
I'm getting the following error while reading an SSL cert file from GCP Cloud Storage.

    * Connected to [my.website.com] (A.b.C.D) port 443 (#0)
    * found 6 certificates in /home/<username>/[CAINFO].crt
    * found 597 certificates in /etc/ssl/certs
    * ALPN, offering http/1.1
    * error reading X.509 key or certificate file: Error while reading file.
    * Closing connection 0
    Error: SSL connect error
        at Error (native)

Here's what I'm doing.

  1. In NodeJS code, I'm pinging an API endpoint while authenticating with SSL certs.
  2. I have an SSL cert stored in GCP Cloud Storage and made it Public (just for testing) following the instructions given here.
  3. Instructions to access this object are given here.
  4. Using gsutil, I am able to access the cert.

    $ gsutil ls -r gs://[BUCKET_NAME]/[SSLCERT].pem
    gs://[BUCKET_NAME]/[SSLCERT].pem

  5. When I access the SSL cert from NodeJS code, I get the above error. The URL to access the file is: http://storage.googleapis.com/[BUCKET_NAME]/[SSLCERT].pem

  6. If I access the cert from local disk instead of Cloud Storage and run the NodeJS code, it works fine. So, the cert is valid.

Outline of my code:

    const Curl = require('node-libcurl').Curl;
    const curl = new Curl();

    const URL = 'https://api-end-point.com';

    // let sslcert = '/home/path/to/[SSLCERT].pem';  // this works
    let sslcert = 'http://storage.googleapis.com/[BUCKET_NAME]/[SSLCERT].pem';  // NOT working

    curl.setOpt('URL', URL);
    // ...
    curl.setOpt('SSLCERT', sslcert);  // client certificate used to authenticate
    // ...

    curl.on('end', function(statusCode, body, headers) {
        console.info("Status Code: " + statusCode);
        console.info(body.length);
        this.close();
    });

    curl.on('error', (err) => {
        console.log(err);
    });

    curl.perform();

Bhaskar
  • So, you're expecting that `http://storage.googleapis.com/[BUCKET_NAME]/[SSLCERT].pem` to download a file? Does it, if you just access it directly with that url in a browser or some other way? – Doug Stevenson Jan 30 '19 at 15:24
  • @DougStevenson when I access URL from browser, the file is downloaded. So, the "Public" access part is working. I set the SSLCERT option in node-libcurl to pick the cert from this URL when doing cURL call. This is not happening (based on error message). – Bhaskar Jan 30 '19 at 17:39
  • Another thing I noticed is, when I do a plain cURL from a Linux command line to this URL, it fails with `Recv failure: Connection reset by peer`. However, cURL succeeds in another machine (MacOS). Linux has cURL version 7.47.0 while MacOS has 7.54.0. – Bhaskar Jan 30 '19 at 17:40
  • Most likely you have not installed cacert.pem on your local machine: http://curl.haxx.se/docs/sslcerts.html Download cacert.pem: https://curl.haxx.se/ca/cacert.pem – John Hanley Jan 31 '19 at 09:14

0 Answers
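
Added example, not part of the original question or its comments: libcurl's `SSLCERT` option takes a local file name, so a certificate kept in a bucket has to be downloaded first and written to disk before its path is passed to `curl.setOpt('SSLCERT', ...)`. The helper names and the sample PEM below are constructed for illustration, and the download itself is assumed to be done by the caller.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Constructed placeholder PEM (not a real certificate), used only for the demo.
const SAMPLE_PEM = [
  '-----BEGIN CERTIFICATE-----',
  'Q09OU1RSVUNURUQgU0FNUExFIE9OTFk=',
  '-----END CERTIFICATE-----',
  ''
].join('\n');

// SSLCERT is handed to the TLS backend as a file name, so a URL cannot be read.
function isRemoteLocation(value) {
  return /^[a-z][a-z0-9+.-]*:\/\//i.test(value);
}

// Structural check so an HTML error page or an empty body is rejected here,
// instead of surfacing later as "error reading X.509 key or certificate file".
function looksLikePem(text) {
  return /-----BEGIN [A-Z0-9 ]+-----[\s\S]+?-----END [A-Z0-9 ]+-----/.test(String(text));
}

// Write PEM text (already downloaded by the caller) into a fresh directory
// readable only by the current user, and return the path for SSLCERT.
function writePemToPrivateFile(pemText) {
  if (!looksLikePem(pemText)) {
    throw new Error('downloaded data is not PEM');
  }
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'clientcert-'));
  const file = path.join(dir, 'client.pem');
  // 'wx' refuses to overwrite; 0o600 keeps group and others out.
  fs.writeFileSync(file, pemText, { mode: 0o600, flag: 'wx' });
  return file;
}

// Resolve the value to pass to curl.setOpt('SSLCERT', ...).
function certPathForCurl(configured, downloadedPem) {
  if (!isRemoteLocation(configured)) return configured; // already a local path
  return writePemToPrivateFile(downloadedPem);
}
```

Pass the object's contents as `downloadedPem` after fetching them over HTTPS or with the Cloud Storage client, and delete the temporary file once the request has finished.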