzipped) to the bundle :(
Anyone aware of a decently sized solution for Node, Browser and SSR?

You can't even use the https mode in browsers, so why would it matter that its large?

[hsHemant]

I used this es6 syntax and it worked for me. No need to set node global options.

import https from "https";
const agent = new https.Agent({
  rejectUnauthorized: false
});
fetch(myUrl, { agent });

[LiMengyang990726]

Hi I tried

import https from "https";
const agent = new https.Agent({
  rejectUnauthorized: false
});
fetch(myUrl, { agent });

in the same file where I make the request

NODE_TLS_REJECT_UNAUTHORIZED="0" npm run dev

process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0

in root/.env

All the above methods don't work for me, and I am still getting the same error.

• In Postman, this error can be avoided by turning off SSL Certificate Verification
• In Curl, this error can be avoided by adding -k flag
• What to do next in order to achieve the same effect in Nodejs?

[Richienb]

@LiMengyang990726 What error are you getting?

[LiMengyang990726]

FetchError: request to failed, reason: self signed certificate

[Richienb]

@LiMengyang990726 Is the site you're trying to fetch using a self-signed certificate?

[LiMengyang990726]

@LiMengyang990726 Is the site you're trying to fetch using a self-signed certificate?

I believe so. As I need to try to avoid the same thing in Postman and cULR

[Richienb]

@LiMengyang990726 Try https://stackoverflow.com/a/11042814/8384910