Dashlane / dashlane-cli

👩‍💻 Dashlane CLI - Access your secrets in your terminal, servers and CI/CD

Home Page:https://cli.dashlane.com/

RequestError: unable to verify the first certificate

LRSFC-DanJ opened this issue

dcli Version: 1.0.0 Windows
OS version: Windows 10 Enterprise 21H2

When trying to log in using dcli-win.exe sync I am receiving an error as follows after entering my email address:

RequestError: unable to verify the first certificate
    at ClientRequest.<anonymous> (C:\snapshot\dashlane-cli\node_modules\got\dist\source\core\index.js:970:111)
    at Object.onceWrapper (node:events:642:26)
    at ClientRequest.emit (node:events:539:35)
    at ClientRequest.<anonymous> (C:\snapshot\dashlane-cli\node_modules\@szmarczak\http-timer\dist\source\index.js:43:20)
    at TLSSocket.socketErrorListener (node:_http_client:454:9)
    at TLSSocket.emit (node:events:527:28)
    at emitErrorNT (node:internal/streams/destroy:157:8)
    at emitErrorCloseNT (node:internal/streams/destroy:122:3)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1532:34)
    at TLSSocket.emit (node:events:527:28)
    at TLSSocket._finishInit (node:_tls_wrap:946:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:727:12) {
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  timings: {
    start: 1673609161941,
    socket: 1673609161942,
    lookup: 1673609161948,
    connect: 1673609161957,
    secureConnect: undefined,
    upload: undefined,
    response: undefined,
    end: undefined,
    error: 1673609161967,
    abort: undefined,
    phases: {
      wait: 1,
      dns: 6,
      tcp: 9,
      tls: undefined,
      request: undefined,
      firstByte: undefined,
      download: undefined,
      total: 26
    }
  }
}

While it is the case that I am running this in a corporate environment with a firewall that does HTTPS inspection, the appropriate CA certificate is installed in the computer's Trusted Root Certificates store, so the server certificate should be able to be verified.

The Dashlane web app and browser extension do not experience any issues.

Hello,

As I understand your problem, your company is using a self-signed certificate for your HTTPS connection.
If that's the case, it can indeed cause such an issue because we're using NodeJS.
In NodeJS the list of certificate authorities is done in a weird way: it's basically hardcoded. Read more here: nodejs/node#4175

It seems so far that there is no programmatic way of adding custom certs, and nodejs is not picking up custom certs from the OS store. But there is an environment variable to add custom certs: https://nodejs.org/docs/latest-v16.x/api/cli.html#node_extra_ca_certsfile

NODE_EXTRA_CA_CERTS=/<...>/.ssl/extra_certs.pem

Unfortunately I'm not working in an environment with such self-signed cert so I'll let you test this solution and let me know if that works.

That said, I found a package (https://www.npmjs.com/package/win-ca) that could be interesting for getting the custom certificates on Windows. I'll have to explore this a bit more and assess if it meets our security requirements before implementing it.

> But there is an environment variable to add custom certs: https://nodejs.org/docs/latest-v16.x/api/cli.html#node_extra_ca_certsfile
>
> NODE_EXTRA_CA_CERTS=/<...>/.ssl/extra_certs.pem
>
> Unfortunately I'm not working in an environment with such self-signed cert so I'll let you test this solution and let me know if that works.

Setting this environment variable up to point to a file containing the firewall's CA certificate allows me to successfully complete a dcli-win.exe sync session.

A hardcoded certificate store seems like it might be problematic as it won't allow for situations such as CA certificates which are revoked or new ones that get added (e.g. Let's Encrypt). If you're able to verify against certificates in the OS certificate store this would be better as these are typically updated on a regular basis, and for enterprise use the OS certificate store will usually also contain any custom CA certificates that may be needed.

Great that it solves the issue. It's clearly not ideal, but it's something at least.

Root certificates don't change that often (see the updates in https://github.com/nodejs/node/blob/main/src/node_root_certs.h) and I believe most providers will think of updating it there unless they want to break a lot of customers' apps.

I'll have a deeper look at how other apps handle this issue and I'll try to come up with a long term solution.