Got: RequestError: unable to verify the first certificate

Created on 9 Aug 2020 · 13Comments · Source: sindresorhus/got

Describe the bug

Node.js version: 14.4.0
OS & version: windows 10

Actual behavior

(node:17936) UnhandledPromiseRejectionWarning: RequestError: unable to verify the first certificate
at ClientRequest. (C:\Users\karlo\Desktop\gotissue\node_modules\got\dist\source\coreindex.js:891:25)
at Object.onceWrapper (events.js:422:26)
at ClientRequest.emit (events.js:327:22)
at ClientRequest.origin.emit (C:\Users\karlo\Desktop\gotissue\node_modules\@szmarczak\http-timer\dist\sourceindex.js:39:20)
at TLSSocket.socketErrorListener (_http_client.js:467:9)
at TLSSocket.emit (events.js:315:20)
at emitErrorNT (internal/streams/destroy.js:100:8)
at emitErrorCloseNT (internal/streams/destroy.js:68:3)
at processTicksAndRejections (internal/process/task_queues.js:84:21)
at TLSSocket.onConnectSecure (_tls_wrap.js:1496:34)
at TLSSocket.emit (events.js:315:20)
at TLSSocket._finishInit (_tls_wrap.js:931:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:705:12)

Expected behavior

Should work

Code to reproduce

const tunnel = require('tunnel');
const got = require('got').default;

(async () => {
  const { body } = await got('https://google.com', {
    https: {
      rejectUnauthorized: false,
    },
    headers: {
      'user-agent':
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36',
    },
    agent: {
      https: tunnel.httpsOverHttp({
        proxy: {
          host: 'localhost',
          port: 8888,
        },
      }),
    },
  });
  console.log(body);
})();

Checklist

[ ✓] I have read the documentation.
[ ✓] I have tried my code with the latest version of Node.js and Got.

Source

zedd3v

Most helpful comment

@szmarczak what can we do for self signed certificate then? All of my app uses system ca but got doesn't seem to honor it?

shirshak55 on 17 Nov 2020

👍2

All 13 comments

not a got issue

szmarczak on 9 Aug 2020

basically your proxy server is self signed

szmarczak on 9 Aug 2020

@szmarczak what can we do for self signed certificate then? All of my app uses system ca but got doesn't seem to honor it?

shirshak55 on 17 Nov 2020

👍2

got doesn't seem to honor it

Node.js has no such idea like "system certificates". ~You need to pass your own certificate via the https option.~

szmarczak on 17 Nov 2020

actually that won't work, because the issue is with the proxy and not the request

szmarczak on 17 Nov 2020

Please open an issue in the tunnel package repo instead.

szmarczak on 17 Nov 2020

@szmarczak its actually node issue i guess. Because when i do process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = "0" self signed certs work :( The issue is not with proxy i guess.

shirshak55 on 17 Nov 2020

Try

      https: tunnel.httpsOverHttp({
        proxy: {
          host: 'localhost',
          port: 8888,
        },
        rejectUnauthorized: false
      }),

szmarczak on 17 Nov 2020

By using NODE_TLS_REJECT_UNAUTHORIZED you tell Node.js to ignore the validity of the cerificates, meaning that every ceriticate is going to work, even the ones created by another CA.

Giotino on 17 Nov 2020

👍1

@szmarczak Sadly it doesn't have that option because of following definition. There is no such rejectUnauthorized here.

export function httpsOverHttp(options?: HttpsOverHttpOptions): Agent;
export interface HttpsOverHttpOptions extends HttpOptions {
    ca?: Buffer[];
    key?: Buffer;
    cert?: Buffer;
}
export interface HttpOptions {
    maxSockets?: number;
    proxy?: ProxyOptions;
}
export interface HttpOptions {
    maxSockets?: number;
    proxy?: ProxyOptions;
}
export interface HttpsProxyOptions extends ProxyOptions {
    ca?: Buffer[];
    servername?: string;
    key?: Buffer;
    cert?: Buffer;
}

@Giotino
sure but I only need when I am debugging in my code using self signed mitm proxy and there is no solution right?

shirshak55 on 17 Nov 2020