Error: DEPTH_ZERO_SELF_SIGNED_CERT

[maiko-rocha]

I'm using self-signed test certificates in my apache2 server and when I call request I get the following error:

Error: DEPTH_ZERO_SELF_SIGNED_CERT

I'm using the following code below to test it. Notice that I'm also using needle and it works with the rejectUnauthorized=true option. I could not find an equivalent on request (I've tried strictSSL=false but I guess that's the default). I couldn't find any other samples related do the problem either.

var request = require('request'),
    needle = require('needle');

request('https://127.0.0.1', function (error, response, body) {
  if (!error && response.statusCode == 200) {
    console.log("REQUEST:"+body);
  } else {
    console.error("REQUEST: "+error)
  }
});

needle.get('https://127.0.0.1',{rejectUnauthorized:false},function (error, response, body) {
  if (!error && response.statusCode == 200) {
    console.log("NEEDLE:"+body);
  }
});

[alindsay55661]

Same problem here. Using node v0.10.1 and latest request version.

[niftylettuce]

same issue here using v0.10.2

[jesusprubio]

The same problem in v0.11.1-pre. I need to accept invalid certificates because I'm developing a security tool.

@client = tls.connect @PORT, @target, {rejectUnhauthorized : false}, =>
@client.write message
@client.setEncoding 'utf-8'

[weisjohn]

The code you need is:

request({ url : 'https://127.0.0.1', rejectUnhauthorized : false }, function...

Edit: I removed the lame comment that I made, cause, that's just lame of me....

[niftylettuce]

rejectUnauthorized: false

[dankohn]

rejectUnauthorized: false did not work for me. Instead, adding the following removed the error:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0" // Avoids DEPTH_ZERO_SELF_SIGNED_CERT error for self-signed certs

[cliffano]

I can verify that NODE_TLS_REJECT_UNAUTHORIZED=0 works for me, but rejectUnauthorized: false does not.
Using node v0.10.1

[case]

@dankohn & @cliffano +1 for your suggestions here.

[cliffano]

@case NODE_TLS_REJECT_UNAUTHORIZED is only an escape hatch to revert to old behaviours (allowing invalid and self-signed certs) according to nodejs/node-v0.x-archive#4023 , so it's just a workaround for me to get self-signed cert working.
So it looks like rejectUnauthorized: false is not doing what it's supposed to be doing.

[mikeal]

We know that, in many cases, {rejectUnauthorized:false} works and in some others it appears not to propagate to core. The question need to answer is "is there an edge case where request does not set this option properly or is core not observing the option properly in some edge cases?"

I need a fully reproducible test in order to answer that question.

[case]

Unfortunately I don't have a test case, but this might be helpful:

• the server I'm talking to requires SSLv3 for some reason (python code for reference; I was seeing the same error in Node)
• this is how I'm forcing SSLv3 (which I couldn't find a way to do in Request): https.globalAgent.options.secureProtocol = 'SSLv3_method';

[jksdua]

Hey guys,

Thanks to everyone who works on the library. I was trying to use self-signed cert for some testing and get the same error. I've included details below. Let me know if you need anything else. I've tried all combinations of using strictSSL and rejectUnauthorized but it doesn't seem to work.

Node version: 0.10.10
OS: Windows 7 x64
OpenSSL: Win32 1.0.1e
Cert generated using:
openssl genrsa –out priv.pem 1024
openssl req -x509 -new -key priv.pem -days 3650 -out cert.crt

Code for creating server

var https = require('https');
var express = require('express');
var app = express();
var credentials = {
    key: fs.readFileSync(__dirname + '/priv.pem', 'utf8'),
    cert: fs.readFileSync(__dirname + '/cert.crt', 'utf8')
};
var server = https.createServer(credentials, app);
server.listen(3000);

Using request like so:

var request = require('request');
request.defaults({
    strictSSL: false, // allow us to use our self-signed cert for testing
    rejectUnauthorized: false
});
request('https://localhost:3000', function(err) {
    console.error(err); // outputs the zero_depth error
});

[ofirsh]

@dankohn worked for me