aerokube / moon

Browser automation solution for Kubernetes and Openshift supporting Selenium, Playwright, Puppeteer and Cypress

Home Page: http://aerokube.com/moon/latest

browserType.connect: unable to verify the first certificate

MohamedBenighil opened this issue · comments

Hello,

Part 1: Moon

I deployed the moon2 Helm chart on my Kubernetes cluster with HTTPS access, where I used the Nginx Ingress Controller. The GUI of moon2 is accessible.

I managed the TLS certificates at the Nginx Ingress Controller level, i.e. I used --default-ssl-certificate=default/cert-secret

The Helm values.yml I used looks like this (just the part I am interested in):

customIngress:
  enabled: true
  ingressClassName: nginx
  host: efr-moon-p.aks-qa-fr.mydomain.net

Part 2: Test

I used the following program to make a simple test:

'use strict';

function wait(ms) {
    var start = new Date().getTime();
    var end = start;
    while (end < start + ms) {
        end = new Date().getTime();
    }
}


const { firefox } = require('playwright');


const host = 'efr-moon-p.aks-qa-fr.mydomain.net';




(async () => {

    const browser = await firefox.connect({ timeout: 0, wsEndpoint: `wss://${host}/playwright/firefox/playwright-1.19.2?headless=false&enableVideo=true&videoName=mytestvideo.mp4` });
    const page = await browser.newPage();
    await page.goto('https://aerokube.com/moon/');

    //wait(30000);

    await page.screenshot({ path: `screenshot.png` });
    await browser.close();
})();

But I got the following error:

> moon-cloud-playwright-example@1.0.0 test
> node index.js

node:internal/process/promises:288
            triggerUncaughtException(err, true /* fromPromise */);
            ^

browserType.connect: unable to verify the first certificate
    at C:\Users\mbenighil\OneDrive - MYDOMAIN\Bureau\git\moon-cloud-playwright-example\index.js:20:35
    at Object.<anonymous> (C:\Users\mbenighil\OneDrive - MYDOMAIN\Bureau\git\moon-cloud-playwright-example\index.js:28:3) {
  name: 'Error'
}

Node.js v18.16.0

Any help, please?

@MohamedBenighil you need to make sure that the CA certificate used to issue the Moon TLS certificate is trusted in the Node.js settings. https://stackoverflow.com/questions/29283040/how-to-add-custom-certificate-authority-ca-to-nodejs

@vania-pooh please notice I have just tls.crt & tls.key in my secret file (--default-ssl-certificate=default/cert-secret), and I DON'T have a CA certificate.

apiVersion: v1
data:
  tls.crt: QmF......K               <== HERE
  tls.key: LS0tLS.....S0tLS0tCg==   <== AND HERE (tls.crt & tls.key are all i have )
kind: Secret
metadata:
  creationTimestamp: "2023-05-15T13:33:13Z"
  name: cert-secret
  namespace: default
  resourceVersion: "25502736"
  uid: 10295bd4-a764-4407-a204-d8caae8129df
type: kubernetes.io/tls

@MohamedBenighil usually the certification authority is provided by the organization or person who actually generated these two files. E.g. this could be the CA certificates of Let's Encrypt or another TLS certification provider.

@vania-pooh I used NODE_EXTRA_CA_CERTS=ca/ca-pfx.pem npm test and the error changed.

Now I got:

> moon-cloud-playwright-example@1.0.0 test
> node index.js

node:internal/process/promises:288
            triggerUncaughtException(err, true /* fromPromise */);
            ^

browserType.connect: unable to get issuer certificate
    at C:\Users\mbenighil\OneDrive - MYDOMAIN\Bureau\git\moon-cloud-playwright-example\index.js:22:35
    at Object.<anonymous> (C:\Users\mbenighil\OneDrive - MYDOMAIN\Bureau\git\moon-cloud-playwright-example\index.js:28:3) {
  name: 'Error'
}

Node.js v18.16.0

Any help, please?
PS: Moon is running on AKS

@MohamedBenighil this is still related to the TLS CA config of NPM. Probably you are providing an intermediary CA and not the root CA.

@vania-pooh how can I get the root CA?

I created tls.key and tls.crt using the following commands:

# private key
openssl pkcs12 -in aks-qa-fr.COMPANY.net_2022.pfx -nocerts -out key-file.key

# decrypt
openssl rsa -in key-file.key -out tls.key

# get crt
openssl pkcs12 -in aks-qa-fr.COMPANY.net_2022.pfx -clcerts -nokeys -out tls.crt

# create kubernetes secret
kubectl create secret tls cert-secret --cert tls.crt --key tls.key # <== The secret is used by the Nginx Ingress Controller, as I said before

Notice my input is: aks-qa-fr.COMPANY.net_2022.pfx
I would like to know what I am missing, please.
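
A way to check the point raised in the reply above (a CA file that holds an intermediate but no root), added here as an example and not part of the thread: it splits a PFX into the leaf certificate and the CA certificates it carries, then tests whether the leaf chains to a self-signed root using only that bundle. The function names, file names and output directory are assumptions; the `openssl pkcs12` and `openssl verify` options are standard.

```shell
#!/bin/sh
# Added example, not code from the thread. File names, the output layout and
# the password handling are assumptions.

# pfx_split PFX PASSWORD OUTDIR
# Writes OUTDIR/leaf.crt (server certificate) and OUTDIR/ca.pem (every CA
# certificate stored in the PFX). The private key is not exported.
pfx_split() {
    mkdir -p "$3" || return 1
    # -clcerts: leaf only, the same selection the thread used for tls.crt
    PFX_PASS=$2 openssl pkcs12 -in "$1" -passin env:PFX_PASS \
        -clcerts -nokeys -out "$3/leaf.crt" 2>/dev/null || return 1
    # -cacerts: the intermediate and root certificates, if the PFX has them
    PFX_PASS=$2 openssl pkcs12 -in "$1" -passin env:PFX_PASS \
        -cacerts -nokeys -out "$3/ca.pem" 2>/dev/null || return 1
}

# count_certs PEMFILE: number of certificates in a PEM bundle
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# chain_status LEAF CA_BUNDLE
# Prints "complete" when LEAF verifies up to a self-signed root found in
# CA_BUNDLE (the system trust directory is ignored), otherwise prints
# "incomplete" and sends OpenSSL's reason to stderr.
chain_status() {
    if msg=$(openssl verify -no-CApath -CAfile "$2" "$1" 2>&1); then
        echo complete
    else
        echo "$msg" >&2
        echo incomplete
    fi
}

# Typical use (placeholder names):
#   pfx_split my.pfx "$PASSWORD" out
#   count_certs out/ca.pem
#   chain_status out/leaf.crt out/ca.pem
#   NODE_EXTRA_CA_CERTS=out/ca.pem npm test
```

If `chain_status` reports `incomplete` for the bundle taken from the PFX, the missing root has to come from whoever issued the certificate, as the earlier reply says.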