Error: DEPTH_ZERO_SELF_SIGNED_CERT #418

Closed
maiko-rocha opened this issue Jan 22, 2013 · 51 comments

@maiko-rocha maiko-rocha commented Jan 22, 2013

I'm using self-signed test certificates in my apache2 server and when I call request I get the following error:

Error: DEPTH_ZERO_SELF_SIGNED_CERT

I'm using the following code below to test it. Notice that I'm also using needle and it works with the rejectUnauthorized=true option. I could not find an equivalent on request (I've tried strictSSL=false but I guess that's the default). I couldn't find any other samples related to the problem either.

var request = require('request'),
    needle = require('needle');

request('https://127.0.0.1', function (error, response, body) {
  if (!error && response.statusCode == 200) {
    console.log("REQUEST:"+body);
  } else {
    console.error("REQUEST: "+error)
  }
});

needle.get('https://127.0.0.1',{rejectUnauthorized:false},function (error, response, body) {
  if (!error && response.statusCode == 200) {
    console.log("NEEDLE:"+body);
  }
});

@alindsay55661 alindsay55661 commented Mar 22, 2013

Same problem here. Using node v0.10.1 and latest request version.

@niftylettuce niftylettuce commented Apr 13, 2013

same issue here using v0.10.2

@jesusprubio jesusprubio commented Apr 22, 2013

The same problem in v0.11.1-pre. I need to accept invalid certificates because I'm developing a security tool.

@client = tls.connect @PORT, @target, {rejectUnhauthorized : false}, =>
  @client.write message
  @client.setEncoding 'utf-8'

@weisjohn weisjohn commented Apr 23, 2013

The code you need is:

request({ url : 'https://127.0.0.1', rejectUnhauthorized : false }, function...

Edit: I removed the lame comment that I made, cause, that's just lame of me....

@niftylettuce niftylettuce commented Apr 26, 2013

rejectUnauthorized: false

@dankohn dankohn commented Apr 29, 2013

rejectUnauthorized: false did not work for me. Instead, adding the following removed the error:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0" // Avoids DEPTH_ZERO_SELF_SIGNED_CERT error for self-signed certs

@cliffano cliffano commented May 7, 2013

I can verify that NODE_TLS_REJECT_UNAUTHORIZED=0 works for me, but rejectUnauthorized: false does not.
Using node v0.10.1

@case case commented May 8, 2013

@dankohn & @cliffano +1 for your suggestions here.

@cliffano cliffano commented May 9, 2013

@case NODE_TLS_REJECT_UNAUTHORIZED is only an escape hatch to revert to old behaviours (allowing invalid and self-signed certs) according to nodejs/node-v0.x-archive#4023, so it's just a workaround for me to get self-signed cert working.
So it looks like rejectUnauthorized: false is not doing what it's supposed to be doing.

Member

@mikeal mikeal commented May 9, 2013

We know that, in many cases, {rejectUnauthorized:false} works and in some others it appears not to propagate to core. The question we need to answer is "is there an edge case where request does not set this option properly or is core not observing the option properly in some edge cases?"

I need a fully reproducible test in order to answer that question.

@case case commented May 9, 2013

Unfortunately I don't have a test case, but this might be helpful:

  • the server I'm talking to requires SSLv3 for some reason (python code for reference; I was seeing the same error in Node)
  • this is how I'm forcing SSLv3 (which I couldn't find a way to do in Request): https.globalAgent.options.secureProtocol = 'SSLv3_method';

@jksdua jksdua commented Aug 21, 2013

Hey guys,

Thanks to everyone who works on the library. I was trying to use self-signed cert for some testing and get the same error. I've included details below. Let me know if you need anything else. I've tried all combinations of using strictSSL and rejectUnauthorized but it doesn't seem to work.

Node version: 0.10.10
OS: Windows 7 x64
OpenSSL: Win32 1.0.1e
Cert generated using:
openssl genrsa -out priv.pem 1024
openssl req -x509 -new -key priv.pem -days 3650 -out cert.crt

Code for creating server

var fs = require('fs');
var https = require('https');
var express = require('express');
var app = express();
var credentials = {
    key: fs.readFileSync(__dirname + '/priv.pem', 'utf8'),
    cert: fs.readFileSync(__dirname + '/cert.crt', 'utf8')
};
var server = https.createServer(credentials, app);
server.listen(3000);

Using request like so:

var request = require('request');
request.defaults({
    strictSSL: false, // allow us to use our self-signed cert for testing
    rejectUnauthorized: false
});
request('https://localhost:3000', function(err) {
    console.error(err); // outputs the zero_depth error
});

@ofirsh ofirsh commented Sep 19, 2013

@dankohn worked for me

@jokesterfr jokesterfr commented Sep 26, 2013

With request@2.27.0 and nodejs v0.10.15 rejectUnauthorized: false still does not work, I still have to use this hack:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"

Which is ugly, because I would like to check validity and accept self signed certificates.

@dscape dscape commented Nov 19, 2013

Found the problem while writing a test but was unable to replicate.

@JeffML JeffML commented Dec 19, 2013

Had an interesting occurrence of this problem. Set strictSSL: false, which worked on one box but not on another (rejectUnauthorized=false failed as well). @dankohn's suggestion worked.

@jhfoo jhfoo commented Jan 30, 2014

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

Works for restler as well.

@kkarloe kkarloe commented Apr 22, 2014

I was able to get it to work using rejectUnauthorized: false (node v0.10.26)

mcollina added a commit to mqttjs/MQTT.js that referenced this issue May 23, 2014

@syzer syzer commented Jul 2, 2014

I know this is closed and merged,
but maybe worth mentioning that
some 3rd party libs still depend on request and use it without rejectUnauthorized: false

johnfriz pushed a commit to Strongbow-review/fh-fhc that referenced this issue Jul 9, 2014
Contributor

@seanstrom seanstrom commented Oct 15, 2014

I'll be closing this issue
If this is still a problem for anyone I'll re-open it.
Let me know

@seanstrom seanstrom closed this Oct 15, 2014

@webduvet webduvet commented Oct 17, 2014

still an issue here v10.0.32
when trying process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
I get:
_stream_readable.js:748
throw new Error('Cannot switch to old mode now.');

Contributor

@seanstrom seanstrom commented Oct 17, 2014

@webduvet can you give us a code sample?
That will help us debug this problem

@webduvet webduvet commented Oct 17, 2014

@seanstrom sure, it was a very simple sample from the nodejs doc.

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
var tls = require('tls');
var fs = require('fs');
var options = {
  cert: fs.readFileSync('test-cert.pem'),
  strictSSL: false
};
var cleartextStream = tls.connect(8000, options, function() {
  console.log('client connected',
              cleartextStream.authorized ? 'authorized' : 'unauthorized');
  process.stdin.pipe(cleartextStream);
  process.stdin.resume();
});

@jandrieu jandrieu commented Apr 30, 2015

@seanstrom I'm still getting this error when trying to use self-signed certs.

Thing is, rejectUnauthorized: false turns off all verification, right? Because it works even if I don't provide a PEM or key or list of acceptable certs. I need to provide a cert (or key) and have the request engine support actually check the cert list.

Member

@nylen nylen commented May 4, 2015

Yes, rejectUnauthorized: false or strictSSL: false are not ideal solutions because they turn off all certificate verification. It's possible to add your own CAs for self-signed or unrecognized certificates though. Have a look at our HTTPS tests for an example of how to do this: https://github.com/request/request/blob/master/tests/test-https.js

@jandrieu jandrieu commented May 6, 2015

Thanks, Nylen. That test helped clear up what we were doing wrong. We were using self-signed certs, rather than first creating a self-signed CA and then using that CA to sign the server cert. That's what I thought we were doing, but we weren't.

@Dzenly Dzenly commented Jan 20, 2016

For those who wish to understand a principle.

https://nodejs.org/dist/v0.12.9/docs/api/tls.html#tls_tls_connect_options_callback

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "1";
var tls = require('tls');
var fs = require('fs');
var constants = require('constants');
var util = require('util');

var options = {
    host: 'localhost',
    strictSSL: true,
    ca: [fs.readFileSync('trusted1.pem'), fs.readFileSync('trusted2.pem') ],
    rejectUnauthorized: true, // Trust to listed certificates only. Don't trust even google's certificates.
    secureOptions: constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1,
    secureProtocol: 'SSLv23_method',
    ciphers: 'ECDHE-RSA-AES128-SHA256'
};

var socket = tls.connect(3001, options, function() {
    console.log('client connected',
        socket.authorized ? 'authorized' : 'unauthorized',
        socket.encrypted ? 'encrypted' : 'unencrypted',
        '\nCipher: ' + util.inspect(socket.getCipher()),
        '\nCert Info: \n' + util.inspect(socket.getPeerCertificate(true)));
    //process.stdin.pipe(socket);
    //process.stdin.resume();
});

@AliShire AliShire commented Oct 10, 2016

Really, it sounds like all your problems are that your client system has no SSL certificate configuration.
First configure your system's OpenSSL and then add your request, whether it is GET or POST, to process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; it would work inshaa Allah

@saurabh1gupta saurabh1gupta commented Dec 13, 2016

Hi there,

I'm facing a similar issue but only in the "POST" method while "GET" is working fine. Here is the detailed information:

Test Code:

var frisby = require('frisby');
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

var CONF = process.env['CONF'];
var config = require('../config/' + CONF);
var data = require('../tests_data/batch_data.json');

frisby.globalSetup({
  request: {
    strictSSL: false,
    rejectUnauthorized: false,
    headers: {'Authorization': 'token'},
    inspectOnFailure: true
  }
});

frisby.create('Test#1: Sunny Day scenario')
  .post(config.api_url + data.api_endpoint, data.test_strace, {rejectUnauthorized: false}, {json: true})
  .inspectHeaders()
  .inspectRequest()
  .inspectJSON()
  .expectJSON(data.batch_test_response_1)
  .toss();

Execution Error:
Error-1
Message: Error: Error parsing JSON string: Unexpected token D Given: Destination URL may be down or URL is invalid, Error: ESOCKETTIMEDOUT
Stacktrace: Error: Error parsing JSON string: Unexpected token D Given: Destination URL may be down or URL is invalid, Error: ESOCKETTIMEDOUT
    at _jsonParse (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:1219:11)
    at null.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:650:20)
    at null.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:1074:43)
    at Timer.listOnTimeout [as ontimeout] (timers.js:110:15)

Error-2

Message: TypeError: Cannot read property 'headers' of undefined
Stacktrace: TypeError: Cannot read property 'headers' of undefined
    at Frisby.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:894:20)
    at Frisby.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:940:8)
    at null.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:1112:18)
    at Timer.listOnTimeout [as ontimeout] (timers.js:110:15)

What should be updated here to fix these issues?

Thanks

@mateomarin mateomarin commented Jan 20, 2017

add this and it should solve it:

https.globalAgent.options.rejectUnauthorized = false;
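
The workarounds posted in this thread (NODE_TLS_REJECT_UNAUTHORIZED = "0", rejectUnauthorized: false, strictSSL: false, https.globalAgent.options.rejectUnauthorized = false) switch certificate verification off, and they tend to stay in a code base after the test setup they were added for is gone. The following is an added example, not code from the request project or from any commenter: a small source scanner that flags each of them, plus the misspelled rejectUnhauthorized key seen above. The rule ids, scope labels and sample lines are constructed for illustration.

```javascript
// Added example: flags the verification bypasses posted in this thread.
// Rule ids, scope labels and SAMPLE are constructed for illustration.
const RULES = [
  // Process-wide: every TLS client in the process stops verifying certificates.
  { id: 'env-reject-unauthorized', scope: 'process',
    re: /NODE_TLS_REJECT_UNAUTHORIZED['"]?\]?\s*=\s*['"]?0\b/ },
  { id: 'global-agent', scope: 'process',
    re: /globalAgent\.options\.rejectUnauthorized\s*=\s*false\b/ },
  // Per call: only the request or socket given this option is affected.
  { id: 'reject-unauthorized', scope: 'call',
    re: /\brejectUnauthorized['"]?\s*:\s*false\b/ },
  { id: 'strict-ssl', scope: 'call',
    re: /\bstrictSSL['"]?\s*:\s*false\b/ },
];
// Near-miss spellings such as rejectUnhauthorized: an unknown option key is
// ignored, so the author believes verification is off while it is still on.
const NEAR_MISS = /\breject\w*[Aa]uthori[sz]ed\b/g;

function findTlsBypasses(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ line: i + 1, rule: rule.id, scope: rule.scope });
      }
    }
    for (const [key] of text.matchAll(NEAR_MISS)) {
      if (key !== 'rejectUnauthorized') {
        findings.push({ line: i + 1, rule: 'misspelled-option', scope: 'ignored' });
      }
    }
  });
  return findings;
}

// Constructed input: one line per pattern from the thread, plus a safe call
// that keeps verification on and supplies its own CA.
const SAMPLE = [
  'process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";',
  'https.globalAgent.options.rejectUnauthorized = false;',
  'request({ url: u, strictSSL: false, rejectUnauthorized: false }, cb);',
  'tls.connect(port, host, { rejectUnhauthorized: false }, cb);',
  'tls.connect(3001, { ca: [caPem], rejectUnauthorized: true }, cb);',
].join('\n');

for (const f of findTlsBypasses(SAMPLE)) {
  console.log(`line ${f.line}: ${f.rule} (${f.scope})`);
}
```

The matching is line-based and textual, so it also reports occurrences inside comments and misses options assembled at runtime; findings with scope "process" deserve attention first because they affect every HTTPS client in the process, including third-party modules.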
