Node-solid-server: certificate problem on dev.inrupt.net

Created on 15 Mar 2019  路  9Comments  路  Source: solid/node-solid-server

Now try to do the same with an account on https://dev.inrupt.net. You will see the PUT results in a 500 error. I have no idea why :)

blocker bug cannot-reproduce regression

Most helpful comment

Changed the "sslCert" entry in /etc/solid/config.json from cert.pem to fullchain.pem and restarted NSS. That fixed it!

All 9 comments

I'm afraid this works for me too:

  solid:put /profile/card +15m
  solid:put succeded putting the file +1ms
  solid:get /profile/card on kjetiltest4.robin.kjernsmo.net +50s
  solid:put /profile/_1552695850000_.jpeg +28s
  solid:put succeded putting the file +11ms
  solid:get /profile/_1552695850000_.jpeg on kjetiltest4.robin.kjernsmo.net +531ms
InMemory { uris: {}, subscribers: {} }

Let's look at this tomorrow or Monday

The error logged is 'request to https://dev.inrupt.net/.well-known/openid-configuration failed, reason: unable to verify the first certificate'

Reproduced the error in the sense that https://dev.inrupt.net/.well-known/openid-configuration opens fine in the browser but curl https://dev.inrupt.net/.well-known/openid-configuration fails with a similar 'server certificate validation failed' warning, even from my laptop.

It even fails when using https://curl.haxx.se/docs/caextract.html which is odd. But in any case this is a server configuration problem related to either the LetsEncrypt cert on the site, or the cacert bundle of the box, and unrelated to NSS.

