Ben Muircroft

Reputation: 3034

wss letsencrypt UNABLE_TO_GET_ISSUER_CERT

Using Node.js and a letsencrypt.org certificate:

var hardhttps=require('hardhttps');
hardhttps.globalAgent.options.ca=require('ssl-root-cas/latest').inject().addFile('/etc/letsencrypt/lets-encrypt-x3-cross-signed.pem');

var pem={
    key:require('fs').readFileSync('/etc/letsencrypt/live/mysite.com/privkey.pem','utf8')
,   cert:require('fs').readFileSync('/etc/letsencrypt/live/mysite.com/fullchain.pem','utf8')
,   ca:require('fs').readFileSync('/etc/letsencrypt/lets-encrypt-x3-cross-signed.pem','utf8')
,   pass:'xxxx'
    }

var server=(hardhttps.createServer({key:pem.key,cert:pem.cert,ca:[pem.ca],passphrase:pem.pass})).listen(port);

var wss=new WebSocketServer({server:server});

My second server that is trying to connect has exactly the same setup with its own certs and code.

When I try to connect server-to-server it just errors with [Error: unable to get issuer certificate] code: 'UNABLE_TO_GET_ISSUER_CERT'

Googled the hell out of it! Nothing even comes up in letsencrypt.org and the error message shows no clue!

I can test on each file that I can access it:

var test=require('fs').readFileSync('/etc/letsencrypt/lets-encrypt-x3-cross-signed.pem','utf8');

console.dir(test);//I see the pem!!!

It could be this line because, if I remove it then I get the same error:

hardhttps.globalAgent.options.ca=require(__dirname+'/../node_modules/ssl-root-cas/latest').inject().addFile('/etc/letsencrypt/lets-encrypt-x3-cross-signed.pem');

I've linked it to this as no doubt other people may need a solution https://community.letsencrypt.org/t/error-unable-to-get-issuer-certificate-code-unable-to-get-issuer-cert/15342/3

Upvotes: 2

Views: 5486

Answers (1)

Ben Muircroft

Reputation: 3034

(pfg Community Moderator said)

benzmuircroft:

var pem={
    key:require('fs').readFileSync('/etc/letsencrypt/live/mysite.com/privkey.pem','utf8')
,   cert:require('fs').readFileSync('/etc/letsencrypt/live/mysite.com/fullchain.pem','utf8')//was chain.pem
,   ca:require('fs').readFileSync('/etc/letsencrypt/lets-encrypt-x3-cross-signed.pem','utf8')
,   pass:'xxxxxxxxxxx'
    };
// parentheses make `new` apply to the class exported by ws, not to require()
var ws=new (require('ws'))('wss://mysite:8004',{key:pem.key,cert:pem.cert,ca:[pem.ca],passphrase:pem.pass,requestCert:true});

There's no need to set any of that. Server 2 is just a TLS client requesting Server 1, it does not need the server's key or certificate file. You probably just want:

// parentheses make `new` apply to the class exported by ws, not to require()
var ws=new (require('ws'))('wss://mysite1:8004');

Not sure if that's the fix - give it a try.

FIXED!

The server that connects to the listening server does not need to send pem stuff but the listening one does need to have the pem available.

https://community.letsencrypt.org/t/error-unable-to-get-issuer-certificate-code-unable-to-get-issuer-cert/15342/3

Upvotes: 2
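
A preflight check for the two roles described in the answer above, as an added example that is not part of the original post or the forum reply: it flags listening-side options handed to a connecting client and checks that the listening side serves a certificate bundle rather than a lone leaf. The function names are hypothetical, the PEM strings are constructed placeholders, and it assumes the listening server uses a publicly trusted certificate.

```javascript
'use strict';
// Added example, not code from the post. Function names are hypothetical.

// Options that belong to the listening side (or to mutual TLS), not to a plain client.
const SERVER_SIDE = ['key', 'cert', 'passphrase', 'requestCert'];

// Number of certificates in a PEM bundle (fullchain.pem holds leaf + intermediate).
function countCerts(pemText) {
  return (String(pemText || '').match(/-----BEGIN CERTIFICATE-----/g) || []).length;
}

// Connecting side: report options it does not need and return the rest.
function auditClientOptions(opts = {}) {
  const findings = [];
  const cleaned = {};
  for (const [name, value] of Object.entries(opts)) {
    if (SERVER_SIDE.includes(name)) {
      findings.push(name + ': listening-side option; drop it unless the server demands client certificates');
    } else if (name === 'ca') {
      findings.push('ca: replaces the default trusted CAs with this list; drop it for a publicly trusted server');
    } else {
      cleaned[name] = value;
    }
  }
  return { findings, cleaned };
}

// Listening side: it needs the private key and a bundle with the intermediate.
function auditServerOptions(opts = {}) {
  const findings = [];
  if (!opts.key) findings.push('key: missing private key');
  const n = countCerts(opts.cert);
  if (n === 0) findings.push('cert: no certificate found');
  if (n === 1) findings.push('cert: leaf only; serve fullchain.pem so the intermediate is sent');
  return findings;
}

// Constructed placeholders standing in for real PEM files.
const CERT = '-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n';
const KEY = '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n';

// Same shape as the options the second server originally passed to ws.
const serverTwoClient = { key: KEY, cert: CERT + CERT, ca: [CERT], passphrase: 'xxxx', requestCert: true };

console.log(auditClientOptions(serverTwoClient).findings);
console.log(auditServerOptions({ key: KEY, cert: CERT }));
```
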
