New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Error: DEPTH_ZERO_SELF_SIGNED_CERT #418

Closed
maiko-rocha opened this Issue Jan 22, 2013 · 51 comments

Comments

Projects
None yet
@maiko-rocha

maiko-rocha commented Jan 22, 2013

I'm using self-signed test certificates in my apache2 server and when I call request I get the following error:

Error: DEPTH_ZERO_SELF_SIGNED_CERT

I'm using the following code below to test it. Notice that I'm also using needle and it works with the rejectUnauthorized=true option. I could not find an equivalent on request (I've tried strictSSL=false but I guess that's the default). I couldn't find any other samples related do the problem either.

var request = require('request'),
    needle = require('needle');

request('https://127.0.0.1', function (error, response, body) {
  if (!error && response.statusCode == 200) {
    console.log("REQUEST:"+body);
  } else {
    console.error("REQUEST: "+error)
  }
});

needle.get('https://127.0.0.1',{rejectUnauthorized:false},function (error, response, body) {
  if (!error && response.statusCode == 200) {
    console.log("NEEDLE:"+body);
  }
});
@alindsay55661

This comment has been minimized.

alindsay55661 commented Mar 22, 2013

Same problem here. Using node v0.10.1 and latest request version.

@niftylettuce

This comment has been minimized.

niftylettuce commented Apr 13, 2013

same issue here using v0.10.2

@jesusprubio

This comment has been minimized.

jesusprubio commented Apr 22, 2013

The same problem in v0.11.1-pre. I need to accept invalid certificates because I'm developing a security tool.

@client = tls.connect @port, @target, {rejectUnhauthorized : false}, =>
@client.write message
@client.setEncoding 'utf-8'

@weisjohn

This comment has been minimized.

weisjohn commented Apr 23, 2013

The code you need is:

request({ url : 'https://127.0.0.1', rejectUnhauthorized : false }, function...

Edit: I removed the lame comment that I made, cause, that's just lame of me....

@niftylettuce

This comment has been minimized.

niftylettuce commented Apr 26, 2013

rejectUnauthorized: false

@dankohn

This comment has been minimized.

dankohn commented Apr 29, 2013

rejectUnauthorized: false did not work for me. Instead, adding the following removed the error:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0" // Avoids DEPTH_ZERO_SELF_SIGNED_CERT error for self-signed certs
@cliffano

This comment has been minimized.

cliffano commented May 7, 2013

I can verify that NODE_TLS_REJECT_UNAUTHORIZED=0 works for me, but rejectUnauthorized: false does not.
Using node v0.10.1

@case

This comment has been minimized.

case commented May 8, 2013

@dankohn & @cliffano +1 for your suggestions here.

@cliffano

This comment has been minimized.

cliffano commented May 9, 2013

@case NODE_TLS_REJECT_UNAUTHORIZED is only an escape hatch to revert to old behaviours (allowing invalid and self-signed certs) according to nodejs/node-v0.x-archive#4023 , so it's just a workaround for me to get self-signed cert working.
So it looks like rejectUnauthorized: false is not doing what it's supposed to be doing.

@mikeal

This comment has been minimized.

Member

mikeal commented May 9, 2013

We know that, in many cases, {rejectUnauthorized:false} works and in some others it appears not to propagate to core. The question need to answer is "is there an edge case where request does not set this option properly or is core not observing the option properly in some edge cases?"

I need a fully reproducible test in order to answer that question.

@case

This comment has been minimized.

case commented May 9, 2013

Unfortunately I don't have a test case, but this might be helpful:

  • the server I'm talking to requires SSLv3 for some reason (python code for reference; I was seeing the same error in Node)
  • this is how I'm forcing SSLv3 (which I couldn't find a way to do in Request): https.globalAgent.options.secureProtocol = 'SSLv3_method';
@jksdua

This comment has been minimized.

jksdua commented Aug 21, 2013

Hey guys,

Thanks to everyone who works on the library. I was trying to use self-signed cert for some testing and get the same error. I've included details below. Let me know if you need anything else. I've tried all combinations of using strictSSL and rejectUnauthorized but it doesn't seem to work.