This gives some more information:
```sh
openssl s_client -connect dev.inrupt.net:443
CONNECTED(00000003)
depth=0 CN = dev.inrupt.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = dev.inrupt.net
verify error:num=21:unable to verify the first certificate

verify return:1

Certificate chain
0 s:/CN=dev.inrupt.net

i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Server certificate
-----BEGIN CERTIFICATE-----
MIIFZjCCBE6gAwIBAgISBGAf6o4DyoKqgXyV0mXk7nhbMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAxMTcxMzA3NDRaFw0x
OTA0MTcxMzA3NDRaMBkxFzAVBgNVBAMTDmRldi5pbnJ1cHQubmV0MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoZM7pbOqzgCAPKMg9ZVLlffIh1FbwNfq
5F1By595cGan3Yju8mMmhhEPBSMvVCiwEL+Icit/W3a/rpeyJw+ajmwheKhwmw9n
mnStwmoZsEGn+BKy5nK0H6h0C0srfeB+NEY9a+hrZ6hAm9D82pX5JxriYnJslbSI
ZecRhyp/rORTi3RMrBf3+dOh3Ftj+xnlFbf0thyFjjdkK8BSeZKiJF8T//B/pksI
baJU85Oi6DBZ9jFPS7okhA6E/0apiclra2u9nt/K7phLT9qBYX8tHO0f3fueSQJ1
Zno4XY/LH7QkdtdlAGXpHvEG9O2JOz6r/NGOqDwhXkN3xStkMWv0UQIDAQABo4IC
dTCCAnEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQN7JHUT10Zr6yZ0ImaEHegmcbO
azAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRj
MGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5v
cmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5v
cmcvMCsGA1UdEQQkMCKCECouZGV2LmlucnVwdC5uZXSCDmRldi5pbnJ1cHQubmV0
MEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUH
AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB
9QSB8gDwAHYA4mlLribo6UAJ6IYbtjuD1D7n/nSI+6SPKJMBnd3x2/4AAAFoXCOd
MgAABAMARzBFAiApXh2zBj+0JNLn/vtXqM7dJsAhsMf3GbLxbmdaJTuNxAIhAPPZ
sRcCUw7/WKiqWdPLCrFH371qzhL/k4T1zJox8cp5AHYAKTxRllTIOWW6qlD8WAfU
t2+/WHopctykwwz05UVH9HgAAAFoXCOfIgAABAMARzBFAiEAxtNI2YLeGAWwVUqK
tb/BEpVlkAjvnlVSXms5OzNN+zQCICTD7IfKtbbSArewF8ejeCi/Qy9aBjKG4MSb
qPdkVBcIMA0GCSqGSIb3DQEBCwUAA4IBAQByiWLQDkVXeKaO+HhtSxxJ4tAL8Oqe
FGwwnilSIfjxnIre47eAugx1+QDDOgTAV+zOXRWTaJOQdG5hk1oscjugAKz2QjqT
mdF4pe0JS3ArrvSnWQy/LV9to/Eqnkfn3BzFfaqY3hWPPRI2ULI4/WAd9U8WW0Im
44VBhEgrpY0GPAoEwWgPBIrtY5wmHtpLti/bJ1BihAOihKeY/wpPx7MxI9vRrmQU
jimZ6+AcSrtb+QuoDHWP/Cm+pGGoVEE1JBXTjsBehjAeeNhAyKKuGOZuxJ5Ueesd
t1sPYV8Erly2OCzqyj4/2WtUj3Wfsez/8EjYxfLo2637RLxVqDOcXtE8
-----END CERTIFICATE-----
subject=/CN=dev.inrupt.net

issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

No client certificate CA names sent
Peer signing digest: SHA512

Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 2072 bytes and written 431 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 7D85A089627B4BE8F85C5232ECD49718496DDFE19B4CBC45FDE53F12480C4532
Session-ID-ctx:
Master-Key: E222A8EF2FC2CE8514D7E6EC846B45BBE0527BFCA48C3295F255EC9F63252877A8F6286B38DE5A43AC99700606A01545
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 79 8e 58 08 c0 6d a0 0c-a7 cd b4 49 32 2f 1c d2 y.X..m.....I2/..
0010 - 38 30 f3 b7 27 d7 bc 80-f8 76 67 00 c0 a3 5d e2 80..'....vg...].
0020 - bd 7a 5d fa 10 b5 03 33-2a 56 49 78 be 46 46 db .z]....3*VIx.FF.
0030 - 99 8c c5 28 94 b9 89 c3-9e b2 06 b7 1e 65 15 9f ...(.........e..
0040 - 45 0d 1e 6d 68 7b 91 7f-78 ce 2b a5 eb 9d b7 f7 E..mh{..x.+.....
0050 - 69 d6 5a 26 01 ac f2 d6-47 c9 d0 86 6f 00 03 87 i.Z&....G...o...
0060 - 0a 79 84 86 bc a7 d7 c1-92 90 16 9c dc 8d 6d c5 .y............m.
0070 - 46 39 94 0e ba cb 72 fb-b9 52 15 38 53 57 b7 00 F9....r..R.8SW..
0080 - db dc 95 a4 e9 89 64 35-0c fa 58 79 7b e2 e4 8f ......d5..Xy{...
0090 - 7f 33 6a ad d9 12 51 08-ae 87 31 bf 60 b5 48 30 .3j...Q...1.`.H0
00a0 - c2 ed a9 4d fc 6f 75 69-97 15 ea 82 03 16 44 a8 ...M.oui......D.
00b0 - 0f 78 da 13 d4 14 b0 88-c6 4c 6c 14 53 6b 75 dd .x.......Ll.Sku.

Start Time: 1552895425
Timeout   : 300 (sec)

Verify return code: 21 (unable to verify the first certificate)

Note that the problem only occurs on dev.inrupt.net, not on inrupt.net:
```sh
openssl s_client -connect inrupt.net:443

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
[...]
00b0 - 22 f9 b2 ee 06 81 c2 4f-20 c1 54 8d 69 d1 49 cd "......O .T.i.I.

Start Time: 1552895480
Timeout   : 300 (sec)

Verify return code: 0 (ok)

Notice the difference between depth=0 CN = dev.inrupt.net and depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root on the second line there. Looks like the cert on dev.inrupt.net doesn't include the intermediate, should be fixable by using fullchain.pem.

Changed the "sslCert" entry in /etc/solid/config.json from cert.pem to fullchain.pem and restarted NSS. That fixed it!

And sometimes you need to add NODE_EXTRA_CA_CERTS=\"$(mkcert -CAROOT)/rootCA.pem\" before script using fetch.

Jie-Ping2020-01-02-Shang-Wu12 22 26

Was this page helpful?
0 / 5 - 0 ratings