UNABLE_TO_GET_ISSUER_CERT_LOCALLY

[jakewaggoner]

Version

24.7.0

Platform

Linux c12d480d584b 6.10.10-200.fc40.aarch64 #1 SMP PREEMPT_DYNAMIC Thu Sep 12 18:52:07 UTC 2024 aarch64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

1. Download the nodeJS Docker image tagged 24.7.0
2. Create a container and run the following command:

node -e "fetch('https://www.relialabtest.com/').then(res => {  console.log('Status:', res.status);  return res.text();}).then(data => console.log(data)).catch(err => console.error(err));"

3. Observe the error UNABLE_TO_GET_ISSUER_CERT_LOCALLY
4. Run the following command:

NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt node -e "fetch('https://www.relialabtest.com/').then(res => {  console.log('Status:', res.status);  return res.text();}).then(data => console.log(data)).catch(err => console.error(err));"

5. Observe it now works

How often does it reproduce? Is there a required condition?

This happens every time.

What is the expected behavior? Why is that the expected behavior?

I expect the request to complete successfully instead of give a TLS error. Since this is just a GET call to a website, I expect to see the HTML of the website.

What do you see instead?

TypeError: fetch failed
    at node:internal/deps/undici/undici:15445:13
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5) {
  [cause]: Error: unable to get local issuer certificate
      at TLSSocket.onConnectSecure (node:_tls_wrap:1631:34)
      at TLSSocket.emit (node:events:508:28)
      at TLSSocket._finishInit (node:_tls_wrap:1077:8)
      at ssl.onhandshakedone (node:_tls_wrap:863:12) {
    code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
  }
}

Additional information

This may only happen with sites that have the a cert signed by the following CA:
Cloudflare TLS Issuing ECC CA 1

This also appears to be happening node Node v22, I believe on version v22.20.0 and later. It seems like node is not getting the system certificates or something since it works just fine if the var NODE_EXTRA_CA_CERTS is set to use the system CA certs found at /etc/ssl/certs/ca-certificates.crt

[jakewaggoner]

For 24.7.0, I'd assume this issue has something to do with either of these changes:
#59550
#59571

[joyeecheung]

$ openssl s_client -showcerts -connect  www.relialabtest.com:443
Connecting to 141.193.213.10
CONNECTED(00000006)
depth=3 C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
verify return:1
depth=2 C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
verify return:1
depth=1 C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
verify return:1
depth=0 CN=www.relialabtest.com
verify return:1

The Comodo AAA Services root has been removed in #59571 - if you put theComodo AAA Services root removed in that PR into the extra certs, it will work. So I think this is working as intended.

It seems like node is not getting the system certificates or something since it works just fine if the var NODE_EXTRA_CA_CERTS is set to use the system CA certs found at /etc/ssl/certs/ca-certificates.crt

Node.js does not use the system certificate by default (not yet, at least) and only uses the Mozilla bundle by default. So once that certificate is removed by Mozilla, you'd need to either use NODE_EXTRA_CA_CERTS or NODE_USE_SYSTEM_CA to opt into adding system certificates. Or, if you can affect the certificate chain, request the website to update their certificates: https://www.sectigo.com/resource-library/changes-to-root-ca-hierarchies-and-trust-status

[richardlau]

Re, the Comodo AAA Services root https://www.sectigo.com/resource-library/enhancements-to-root-ca-and-hierarchies
With regards to using systems certificates, it's probably only a matter of time before they too drop trust for that root.

[joyeecheung]

Closing as wontfix, as it's intentional to drop the legacy certificates for security purposes.

[richardlau]

FWIW there was further discussion specifically for Cloudflare TLS Issuing ECC CA 1 in https://bugzilla.mozilla.org/show_bug.cgi?id=1966632 for Firefox. Supposedly someone there reached out to Cloudflare about updating their certificates.

Also Firefox implemented some sort of transition workaround (including the TLS Transit ECC CA R2 intermediate certificate) but that was outside of the root certificate bundle.