Node version: 0.10.10
OS: Windows 7 x64
OpenSSL: Win32 1.0.1e
Cert generated using:
openssl genrsa –out priv.pem 1024
openssl req -x509 -new -key priv.pem -days 3650 -out cert.crt

Code for creating server

var https = require('https');
var express = require('express');
var app = express();
var credentials = {
    key: fs.readFileSync(__dirname + '/priv.pem', 'utf8'),
    cert: fs.readFileSync(__dirname + '/cert.crt', 'utf8')
};
var server = https.createServer(credentials, app);
server.listen(3000);

Using request like so:

var request = require('request');
request.defaults({
    strictSSL: false, // allow us to use our self-signed cert for testing
    rejectUnauthorized: false
});
request('https://localhost:3000', function(err) {
    console.error(err); // outputs the zero_depth error
});
@ofirsh

This comment has been minimized.

ofirsh commented Sep 19, 2013

@dankohn worked for me

@jokesterfr

This comment has been minimized.

jokesterfr commented Sep 26, 2013

With request@2.27.0 and nodejs v0.10.15 rejectUnauthorized: false still not work, I still have to use this hack:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"

Which is ugly, because I would like to check validity and accept self signed certificates.

@dscape

This comment has been minimized.

dscape commented Nov 19, 2013

Found the problem while writing a test but was unable to replicate.

@JeffML

This comment has been minimized.

JeffML commented Dec 19, 2013

Had an interesting occurrence of this problem. Set strictSSL: false, which worked on one box but not on another (rejectUnauthorized=false failed as well). @dankohn's suggestion worked.

@jhfoo

This comment has been minimized.

jhfoo commented Jan 30, 2014

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

Works for restler as well.

@kkarloe

This comment has been minimized.

kkarloe commented Apr 22, 2014

I was able to get it to work using rejectUnauthorized: false (node v0.10.26)

mcollina added a commit to mqttjs/MQTT.js that referenced this issue May 23, 2014

@syzer

This comment has been minimized.

syzer commented Jul 2, 2014

i know is closed and merged
but maybe worth mentioning that:
some 3rd party libs still depend on request and use without rejectUnauthorized: false

johnfriz pushed a commit to Strongbow-review/fh-fhc that referenced this issue Jul 9, 2014

@seanstrom

This comment has been minimized.

Contributor

seanstrom commented Oct 15, 2014

I'll be closing this issue
If this is still a problem for anyone I'll re-open it.
Let me know

@seanstrom seanstrom closed this Oct 15, 2014

@webduvet

This comment has been minimized.

webduvet commented Oct 17, 2014

still a issue here v10.0.32
when trying process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
i get:
_stream_readable.js:748
throw new Error('Cannot switch to old mode now.');

@seanstrom

This comment has been minimized.

Contributor

seanstrom commented Oct 17, 2014

@webduvet can you give us a code sample?
That will help us debug this problem

@webduvet

This comment has been minimized.

webduvet commented Oct 17, 2014

@seanstrom sure, it was very simple sample from nodejs doc.

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
var tls = require('tls');
var fs = require('fs');
var options = {
  cert: fs.readFileSync('test-cert.pem'),
  strictSSL: false
};
var cleartextStream = tls.connect(8000, options, function() {
  console.log('client connected',
              cleartextStream.authorized ? 'authorized' : 'unauthorized');
  process.stdin.pipe(cleartextStream);
  process.stdin.resume();
});
@jandrieu

This comment has been minimized.

jandrieu commented Apr 30, 2015

@seanstrom I'm still getting this error when trying to use self-signed certs.

Thing is, rejectUnauthorized: false turns off all verification, right? Because it works even if I don't provide a PEM or key or list of accepable certs. I need to provide a cert (or key) and have the request engine support actually check the cert list.

@nylen

This comment has been minimized.

