TLS Root CA not recognized when the file contains two CAs #4096

Closed
catamphetamine opened this issue Dec 1, 2015 · 2 comments
Labels
tls Issues and PRs related to the tls subsystem.

Comments

@catamphetamine

Yandex LLC (Yandex.Money) has a CA:

subject=/C=RU/O=PS Yandex.Money/CN=Yandex Money Issuing CA
issuer=/C=RU/O=PS Yandex.Money/CN=Yandex Money Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=RU/O=PS Yandex.Money/CN=Yandex Money Root CA
issuer=/C=RU/O=PS Yandex.Money/CN=Yandex Money Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

With this code it throws Error: SELF_SIGNED_CERT_IN_CHAIN

      const certFile = '/home/ops/yandex-kassa-tests/certs/yandex.cer'; // Certificate file
      const keyFile = '/home/ops/yandex-kassa-tests/certs/mieta.key';
      const caFile = '/home/ops/yandex-kassa-tests/certs/ym.pem';

      const options = {
        // url: url,
        headers: {'Content-Type': 'application/pkcs7-mime'},
        body: PKCSmsg,
        cert: fs.readFileSync(certFile),
        key: fs.readFileSync(keyFile),
        passphrase: 'XXXXXXXXX',
        ca: fs.readFileSync(caFile),
      };

      // process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

      const result = request.postSync(url, options);
      return result.body;

However, when this CA is split into two separate parts and fed into options as an Array then it works:

options.ca = [
`subject=/C=RU/O=PS Yandex.Money/CN=Yandex Money Issuing CA
issuer=/C=RU/O=PS Yandex.Money/CN=Yandex Money Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
`
,
`subject=/C=RU/O=PS Yandex.Money/CN=Yandex Money Root CA
issuer=/C=RU/O=PS Yandex.Money/CN=Yandex Money Root CA
-----BEGIN CERTIFICATE-----
MIID9TCCAt2gAwIBAgIJAJjDBQmynjdSMA0GCSqGSIb3DQEBBQUAMEYxCzAJBgNV
BAYTAlJVMRgwFgYDVQQKEw9QUyBZYW5kZXguTW9uZXkxHTAbBgNVBAMTFFlhbmRl
eCBNb25leSBSb290IENBMB4XDTEzMDExODEzNDIxNloXDTIzMDExNjEzNDIxNlow
RjELMAkGA1UEBhMCUlUxGDAWBgNVBAoTD1BTIFlhbmRleC5Nb25leTEdMBsGA1UE
AxMUWWFuZGV4IE1vbmV5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDDFBsDMxIC5BdNHQ+VxFjF3P6fVzDwF/4W6qCaXSc29PF5msWAqZoU
/irwqaY5Hnzp2/tShQVxac2Gel59r9fN1tiuR1fT1y709vYg2sj/4Bwc/n9HJ3NS
6f5FEEJu62PawhD1XUbbXDAvFeQA5vAHmxKggE2WGRkZZCcoGcaEipvlL2oAE4HV
jW+nSn8RQvkB8hXxMXZKeKNRzHCK52Icelc1Oip0f4jPetbtduXUowAIJdyWwP3y
JKwzjtsSsBic4BWzTA0fifQN3Vxy+YPfF8jw8xkBdgEPTmWbJ83G2Jc98mYEji9b
83YPAn1OgQXn0wYHTyfzO7EhTj7voP5zAgMBAAGjgeUwgeIwHQYDVR0OBBYEFCUM
TTkJAIhus3EnCL6nJyB6oy0QMHYGA1UdIwRvMG2AFCUMTTkJAIhus3EnCL6nJyB6
oy0QoUqkSDBGMQswCQYDVQQGEwJSVTEYMBYGA1UEChMPUFMgWWFuZGV4Lk1vbmV5
MR0wGwYDVQQDExRZYW5kZXggTW9uZXkgUm9vdCBDQYIJAJjDBQmynjdSMAwGA1Ud
EwQFMAMBAf8wLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL2NybHMueWFtb25leS5y
dS95bS5jcmwwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQAJcYTLHZgw
rsm1htBDq2YZxAqIN+dvQU9lY/tuQ/ggCL9JHkSyUbFtk8DsRWgYl9w0Y8f9HKYh
/nF6nYsfhSStIRMdyOMjfLGJp7esIqzyj0Sx88y8tnHSWs/Sls0lJIl4IS7YfHsZ
OZggRg/TGItwOtGcq6q7u19KreueVpfqAHwZygtwqf+Ic419TBpeOc6CuyFcwd2a
C4DhQKui58+sODqucGXkzSOeG97azuTFQ2Hnunv15+Jr/OwHQqKzieUf9+oBq5ZW
iQ3NHYUvgldVGW2fByvlgjG0tw6NrNwJEK0TEevgA8uNXE9FjaoqC/0+vsoQ4DMA
xsN5poPvsYTC
-----END CERTIFICATE-----
`]

Is this some advanced RFC feature Node.js doesn't support?
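The array workaround from the post above, as an added example (not code from the issue or from Node.js): a helper that splits a multi-certificate PEM file into one string per certificate, the form the post reports working for `options.ca`. The name `splitPemBundle` and the sample bundle are hypothetical, and the base64 bodies are constructed placeholders.

```javascript
// Split a PEM bundle into one string per certificate. Text outside the
// BEGIN/END markers (such as the "subject=" and "issuer=" lines in the
// file quoted above) is treated as commentary and dropped.
function splitPemBundle(input) {
  const text = Buffer.isBuffer(input) ? input.toString('latin1') : String(input);
  const BEGIN = '-----BEGIN CERTIFICATE-----';
  const END = '-----END CERTIFICATE-----';
  const certs = [];
  let current = null; // lines of the block being collected, or null

  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === BEGIN) {
      if (current) throw new Error('BEGIN marker inside an open block');
      current = [line];
    } else if (line === END) {
      if (!current) throw new Error('END marker without BEGIN');
      if (current.length === 1) throw new Error('empty certificate block');
      current.push(line);
      certs.push(current.join('\n') + '\n');
      current = null;
    } else if (current && line !== '') {
      if (!/^[A-Za-z0-9+/]+={0,2}$/.test(line)) {
        throw new Error('non-base64 data inside certificate block');
      }
      current.push(line);
    }
  }
  if (current) throw new Error('unterminated certificate block');
  if (certs.length === 0) throw new Error('no certificates found');
  return certs;
}

// Constructed sample: the base64 bodies are placeholders, not real certificates.
const SAMPLE_BUNDLE = [
  'subject=/CN=Example Issuing CA', 'issuer=/CN=Example Root CA',
  '-----BEGIN CERTIFICATE-----', 'QUFBQQ==', '-----END CERTIFICATE-----',
  '',
  'subject=/CN=Example Root CA', 'issuer=/CN=Example Root CA',
  '-----BEGIN CERTIFICATE-----', 'QkJCQg==', '-----END CERTIFICATE-----',
].join('\r\n');

// With a real file: options.ca = splitPemBundle(fs.readFileSync(caFile));
const caList = splitPemBundle(SAMPLE_BUNDLE);
console.log(`${caList.length} certificates found`);
```

Every certificate returned this way becomes a trust anchor for the connection, so the bundle should contain only CAs that are meant to be trusted.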

@bnoordhuis
Member

#4099

@bnoordhuis bnoordhuis added the tls Issues and PRs related to the tls subsystem. label Dec 1, 2015
@catamphetamine
Author

Wow, you're lightning fast.
I guess it will be applied in the upcoming v5.1.1 then and for now we can close the issue.
(I posted this issue on behalf of my friend who doesn't know English)

bnoordhuis added a commit to bnoordhuis/io.js that referenced this issue Dec 8, 2015
Before this commit you had to pass multiple CA certificates as an array
of strings.  For convenience you can now pass them as a single string.

Fixes: nodejs#4096
PR-URL: nodejs#4099
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
bnoordhuis added a commit that referenced this issue Dec 9, 2015
scovetta pushed a commit to scovetta/node that referenced this issue Apr 2, 2016