Node throwing "unable to verify the first certificate" error when fetching from api


The way I ended up fixing this was by chaining my personal certificate with the intermediate certificate of the certificate authority. (I was doing it in the wrong order before.)

For example, I have my site's certificate, and the intermediate certificate.

So I join them together into a chained certificate by putting the site one over the intermediate, like so, and now no UNABLE_TO_VERIFY_LEAF_SIGNATURE errors.
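The ordering rule from the answer above (site certificate first, then the intermediate), as an added example that is not part of the original post: a Node.js check that reports a mis-ordered bundle and rebuilds leaf-first order by matching issuer and subject names. The function names and the sample records are constructed for illustration, and the check compares names only; it does not verify signatures.

```javascript
// Added example (not from the original post): check and repair PEM bundle order.
const crypto = require('node:crypto');
const fs = require('node:fs');

// Split a PEM bundle into its individual certificate blocks, in file order.
function splitPemBundle(text) {
  return text.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
}

// Name-chaining check: each certificate must be issued by the one after it.
// Accepts crypto.X509Certificate objects or any {subject, issuer} record.
// Names only; signatures are not verified here.
function findOrderProblems(certs) {
  const problems = [];
  for (let i = 0; i + 1 < certs.length; i++) {
    if (certs[i].issuer !== certs[i + 1].subject) {
      problems.push(`cert ${i} is issued by "${certs[i].issuer}" but cert ${i + 1} is "${certs[i + 1].subject}"`);
    }
  }
  return problems;
}

// Rebuild leaf-first order: the leaf is the certificate that issued no other
// certificate in the bundle; from there, follow issuer names upward.
function orderLeafFirst(certs) {
  const isIssuer = (c) => certs.some((o) => o !== c && o.issuer === c.subject);
  let current = certs.find((c) => !isIssuer(c));
  const ordered = [];
  while (current && !ordered.includes(current)) {
    ordered.push(current);
    const child = current;
    current = certs.find((c) => c !== child && c.subject === child.issuer);
  }
  return ordered;
}

// Parse a bundle file such as the one given to nginx's ssl_certificate.
function loadBundle(path) {
  return splitPemBundle(fs.readFileSync(path, 'utf8')).map((pem) => new crypto.X509Certificate(pem));
}

// Constructed sample records (not real certificates): intermediate placed first.
const wrongOrder = [
  { subject: 'CN=Example Intermediate', issuer: 'CN=Example Root' },
  { subject: 'CN=api.example.test', issuer: 'CN=Example Intermediate' },
];
console.log(findOrderProblems(wrongOrder));
console.log(orderLeafFirst(wrongOrder).map((c) => c.subject));
```

To check a real file, pass the result of `loadBundle` to the same functions; `crypto.X509Certificate` requires Node.js 15.6 or later.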



Author: Donovan_DMC

BY DAY: A Regular Person Doing Regular Human Things. BY NIGHT: Still Just A Regular Person... I Code multiple websites, including my own info site, and A Discord bot in my free time. I do Javascript the majority of the time, I'm mixing in typescript with that now (and I love it). I'm learning Java bit by bit.

Updated on September 18, 2022

Comments

  • Donovan_DMC over 1 year

    I've been running an API for myself through an nginx proxy. I haven't had any issues with it until today, when I reissued its certificate. The certificate is from Let's Encrypt, and I've made the file I give nginx a bundle of the client, intermediate, and root certificates.

    I can access the api just fine with no warnings in the browser, but in node, I'm getting UNABLE_TO_VERIFY_LEAF_SIGNATURE, and in python, Cannot connect to host api.furry.bot:443 ssl:None [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)]

    Nginx config for ssl:

    ##
    # SSL Settings
    ##
    
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_certificate     /etc/ssl/main.chained.crt;
    ssl_certificate_key /etc/ssl/main.key;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    

    The key matches with the first certificate in the chain, and the file is structured
    server certificate
    intermediate certificate
    root certificate

    I can't get it to work properly. I don't want to just disable SSL verification in my node app, and I can't edit the python implementation properly. I have a feeling it isn't getting the intermediate and root certificates properly, but I have no clue.

    The servers nginx is proxying to are node express servers, and one flask server (which isn't relevant to this).

    The config for the site in question is (all the other configs are basically the same, minus default_server of course):

    server {
        listen 443 default_server ssl;
        listen [::]:443 default_server ipv6only=on ssl;
        server_name furry.bot *.furry.bot;
    
        location / {
            proxy_pass http://127.0.0.1:3000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
         }
    }
    

    The SSL is fully on the nginx side; everything behind the scenes is HTTP.

    This error is only appearing on the Ubuntu server where they are usually running, it's going through just fine with no errors on my local Windows Laptop.

    (Do NOT do this.)
    I've temporarily put

    process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
    

    though I know this is a bad idea, I don't have any other options at this moment.