NodeJS UNABLE_TO_VERIFY_LEAF_SIGNATURE


Problem description

We're trying to use Node.js (and Mocha) as a testing framework to test API calls against an internal server over https. We're using the following node modules: Mocha, Restify, and Should to perform these tests.

When we run mocha testFileName.js, the major error we get back is:

[2013-06-19 14:16:28.105] [ERROR] console - FAIL:  Received error!  [Error:        UNABLE_TO_VERIFY_LEAF_SIGNATURE]
Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE
at SecurePair.<anonymous> (tls.js:1283:32)
at SecurePair.EventEmitter.emit (events.js:92:17)
at SecurePair.maybeInitFinished (tls.js:896:10)
at CleartextStream.read [as _read] (tls.js:430:15)
at CleartextStream.Readable.read (_stream_readable.js:320:10)
at EncryptedStream.write [as _write] (tls.js:344:25)
at doWrite (_stream_writable.js:219:10)
at writeOrBuffer (_stream_writable.js:209:5)
at EncryptedStream.Writable.write (_stream_writable.js:180:11)
at write (_stream_readable.js:573:24)
at flow (_stream_readable.js:582:7)
at Socket.pipeOnReadable (_stream_readable.js:614:5)
at Socket.EventEmitter.emit (events.js:92:17)
at emitReadable_ (_stream_readable.js:408:10)
at emitReadable (_stream_readable.js:404:5)
at readableAddChunk (_stream_readable.js:165:9)
at Socket.Readable.push (_stream_readable.js:127:10)
at TCP.onread (net.js:511:21)

After searching google and stackexchange it would seem that we have a certificate problem. From there we installed internal CA 'public' cert, as well as the instance specific certifications that our app is using (there are multiple redirects to get through), to /usr/local/etc/openssl/certs, legacy: /System/Library/Keychains/X509Anchors, /Library/Keychains/System.keychain, as well as in Keychain through the GUI to our login and System keychains. However, we're still not getting anywhere.

Before installing the certs in these places, we couldn't 'curl' our site without certificate errors on command-line; however, with them installed now we get no errors, but node still explodes.

We've tried multiple versions of Node, OpenSSL, as well as varying installation methods including downloading the package vs. using homebrew.

Machine info:

  • Mac OS X 10.8.4 (also tried 10.8.3)
  • Node v0.8.18 (also tried: Node v0.10.11, v0.10.12)
  • OpenSSL v1.0.1e (also tried 0.9.8)

Does Node.js use its own (bundled) version of OpenSSL instead of what's installed on the local machine? If that's the case, where is it looking for certificates? Could the TLS.js be telling Node to look elsewhere for certs? Is there a pragmatic approach to overwriting the certificates used; it appears there might be options we can use like this:

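var fs = require("fs");
var https = require("https");

var options = {
    // CA certificate(s) used to verify the server's certificate chain
    ca: fs.readFileSync("[path to our CA cert file]"),
    requestCert: true,
    // Fail the connection if the chain cannot be verified
    rejectUnauthorized: true
};

var req = https.request(options, function(res) {
    // ...
});
req.end(); // send the request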

But this generates our same error.

Recommended answer

UNABLE_TO_VERIFY_LEAF_SIGNATURE

The problem is that you are attempting to install a module from a repository with a bad or untrusted SSL[Secure Sockets Layer] certificate. That is not uncommon if you work at a company that self signs its certificates for internal repositories.

To work around this issue, you can run the following command:

npm config set strict-ssl false

As a best practice, it is wise to set it back to true afterwards so you do not accidentally install an untrusted module that you actually do not trust.
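
An added example, not part of the original question or answer: Node.js by default verifies servers against its own bundled CA list, and the `ca` option replaces that list, so a client can trust an internal CA explicitly while leaving verification on. The function names are hypothetical, and two entries from `tls.rootCertificates` stand in for the internal CA file so the sketch runs offline.

```javascript
// Added example: trust an internal CA in a Node.js HTTPS client while
// keeping certificate verification enabled.
const tls = require('tls');
const { X509Certificate } = require('crypto');

const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----[\s\S]+?-----END \1-----/g;

// Split a PEM bundle (root plus any intermediates) into parsed certificates.
// Throws on non-certificate blocks so a private key is never passed as a CA.
function parseCaBundle(bundleText) {
  const certs = [];
  for (const match of bundleText.matchAll(PEM_BLOCK)) {
    if (match[1] !== 'CERTIFICATE') {
      throw new Error('unexpected PEM block in CA bundle: ' + match[1]);
    }
    const x509 = new X509Certificate(match[0]); // throws on malformed input
    certs.push({
      pem: match[0],
      subject: x509.subject,
      selfSigned: x509.subject === x509.issuer, // root vs. intermediate
    });
  }
  if (certs.length === 0) throw new Error('no certificates found in bundle');
  return certs;
}

// Build options for https.request() or https.Agent. `ca` replaces Node's
// bundled list, so public roots are re-added only when the caller asks.
function buildTlsOptions(bundleText, { keepPublicRoots = false } = {}) {
  const internal = parseCaBundle(bundleText).map((c) => c.pem);
  return {
    ca: keepPublicRoots ? [...tls.rootCertificates, ...internal] : internal,
    rejectUnauthorized: true, // verification stays on
  };
}

// Constructed sample input: two certificates from Node's own bundle stand in
// for the contents of an internal CA file.
const SAMPLE_BUNDLE = tls.rootCertificates.slice(0, 2).join('\n');
```

The returned object can be merged into the options passed to `https.request`. For tools whose code you cannot edit, the `NODE_EXTRA_CA_CERTS` environment variable adds a PEM file to Node's default list, and npm has a `cafile` setting.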
