Nodejs https request UNABLE_TO_GET_ISSUER_CERT_LOCALLY

Problem description

OS: debian sid

Nodejs: v0.10.38

I have a request to a private service that uses authentication:

var https = require('https');

var options = {
    host: 'private.service.com',
    path: '/accounts/' + '123323' + '/orders',
    method: 'POST',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Content-Length': 0,
        'Authorization': 'Bearer ' + 'asdsdgcvxcvxcv'
    }
};

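var request = https.request(options, function (res) {
    console.log(res);
});

// Finish the request so it is actually sent; no body is written (Content-Length is 0).
request.end();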

When I run the script, node throws this error:

events.js:72
    throw er; // Unhandled 'error' event
          ^
Error: UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    at SecurePair.<anonymous> (tls.js:1381:32)
    at SecurePair.emit (events.js:92:17)
    at SecurePair.maybeInitFinished (tls.js:980:10)
    at CleartextStream.read [as _read] (tls.js:472:13)
    at CleartextStream.Readable.read (_stream_readable.js:341:10)
    at EncryptedStream.write [as _write] (tls.js:369:25)
    at doWrite (_stream_writable.js:226:10)
    at writeOrBuffer (_stream_writable.js:216:5)
    at EncryptedStream.Writable.write (_stream_writable.js:183:11)
    at write (_stream_readable.js:602:24)

The same exact script worked well for months, and I'm sure the authentication is correct. Today is the first time I have this situation.

What could be causing this error?

Recommended answer

There is a reason for SSL. Besides other features, it authenticates that you are really communicating with the server identified by private.service.com hostname. Otherwise your client software can be cheated by a Man-in-the-Middle attack.

First, when anyone encounters this issue, they should update system root SSL certificates. In Debian they are contained in the ca-certificates apt-get package.

If it doesn't help, the server probably uses an issuer certificate, which is not trusted by default worldwide PKI infrastructure. In this case the client should compare the certificate public key signature with a preshared value. This is known as "certificate pinning".

Specifically to your error, if it worked before, it is possible that the server certificate has expired. The server should renew it. As a temporary solution, you can turn off PKI validation with the rejectUnauthorized option. However, you should use it together with the pinning approach. In NodeJS, you can get the server certificate fingerprint from res.socket.getPeerCertificate().fingerprint.
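
An added example (not part of the original question or answer) of fingerprint pinning that leaves certificate validation enabled: the pin is compared inside `checkServerIdentity`, so the check happens while the connection is being set up rather than in the response callback. It assumes a current Node.js release where the peer certificate exposes `fingerprint256`, and that a privately issued chain is made trusted through the `ca` option; `withPinning`, `checkPin`, `pinnedRequest` and the sample fingerprints are hypothetical names and constructed values.

```javascript
'use strict';
const https = require('https');
const tls = require('tls');

// Accept 'AB:CD:...' or 'abcd...' and return lowercase hex without colons.
function normalizeFingerprint(fp) {
  return String(fp || '').replace(/:/g, '').toLowerCase();
}

// Follows the checkServerIdentity contract: undefined on success, Error on failure.
function checkPin(cert, pinnedSha256) {
  const presented = normalizeFingerprint(cert && cert.fingerprint256);
  // getPeerCertificate() returns {} when no certificate is available.
  if (!/^[0-9a-f]{64}$/.test(presented)) {
    return new Error('peer certificate has no SHA-256 fingerprint');
  }
  if (pinnedSha256.map(normalizeFingerprint).indexOf(presented) === -1) {
    return new Error('certificate fingerprint ' + presented + ' is not pinned');
  }
  return undefined;
}

// Copy the request options and add the pin check after the usual hostname check.
// rejectUnauthorized stays at its default (true), so a returned Error fails the
// connection in the same way as any other verification error.
function withPinning(options, pinnedSha256) {
  return Object.assign({}, options, {
    checkServerIdentity: function (hostname, cert) {
      return tls.checkServerIdentity(hostname, cert) || checkPin(cert, pinnedSha256);
    }
  });
}

// Hypothetical helper: issue the request with pinning applied.
function pinnedRequest(options, pinnedSha256, onResponse) {
  return https.request(withPinning(options, pinnedSha256), onResponse);
}

// Constructed sample values, not taken from any real server.
const PINS = ['AA:'.repeat(31) + 'AA'];
const sampleCert = {
  subject: { CN: 'private.service.com' },
  subjectaltname: 'DNS:private.service.com',
  fingerprint256: PINS[0]
};
const pinned = withPinning({ host: 'private.service.com', method: 'POST' }, PINS);
console.log(pinned.checkServerIdentity('private.service.com', sampleCert)); // pin matches
console.log(checkPin({ fingerprint256: 'BB:'.repeat(31) + 'BB' }, PINS).message);
```

Listing more than one fingerprint in the pin array lets the server rotate to a new certificate without breaking clients that already carry the next pin.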
