Self signed certificate in certificate chain

I’m attempting to login via the exp command line tool, and it gives me this error:

$ exp login --github
[exp] self signed certificate in certificate chain
[exp] Error: self signed certificate in certificate chain
at TLSSocket. (_tls_wrap.js:1084:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:188:7)
at TLSSocket._finishInit (_tls_wrap.js:606:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:436:38)

This is at my work and we have a corporate proxy in place that does have a self-certified SSL cert in its chain.

Other tools give you a way of getting around this error, although at the expense of loosening up your security settings. E.g. with Git, I can add sslVerify = false option to the .gitconfig file. Is there any similar option for the exp tool?

We don’t have a built in way to get around this. You might be able to set an env variable to get Node to ignore this error: https://stackoverflow.com/questions/10888610/ignore-invalid-self-signed-ssl-certificate-in-node-js-with-https-request

Thanks, Jesse. That worked!

Specifically, adding the following to my .bashrc file (using Git Bash on Windows):

export NODE_TLS_REJECT_UNAUTHORIZED=0

then restarting my Bash shell.

After logging in though, I got the warning message:

Warning: .end() was called twice. This is not supported in superagent

which I had to Ctrl->C out of. When I then tried and exp init command, it gave me that same superagent warning, before failing with:

[exp] Couldn’t connect to the server, check your internet connection.

I’ll search the forums for that one.

Hi, is it possible to add my own certificate? I’d rather not disable TLS.

I saw the comment above from jesse that this is not possible, but that was back in Aug '17, and I’m wondering if anythings since changed

Hi

As far as I know this type of proxy basically works as a MITM pretending to be the remote server. This is so it can decrypt the traffic to all remote servers from the users’ browsers etc. for monitoring purposes.

As far as I know they have their own CA cert (which is necessarily self-signed) in order to generate new certs on the fly for all the servers the users are connecting to.

In order for browsers etc. not to complain, two things are needed.

  1. The proxy needs to generate a cert for each remote server being connected to on the fly (but likely cached for later connections)
  2. The browser/OS needs to install the proxy’s CA cert into its trusted root certificate store.

For browsers that implement certificate pinning, I suppose you might also have to disable that, but the main two requirements would be the ones above.

Given the error message you’re getting, it seems that either the proxy server is sending its CA cert as part of the cert chain or else Node knows about it, but it is not trusted.

So I believe the solution to your problem (if you can’t work somewhere that doesn’t monitor all of your encrypted network traffic :slight_smile:) is to get the CA cert and make sure Node treats it as a trusted root cert.

A quick search on how to do the latter turns up this:

https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file

One way to get the CA cert would be to export it from the browser’s/OS certificate store.

Hope this helps :slight_smile:

1 Like