What causes "UNABLE_TO_VERIFY_LEAF_SIGNATURE"? #490

crystalfp · 2022-12-27T07:48:37Z

crystalfp
Dec 27, 2022

First time using mkcert for my local server:

./mkcert-v1.4.4-windows-amd64.exe \
-cert-file "./localhost-cert.pem" \
-key-file "./localhost-privkey.pem" \
localhost 127.0.0.1 ::1

Accessing the server from my frontend, that uses fetch(), works perfectly. Instead, accessing the server from Pactum (API tester) generates the "UNABLE_TO_VERIFY_LEAF_SIGNATURE" error.
Also changing the access routine Pactum uses with the following:

const https = require('https');
const pem = 'path-pem-file';
const key = 'path-key-file';

const agent = new https.Agent({
            cert: fs.readFileSync(pem),
            key: fs.readFileSync(key), 
	    passphrase: ""
 });

changes nothing. This led me to suspect I'm missing something during mkcert invocation.
Could you enlighten me?
In the meantime I will investigate how Pactum access the server.
Thanks!
mario

crystalfp · 2022-12-27T07:55:05Z

crystalfp
Dec 27, 2022
Author

Also adding -client to mkcert changes nothing.

4 replies

timostamm Feb 25, 2023

Mario, the relevant info is in the README:

Node does not use the system root store, so it won't accept mkcert certificates automatically. Instead, you will have to set the NODE_EXTRA_CA_CERTS environment variable.
export NODE_EXTRA_CA_CERTS="$(mkcert -CAROOT)/rootCA.pem"

crystalfp Mar 1, 2023
Author

Thanks @timostamm . But unfortunately nothing changes, even if I do process.env.NODE_EXTRA_CA_CERTS = '["C:/Users/xxx/AppData/Local/mkcert/RootCA.pem"]'; using the directory from mkcert -CAROOT.

Summarizing: https node server ← browser works. Instead https node server ← jest test using pactum fails with UNABLE_TO_VERIFY_LEAF_SIGNATURE. Anyway, seems I need to learn more about HTTP/2. In the meantime my tests will continue to run on http.
Thanks anyway!
mario

timostamm Mar 1, 2023

From the Node.js docs:

The NODE_EXTRA_CA_CERTS environment variable is only read when the Node.js process is first launched. Changing the value at runtime using process.env.NODE_EXTRA_CA_CERTS has no effect on the current process.

You have to set this environment variable before starting node. You can't do it in the process. 🙃

Here's a full example: https://github.com/bufbuild/connect-es/tree/main/packages/example#run-the-example

crystalfp Mar 1, 2023
Author

Yes, I defined also the Env variable. And thanks for the example, I will study it.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

What causes "UNABLE_TO_VERIFY_LEAF_SIGNATURE"? #490

{{title}}

Replies: 1 comment 4 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

What causes "UNABLE_TO_VERIFY_LEAF_SIGNATURE"? #490

crystalfp Dec 27, 2022

Replies: 1 comment · 4 replies

crystalfp Dec 27, 2022 Author

timostamm Feb 25, 2023

crystalfp Mar 1, 2023 Author

timostamm Mar 1, 2023

crystalfp Mar 1, 2023 Author

crystalfp
Dec 27, 2022

Replies: 1 comment 4 replies

crystalfp
Dec 27, 2022
Author

crystalfp Mar 1, 2023
Author

crystalfp Mar 1, 2023
Author