0

I am trying to work with nodejs which sends some data to other servers. Nodejs is communicating with the other servers over https, and nodejs verifies the other servers' certificates against the root certificates available. The requirement is that nodejs has to reject the unauthorized ones.

I am testing the above setup with some test servers. For one test server I have created a server certificate that is signed by a self-signed CA certificate 'CA1.cer' using OpenSSL. For the other test server I have followed the same steps as for the first test server, but using the makecert utility.

Now I have included both the CA certs in my nodejs code. The problem is that nodejs is failing for the test server which has certs created using the makecert utility. But the same code works with the test server which has the certs created using OpenSSL.

On the other hand, both servers work fine in the browser without any cert errors.

My nodejs options are as below and I am on version v0.8.18:

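var fs = require('fs');

// host, port, pathname, cred and xmldata are defined elsewhere in the program
var options = {
    host: host,
    port: port,
    path: pathname,
    method: 'POST',
    ca: [ fs.readFileSync('./ca1.cer'), // created using OpenSSL
          fs.readFileSync('./ca2.cer') ], // created using makecert util
    agent: false,
    requestCert: true,
    rejectUnauthorized: true, // fail the request if the server cert does not verify
    auth: cred,
    headers: {
        'Content-Type': 'text/xml',
        // byte length, not character count, so multi-byte characters are counted correctly
        'Content-Length': Buffer.byteLength(xmldata)
    }
};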

Please help....

Surender Panuganti

2 Answers

0

To allow making requests to a server with an invalid SSL certificate, add to the options:

"rejectUnauthorized": false
Andrzej Karpuszonak
  • Hi, the certificate is valid as it is working with the browser. Looking for a reason why the certificate is failing only when used with nodejs. – Surender Panuganti Nov 24 '13 at 16:08
  • The internals of the SSL certificate issue which causes the error you encountered are described here: http://blog.gaeremynck.com/fixing-unable_to_verify_leaf_signature/ – Andrzej Karpuszonak Nov 24 '13 at 18:08
  • Thanks for the comment. But in my case both the certificates are created in a similar way and I don't think there are any intermediate CAs involved. Moreover, the certificate created with OpenSSL works fine. The only differences I can see in the server certificates are that the OpenSSL cert is (version: V1, Signature Algorithm: sha1RSA, Serial No: 01, public key: 2048 bits and there is no "Authority Key Identifier" field). Makecert cert is (version: V3, Signature Algorithm: md5RSA, Serial No: , public key: 1024 bits and there is "Authority Key Identifier" field) – Surender Panuganti Nov 26 '13 at 04:24
0

The problem is resolved. The certificate created with the makecert util was not in .pem format. After converting it to .pem, the above code works. Thanks Andrei for the support.

Surender Panuganti
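The fix in the accepted answer can be done in code, so that `rejectUnauthorized: true` stays on and each CA file is normalised to PEM before it reaches the `ca` option. This is an added example, not code from the original posts; the function names are hypothetical, and it assumes the makecert output was binary DER, as Windows `.cer` files commonly are.

```javascript
// Added example: detect PEM vs. DER and convert DER to PEM for the `ca` option.
const PEM_RE = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;

// Total length declared by a DER SEQUENCE header, or -1 if the header is malformed.
function derDeclaredLength(buf) {
  if (buf.length < 2 || buf[0] !== 0x30) return -1;   // X.509 starts with SEQUENCE (0x30)
  const first = buf[1];
  if (first < 0x80) return 2 + first;                  // short-form length
  const n = first & 0x7f;                              // long form: n length bytes follow
  if (n === 0 || n > 4 || buf.length < 2 + n) return -1;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[2 + i];
  return 2 + n + len;
}

function detectCertEncoding(buf) {
  if (PEM_RE.test(buf.toString('latin1'))) return 'pem';
  // A lone DER certificate's declared length covers the whole file.
  if (derDeclaredLength(buf) === buf.length) return 'der';
  return 'unknown';
}

function toPem(buf) {
  const enc = detectCertEncoding(buf);
  if (enc === 'pem') return buf.toString('latin1');
  // Refuse anything else rather than passing an unusable CA through silently.
  if (enc !== 'der') throw new Error('not a PEM or DER certificate');
  const body = buf.toString('base64').match(/.{1,64}/g).join('\n');
  return '-----BEGIN CERTIFICATE-----\n' + body + '\n-----END CERTIFICATE-----\n';
}

// Build the `ca` array for https.request from raw file contents.
function caOption(buffers) {
  return buffers.map(toPem);
}

// Constructed sample: a DER-shaped blob (SEQUENCE header, 256-byte body), not a real certificate.
const sampleDer = Buffer.concat([Buffer.from([0x30, 0x82, 0x01, 0x00]), Buffer.alloc(256, 0xab)]);
const samplePem = toPem(sampleDer);
console.log(detectCertEncoding(sampleDer), '->', detectCertEncoding(Buffer.from(samplePem)));
// Usage: ca: caOption([fs.readFileSync('./ca1.cer'), fs.readFileSync('./ca2.cer')])
```

The check only looks at the encoding wrapper; chain verification is still performed by the TLS layer when the request is made.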