DEPTH_ZERO_SELF_SIGNED_CERT error in fetching public jwt signing certificate


Hi,


We set up a custom self-signed certificate for signing JWTs. This is set in the edgemicro config as -

jwt_public_key: 'https://changedhost-changedenv.apigee.net/jwt/signing'

This works in all environments and has been working in all edgemicro versions. But for one of the new installations, we are getting the following error -

current nodejs version is v6.5.0
warning: jwt_public_key download from https://changedhost-changedenv.apigee.net/jwt/signing returned { Error: self signed certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT' }
warning: error downloading config, please check bootstrap configuration { Error: self signed certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT' }
failed to retieve config from gateway. continuing, will try cached copy.. { Error: self signed certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT' }

Can someone advise what the reason for this issue could be?

Thanks,

Jaskaran



Any suggestions?

Hey Jaskaran,

Node typically doesn't like self-signed certs unless you run your own CA and have it properly set up to be used by Node.

The error you're seeing is Node essentially throwing security errors because it's a plain self-signed cert, or whatever CA needs to be in place isn't configured properly.

You can disable these errors by setting

NODE_TLS_REJECT_UNAUTHORIZED="0"

as an environment variable, though this means it will ignore ALL self-signed issues that may pop up.

-Matt

Thanks @Matthew Dobson

I had a look at this. But my understanding is that the JWT signing certificate created by Apigee when an Edgemicro instance is created is also a self-signed certificate.

And there is no specific instruction to have this flag turned off during setup.

Also, the behavior is not consistent across environments. It had been working for us in most environments. I tried replicating by playing with this environment variable but was not able to make it fail.

So, a couple of further questions -

1) Can you suggest a way this can be replicated?

2) Turning this off might not be acceptable in production. Can edgemicro accept a configuration variable to turn this check off?

Thanks,

Jaskaran

Ah. I understand the problem now. We'll need to take a deeper look at this, and try and reproduce on our end then.

Are you on a free org, or a paid org when the certificate errors out?

-Matt

We are on a free org.

But it works from one machine and not from another. As you rightly pointed out, there is some environment-level configuration. But I am struggling to reproduce it.

For our paid orgs, it has so far worked consistently, i.e. we haven't hit this issue yet.

Gotcha. So a few questions.

  • What is the edgemicro version you're using that has this issue? Is it for the version you describe?
  • Can you describe steps on how you generated your certificate, and configured it for use by edgemicro?

-Matt

Follow-up question:

Hey Jaskaran,

Can you validate that you can successfully connect to https://changedhost-changedenv.apigee.net/jwt/signing via SSL with the following openssl commands? (`-connect` takes host:port and `-servername` takes a bare hostname, not a URL.)

openssl s_client -connect changedhost-changedenv.apigee.net:443 -tls1 -servername changedhost-changedenv.apigee.net

openssl s_client -connect changedhost-changedenv.apigee.net:443 -ssl3 -servername changedhost-changedenv.apigee.net

I had that exact same (unhelpful) message behind a corporate proxy for which I had forgotten to set the https_proxy / http_proxy environment variables.


This is now resolved. We had an issue with a firewall, so this error was a bit odd. But after fixing that, we are able to start the Edgemicro server.

Thanks all for your suggestions.

Great news. Let us know if anything pops up again.

-Matt

Can you explain what the issue with the firewall was? I am struggling to fix this issue in one of our environments (in the other ones it is not reproduced).

Thanks in advance.

P.S. I also set the environment variable NODE_TLS_REJECT_UNAUTHORIZED="0", but this didn't work.


Can you please start a new thread? It will be helpful to know the problem details, environment etc.

I just solved it by installing the certificate on the machine.