How to configure axios to use SSL certificate?

Views: 3609

Question

I'm trying to make a request with axios to an api endpoint and I'm getting the following error: Error: unable to verify the first certificate

It seems the https module, which axios uses, is unable to verify the SSL certificate used on the server.

When visiting the server with my browser, the certificate is valid and I can see/download it. I can also make requests to the api on my browser through https.

I can work around it by turning off verification. This code works.

const axios = require('axios');
const https = require('https');

// url and body are defined elsewhere in the calling code
const result = await axios.post(
  `https://${url}/login`,
  body,
  {
    // disables server certificate verification (the workaround in question)
    httpsAgent: new https.Agent({
      rejectUnauthorized: false
    })
  }
)

Problem is, this doesn't verify the SSL certificate and therefore opens up security holes.

How can I configure axios to trust the certificate and correctly verify it?

Answer

Old question but chiming in for those who land here. No expert. Please consult with your local security gurus and what not.

Axios is an http(s) client, and http clients usually participate in TLS anonymously. In other words, the server accepts their connection without identifying who is trying to connect. This is different than, say, Mutual TLS, where both the server and client verify each other before completing the handshake.

The internet is a scary place and we want to protect our clients from connecting to spoofed public endpoints. We do this by ensuring our clients identify the server before sending any private data.

const https = require('https');

// DO NOT DO THIS IF SHARING PRIVATE DATA WITH SERVICE
const httpsAgent = new https.Agent({ rejectUnauthorized: false });

This is often posted (and more egregiously upvoted) as the answer on StackOverflow regarding https client connection failures in any language. And what's worse is that it usually works, unblocks the dev and they move on their merry way. However, while they certainly get in the door, whose door is it? Since they opted out of verifying the server's identity, their poor client has no way of knowing if the connection they just made to the company's intranet has bad actors listening on the line.

If the service has a public SSL cert, the https.Agent usually does not need to be configured further because your operating system provides a common set of publicly trusted CA certs. This is usually the same set of CA certs your browser is configured to use and is why a default axios client can hit https://google.com with little fuss.

If the service has a private SSL cert (self signed for testing purposes or one signed by your company's private CA to protect their internal secrets), the https agent must be configured to trust the private CA used to sign the server cert:

const httpsAgent = new https.Agent({ ca: MY_CA_BUNDLE });

where MY_CA_BUNDLE is an array of CA certs in .pem format.