Member

nylen commented May 4, 2015

Yes, rejectUnauthorized: false or strictSSL: false are not ideal solutions because they turn off all certificate verification. It's possible to add your own CAs for self-signed or unrecognized certificates though. Have a look at our HTTPS tests for an example of how to do this: https://github.com/request/request/blob/master/tests/test-https.js

@jandrieu

This comment has been minimized.

jandrieu commented May 6, 2015

Thanks, Nylen. That test helped clear up what we were doing wrong. We were using self-signed certs, rather than first creating a self-signed CA and then using that CA to sign the server cert. That's what I thought we were doing, but we weren't.

@Dzenly

This comment has been minimized.

Dzenly commented Jan 20, 2016

For those who wish to understand a principle.

https://nodejs.org/dist/v0.12.9/docs/api/tls.html#tls_tls_connect_options_callback

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "1";
var tls = require('tls');
var fs = require('fs');
var constants = require('constants');
var util = require('util');

var options = {
    host: 'localhost',
    strictSSL: true,
    ca: [fs.readFileSync('trusted1.pem'), fs.readFileSync('trusted2.pem') ],
    rejectUnauthorized: true, // Trust to listed certificates only. Don't trust even google's certificates.
    secureOptions: constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1,
    secureProtocol: 'SSLv23_method',
    ciphers: 'ECDHE-RSA-AES128-SHA256'
};

var socket = tls.connect(3001, options, function() {
    console.log('client connected',
        socket.authorized ? 'authorized' : 'unauthorized',
        socket.encrypted ? 'encrypted' : 'unencrypted',
        '\nCipher: ' + util.inspect(socket.getCipher()),
        '\nCert Info: \n' + util.inspect(socket.getPeerCertificate(true)));
    //process.stdin.pipe(socket);
    //process.stdin.resume();
});
@AliShire

This comment has been minimized.

AliShire commented Oct 10, 2016

really it sound all your problems is your client system has no SSL certificate configuration
first configure your systems openSsl ands then add your request whether is get or post to process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; it would work inshaa Allah

@saurabh1gupta

This comment has been minimized.

saurabh1gupta commented Dec 13, 2016

Hi there,

I'm facing the similar issue but only in "POST" method while "GET" is working fine. Here are the detailed information:

Test Code:

`
var frisby = require('frisby');
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

var CONF = process.env['CONF'];
var config = require('../config/' + CONF);
var data = require('../tests_data/batch_data.json');

frisby.globalSetup({
request: {
strictSSL: false,
rejectUnauthorized: false,
headers: {'Authorization': 'token'},
inspectOnFailure: true
}
});

frisby.create('Test#1: Sunny Day scenario')
.post(config.api_url + data.api_endpoint, data.test_strace, {rejectUnauthorized: false}, {json: true})
.inspectHeaders()
.inspectRequest()
.inspectJSON()
.expectJSON(data.batch_test_response_1)
.toss();
`

Execution Error:
Error-1
Message: Error: Error parsing JSON string: Unexpected token D Given: Destination URL may be down or URL is invalid, Error: ESOCKETTIMEDOUT Stacktrace: Error: Error parsing JSON string: Unexpected token D Given: Destination URL may be down or URL is invalid, Error: ESOCKETTIMEDOUT at _jsonParse (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:1219:11) at null.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:650:20) at null.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:1074:43) at Timer.listOnTimeout [as ontimeout] (timers.js:110:15)

Error-2

Message: TypeError: Cannot read property 'headers' of undefined Stacktrace: TypeError: Cannot read property 'headers' of undefined at Frisby.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:894:20) at Frisby.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:940:8) at null.<anonymous> (/usr/src/app/frisby_api/node_modules/frisby/lib/frisby.js:1112:18) at Timer.listOnTimeout [as ontimeout] (timers.js:110:15)

What should be updated here to fix these issues?

Thanks

@mateomarin

This comment has been minimized.

mateomarin commented Jan 20, 2017

add this and it should solve it:

https.globalAgent.options.rejectUnauthorized = false;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment