Splynx, LetsEncrypt (or any other SSL) and calling the splynx server from Node.js API


#1

You’ll love this.

So we used LetsEncrypt to TLS protect our splynx server. Most excellent.

[In the following example, I’m using the hostname ‘myserver.com’ to indicate my target splynx server]

However, the previous Node.js code to call Splynx (once I upgraded my hostname from http://myserver.com to https://myserver.com) was failing with

UNABLE_TO_VERIFY_LEAF_SIGNATURE

What. The. Flip?

The error from Node.js is basically complaining that it doesn’t understand the certificate, and can’t validate it. We can’t keep downloading the certificate onto the machines running the Node.js application - that doesn’t make sense.

And we should NOT be retrieving customer information using unprotected calls. This is now against the law in a number of countries.

What was happening?

From the same machine, I ran:

openssl s_client -showcerts -connect myserver.com:443 -servername myserver.com

and it came up with:

CONNECTED(00000006)
depth=0 CN = myserver.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = myserver.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = myserver.com
verify error:num=21:unable to verify the first certificate
verify return:100:

Okay. This is making sense. My machine - at a basic level (not in the browser) - is having a real issue with the certificate being returned from my splynx server. It can see the certificate from my server, but doesn’t have the root certificates above it. And I’m too lazy to have to point Node.js scripts at whatever certificate authority my remote server is running.

(The browser sessions work because they get the root certificates themselves)

It looked like I wasn’t bundling the root certificates for letsencrypt.com in my splynx SSL config.

So in the file:

/etc/nginx/sites-enabled/splynx-ssl

I changed the line:

ssl_certificate /etc/letsencrypt/live/myserver.com/cert.pem;

to

ssl_certificate /etc/letsencrypt/live/myserver.com/fullchain.pem;

And voila, after a brutal server restart (I don’t trust anything), my browser is still reporting myserver.com as secure, AND the OpenSSL command above is reporting success. It’s because it’s bundled the root certifiers in the originating SSL request.

When I re-run my Node.js application - it’s all happy.

Took me 45 minutes of frantic googling to get this - I thought I’d record it here so no-one else wasted that time again.

Best of luck,

—* Bill
http://www.Marykirk.com


#2

Yeh, we use fullchain too (on our manual)


#3

Yup. If I’d read that properly (the manual), I’d have saved myself a lot of grief…

But hey. Where’s the fun in that? :wink:

—* Bill