UNABLE_TO_GET_ISSUER_CERT when using self signed certificate inside docker image #52045

bl4ko · 2024-03-11T15:21:13Z

bl4ko
Mar 11, 2024

When running custom dockerfile

FROM node:20.11.1-alpine3.19

# Add our local certificate to the trusted store
# COPY src-root.crt /usr/local/share/ca-certificates/
COPY src-sub.crt /usr/local/share/ca-certificates/
COPY git-csm.example.com.crt /usr/local/share/ca-certificates/

# Update the trusted store (https://stackoverflow.com/a/67232164)
# RUN cat /usr/local/share/ca-certificates/src-root.crt >> /etc/ssl/certs/ca-certificates.crt  && \
RUN  cat /usr/local/share/ca-certificates/src-sub.crt >> /etc/ssl/certs/ca-certificates.crt && \
  cat /usr/local/share/ca-certificates/git-csm.example.com.crt >> /etc/ssl/certs/ca-certificates.crt && \
  apk --no-cache add curl git

# Setup node variables to respect the trusted store
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/git-csm.example.com.crt
ENV NODE_OPTIONS=--use-openssl-ca

Inside the image curl works normally (cert is correctly added to the local store)

curl https://git-csm.example.com
<html><body>You are being <a href="https://git-csm.example.com/users/sign_in">redirected</a>.</body></html>f5136286dd66:/#

But using the following code:

const axios = require('axios');
axios.get('https://git-csm.example.com')
    .then(response => {
        console.log('Status Code:', response.status);
        console.log('Body:', response.data);
    })
    .catch(error => {
        console.error('Error:', error);
    });

