Nodejs https 请求 UNABLE_TO_GET_ISSUER_CERT_LOCALLY
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/30651407/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Nodejs https request UNABLE_TO_GET_ISSUER_CERT_LOCALLY
提问by pietrovismara
OS: debian sid
操作系统:debian sid
Nodejs: v0.10.38
Nodejs:v0.10.38
I have a request to a private service that use authentication:
我有一个使用身份验证的私人服务的请求:
var https = require('https');
var options = {
host: 'private.service.com',
path: '/accounts/' + '123323' + '/orders',
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': 0,
'Authorization': 'Bearer ' + 'asdsdgcvxcvxcv'
}
};
var request = https.request(options, function (res) {
console.log(res);
});When i run the script, node throws this error:
当我运行脚本时,节点抛出此错误:
events.js:72
throw er; // Unhandled 'error' event
^
Error: UNABLE_TO_GET_ISSUER_CERT_LOCALLY
at SecurePair.<anonymous> (tls.js:1381:32)
at SecurePair.emit (events.js:92:17)
at SecurePair.maybeInitFinished (tls.js:980:10)
at CleartextStream.read [as _read] (tls.js:472:13)
at CleartextStream.Readable.read (_stream_readable.js:341:10)
at EncryptedStream.write [as _write] (tls.js:369:25)
at doWrite (_stream_writable.js:226:10)
at writeOrBuffer (_stream_writable.js:216:5)
at EncryptedStream.Writable.write (_stream_writable.js:183:11)
at write (_stream_readable.js:602:24)
The same exact script worked well for months, and i'm sure the authentication is correct. Today is the first time i have this situation.
相同的脚本在几个月内运行良好,我确信身份验证是正确的。今天是我第一次遇到这种情况。
Which can be the cause for this error?
哪个可能是导致此错误的原因?
回答by pietrovismara
After some study i found that this is a problem of the server that i'm trying to make the https request to.
经过一番研究,我发现这是我试图向其发出 https 请求的服务器的问题。
Node https cannot find the ssl ISSUER_CERT on the private.service server and so it throw that exception.
节点 https 在 private.service 服务器上找不到 ssl ISSUER_CERT,因此它抛出该异常。
The solution i used, since i'm sure i can trust that server, was to add
我使用的解决方案,因为我确定我可以信任该服务器,因此添加
rejectUnauthorized: false
to the options of the https request, this way node will not throw an exception in case of certificates problem.
对于 https 请求的选项,这种方式节点不会在证书问题的情况下抛出异常。
Anyway this solution is valid only if you know you can trust the host of your request, otherwise it's probably not the best solution.
无论如何,只有当您知道可以信任请求的主机时,此解决方案才有效,否则它可能不是最佳解决方案。
回答by zakjan
There is a reason for SSL. Besides other features, it authenticates that you are really communicating with the server identified by private.service.comhostname. Otherwise your client software can be cheated by a Man-in-the-Middle attack.
SSL是有原因的。除了其他功能外,它还可以验证您是否真正与由private.service.com主机名标识的服务器进行通信。否则,您的客户端软件可能会被中间人攻击所欺骗。
First when anyone encounters this issue, they should update system root SSL certificates. In Debian they are contained in ca-certificatesapt-get package.
首先,当有人遇到此问题时,他们应该更新系统根 SSL 证书。在 Debian 中,它们包含在ca-certificatesapt-get 包中。
If it doesn't help, the server probably uses an issuer certificate, which is not trusted by default worldwide PKI infrastructure. In this case the client should compare the certificate public key signature with a preshared value. This is known as "certificate pinning".
如果没有帮助,则服务器可能使用颁发者证书,默认情况下,全球 PKI 基础结构不受信任。在这种情况下,客户端应将证书公钥签名与预共享值进行比较。这称为“证书固定”。
Specifically to your error, if it worked before, it is possible that the server certificate has expired. The server should renew it. As a temporary solution, you can turn off PKI validation by rejectUnauthorizedoption. However you should use it together with the pinning approach. In NodeJS, you can get the server certificate fingerprint from res.socket.getPeerCertificate().fingerprint.
特别是您的错误,如果它之前有效,则服务器证书可能已过期。服务器应该更新它。作为临时解决方案,您可以通过rejectUnauthorized选项关闭 PKI 验证。但是,您应该将它与固定方法一起使用。在 NodeJS 中,您可以从res.socket.getPeerCertificate().fingerprint.
回答by hectordetroya84
After a reasearch this solved the problem:
经过研究这解决了这个问题:
npm set strict-ssl=false
Hope it helps.
希望能帮助到你。
回答by cstroe
From this GitHub issue, use the following environment variable:
从这个 GitHub 问题,使用以下环境变量:
export NODE_EXTRA_CA_CERTS=/path/to/certfile.crt
After this, you can run any of the npmcommands and nodejs will trust your extra certificate file.
在此之后,您可以运行任何npm命令,nodejs 将信任您额外的证书文件。
The .crtfile is a file that contains a prefix line, the base64 encoded cert and a suffix line.
该.crt文件是一个包含前缀行、base64 编码证书和后缀行的文件。
If you don't have your root CA cert handy, you can generate the cert file from your URL, with the opensslcommand:
如果您手边没有根 CA 证书,则可以使用以下openssl命令从您的 URL 生成证书文件:
openssl s_client \
-showcerts \
-servername <host> \
-connect <host>:443 2>/dev/null </dev/null | \
openssl x509
Where <host>is the hostname of the url. For example, using google.comfor the host, the output looks something like this:
<host>url 的主机名在哪里。例如,google.com用于主机,输出如下所示:
-----BEGIN CERTIFICATE-----
MIIIIDCCBwigAwIBAgIQI/1aCHwDN94QFUhXJeIwODANBgkqhkiG9w0BAQsFADBU
(42 more lines)
E+Hv1bJSbOMSNCDzqRM3JUzvM6Y=
-----END CERTIFICATE-----
Save that as your .crtfile and add its path to the NODE_EXTRA_CA_CERTSenvironment variable and you're all set.
将其另存为您的.crt文件并将其路径添加到NODE_EXTRA_CA_CERTS环境变量中,您就完成了。
回答by Hosein Zarifi
when I was trying to install npm on Ubuntu 16 i got the same error. The following command worked for me.
当我尝试在 Ubuntu 16 上安装 npm 时,我遇到了同样的错误。以下命令对我有用。
npm config set registry http://registry.npmjs.org/
