Hi,
We set up a custom self signed certificate for signing JWT. This is set in edgemicro config as -
jwt_public_key: 'https://changedhost-changedenv.apigee.net/jwt/signing'
This works in all environments and has been working in all edgemicro versions. But for one of the new installations, we are getting the following error -
current nodejs version is v6.5.0
warning: jwt_public_key download from https://changedhost-changedenv.apigee.net/jwt/signing returned { Error: self signed certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT' }
warning: error downloading config, please check bootstrap configuration { Error: self signed certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT' }
failed to retieve config from gateway. continuing, will try cached copy.. { Error: self signed certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT' }
Can someone guide what could be the reason for this issue?
Thanks,
Jaskaran
Any suggestions?
Hey Jaskaran,
Node typically doesn't like self signed certs unless you run your own CA, and have it properly set up to be used by node.
The error you're seeing is node essentially throwing security errors because it's a plain self signed cert, or whatever CA needs to be in place isn't configured properly.
You can disable these errors by setting
NODE_TLS_REJECT_UNAUTHORIZED = "0"
as an environment variable, though this means it will ignore ALL self signed issues that may pop up.
-Matt
Thanks @Matthew Dobson
I had a look at this. But my understanding is the JWT signing certificate created by Apigee when an Edgemicro instance is created is also a self signed certificate.
And there is no specific instruction to have this flag turned off during setup.
Also, the behavior is not consistent across environments. It had been working for us in most environments. I tried replicating by playing with this environment variable but was not able to make it fail.
So, couple of further questions -
1) Can you suggest a way this can be replicated?
2) Turning off this field might not be acceptable in production. Can edgemicro accept a configuration variable to turn this check off?
Thanks,
Jaskaran
Ah. I understand the problem now. We'll need to take a deeper look at this, and try and reproduce on our end then.
Are you on a free org, or a paid org when the certificate errors out?
-Matt
We are on a free org.
But it works from one machine and not from another. As you rightly pointed out there is some environment level configuration. But I am struggling to reproduce it.
For our paid orgs, it has so far worked consistently, i.e. we haven't hit this issue yet.
Gotcha. So a few questions.
-Matt
Follow up question:
Hey Jaskaran,
Can you validate that you can successfully connect to https://changedhost-changedenv.apigee.net/jwt/signing via SSL with the following openssl command?
openssl s_client -connect changedhost-changedenv.apigee.net:443 -tls1 -servername changedhost-changedenv.apigee.net
openssl s_client -connect changedhost-changedenv.apigee.net:443 -ssl3 -servername changedhost-changedenv.apigee.net
I had that exact same (unhelpful) message behind a corporate proxy for which I forgot to set https_proxy / http_proxy environment variables.
This is now resolved. We had an issue with a firewall, so this error was a bit odd. But after fixing that, we are able to start the Edgemicro server.
Thanks All for your suggestions.
Great news. Let us know if anything pops up again.
-Matt
Can you explain what the issue with the firewall was? I am struggling to fix this issue in one of our environments (in the other ones it is not reproduced).
Thanks in advance.
P.S. I also set up the environment variable NODE_TLS_REJECT_UNAUTHORIZED="0" but this didn't work.
Can you please start a new thread? It will be helpful to know the problem details, environment etc.
I just solved by installing the certificate in the machine.