I ran into the error

Error: AxiosError: unable to get issuer certificate
    at AxiosError.from (/node_modules/axios/dist/node/axios.cjs:837:14)
    at RedirectableRequest.handleRequestError (/node_modules/axios/dist/node/axios.cjs:3087:25)
    at RedirectableRequest.emit (node:events:518:28)
    at eventHandlers.<computed> (/node_modules/follow-redirects/index.js:38:24)
    at ClientRequest.emit (node:events:518:28)
    at TLSSocket.socketErrorListener (node:_http_client:495:9)
    at TLSSocket.emit (node:events:518:28)
    at emitErrorNT (node:internal/streams/destroy:169:8)
    at emitErrorCloseNT (node:internal/streams/destroy:128:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
    at Axios.request (/node_modules/axios/dist/node/axios.cjs:3877:41)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  code: 'UNABLE_TO_GET_ISSUER_CERT',
  config: {
    transitional: {
      silentJSONParsing: true,
      forcedJSONParsing: true,
      clarifyTimeoutError: false
    },
    adapter: [ 'xhr', 'http' ],
    transformRequest: [ [Function: transformRequest] ],
    transformResponse: [ [Function: transformResponse] ],
    timeout: 0,
    xsrfCookieName: 'XSRF-TOKEN',
    xsrfHeaderName: 'X-XSRF-TOKEN',
    maxContentLength: -1,
    maxBodyLength: -1,
    env: { FormData: [Function], Blob: [class Blob] },
    validateStatus: [Function: validateStatus],
    headers: Object [AxiosHeaders] {
      Accept: 'application/json, text/plain, */*',
      'Content-Type': undefined,
      'User-Agent': 'axios/1.6.7',
      'Accept-Encoding': 'gzip, compress, deflate, br'
    },
    method: 'get',
    url: 'https://git-csm.example.com',
    data: undefined
  },
  request: <ref *1> Writable {
    _events: {
      close: undefined,
      error: [Function: handleRequestError],
      prefinish: undefined,
      finish: undefined,
      drain: undefined,
      response: [Function: handleResponse],
      socket: [Function: handleRequestSocket]
    },
    _writableState: WritableState {
      highWaterMark: 16384,
      length: 0,
      corked: 0,
      onwrite: [Function: bound onwrite],
      writelen: 0,
      bufferedIndex: 0,
      pendingcb: 0,
      [Symbol(kState)]: 17580812,
      [Symbol(kBufferedValue)]: null
    },
    _maxListeners: undefined,
    _options: {
      maxRedirects: 21,
      maxBodyLength: Infinity,
      protocol: 'https:',
      path: '/',
      method: 'GET',
      headers: [Object: null prototype],
      agents: [Object],
      auth: undefined,
      family: undefined,
      beforeRedirect: [Function: dispatchBeforeRedirect],
      beforeRedirects: [Object],
      hostname: 'git-csm.example.com',
      port: '',
      agent: undefined,
      nativeProtocols: [Object],
      pathname: '/'
    },
    _ended: true,
    _ending: true,
    _redirectCount: 0,
    _redirects: [],
    _requestBodyLength: 0,
    _requestBodyBuffers: [],
    _eventsCount: 3,
    _onNativeResponse: [Function (anonymous)],
    _currentRequest: ClientRequest {
      _events: [Object: null prototype],
      _eventsCount: 7,
      _maxListeners: undefined,
      outputData: [],
      outputSize: 0,
      writable: true,
      destroyed: false,
      _last: true,
      chunkedEncoding: false,
      shouldKeepAlive: true,
      maxRequestsOnConnectionReached: false,
      _defaultKeepAlive: true,
      useChunkedEncodingByDefault: false,
      sendDate: false,
      _removedConnection: false,
      _removedContLen: false,
      _removedTE: false,
      strictContentLength: false,
      _contentLength: 0,
      _hasBody: true,
      _trailer: '',
      finished: true,
      _headerSent: true,
      _closed: false,
      socket: [TLSSocket],
      _header: 'GET / HTTP/1.1\r\n' +
        'Accept: application/json, text/plain, */*\r\n' +
        'User-Agent: axios/1.6.7\r\n' +
        'Accept-Encoding: gzip, compress, deflate, br\r\n' +
        'Host: git-csm.example.com\r\n' +
        'Connection: keep-alive\r\n' +
        '\r\n',
      _keepAliveTimeout: 0,
      _onPendingData: [Function: nop],
      agent: [Agent],
      socketPath: undefined,
      method: 'GET',
      maxHeaderSize: undefined,
      insecureHTTPParser: undefined,
      joinDuplicateHeaders: undefined,
      path: '/',
      _ended: false,
      res: null,
      aborted: false,
      timeoutCb: [Function: emitRequestTimeout],
      upgradeOrConnect: false,
      parser: null,
      maxHeadersCount: null,
      reusedSocket: false,
      host: 'git-csm.example.com',
      protocol: 'https:',
      _redirectable: [Circular *1],
      [Symbol(shapeMode)]: false,
      [Symbol(kCapture)]: false,
      [Symbol(kBytesWritten)]: 0,
      [Symbol(kNeedDrain)]: false,
      [Symbol(corked)]: 0,
      [Symbol(kOutHeaders)]: [Object: null prototype],
      [Symbol(errored)]: null,
      [Symbol(kHighWaterMark)]: 16384,
      [Symbol(kRejectNonStandardBodyWrites)]: false,
      [Symbol(kUniqueHeaders)]: null
    },
    _currentUrl: 'https://git-csm.example.com/',
    [Symbol(shapeMode)]: true,
    [Symbol(kCapture)]: false
  },
  cause: Error: unable to get issuer certificate
      at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
      at TLSSocket.emit (node:events:518:28)
      at TLSSocket._finishInit (node:_tls_wrap:1085:8)
      at ssl.onhandshakedone (node:_tls_wrap:871:12) {
    code: 'UNABLE_TO_GET_ISSUER_CERT'
  }
}

Any ideas what am I doing wrong?

Answered by bl4ko

Sep 12, 2024

Fixed by including full certificate chain instead of only providing sub.crt or root.crt.

View full answer

bl4ko · 2024-09-12T07:09:50Z

bl4ko
Sep 12, 2024
Author

Fixed by including full certificate chain instead of only providing sub.crt or root.crt.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Node.js

UNABLE_TO_GET_ISSUER_CERT when using self signed certificate inside docker image #52045

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Node.js

UNABLE_TO_GET_ISSUER_CERT when using self signed certificate inside docker image #52045

bl4ko Mar 11, 2024

Replies: 1 comment

bl4ko Sep 12, 2024 Author

bl4ko
Mar 11, 2024

bl4ko
Sep 12, 2024
Author