Defining Certificate Authority on Meteor.js


I'm having a problem with a particular HTTPS GET call when I upgrade to 6.6.3. I'm not sure if this is actually true, but it seems that with the new security enhancements Meteor is actively trying to authenticate the CA from which the request is returned.

The error I get is this: UNABLE_TO_VERIFY_LEAF_SIGNATURE - I get this when I try to log in through an SSO server on.

After contacting the server administrators, they've passed me the ca.pem file that the Meteor server can use to validate the certificate. I've tried every which way to put it into the Node.js configs that the Meteor server runs on, to no avail. So my question is twofold:

  1. What does Meteor do when trying to authenticate a certificate from a server?
  2. How can I give the correct CA to Meteor so that it authenticates properly?

There are 2 best solutions below

1
On

You haven't provided enough information, but I have seen this before. Do you have a Meteor server running 0.6.6.3 that you are trying to access from a Node.js script using something like node-ddp? If so, and this error is emitted as a socket error, then:

If this is the case, you need to set up not only the CA file but the intermediate files. Meteor on its own cannot generally do this; you need a proxy to convert the HTTPS to HTTP, which would sit in front of Meteor.

You have one of 3 files you generally need. The CA, your Key and the Intermediate chain. The UNABLE_TO_VERIFY_LEAF_SIGNATURE usually comes out because you've not specified the chain.

Meteor does not directly take CAs or handle SSL. You have to use your own proxy which would be something else like nginx or a script like this one.

If you are using meteor deploy this should be OK as long as your domain is of the form *.meteor.com. If you're using your own domain, the domain signatures won't match and you would have to use your own hosting if you want to use SSL.

0
On

The answer provided by Akshat is correct. You need to provide the intermediate certificates.

The UNABLE_TO_VERIFY_LEAF_SIGNATURE error is Node telling you that it doesn't have the full chain of trust. If for testing purposes you want to work around this, you can use an environment variable, NODE_TLS_REJECT_UNAUTHORIZED=0, and Node/Meteor will ignore certificate problems.

To clarify things a bit more, for example if you use RapidSSL then you would need to grab the intermediate certs from here. Then you would need to append your cert and the intermediate certs together:

-----BEGIN CERTIFICATE-----
My Cert (issued by RapidSSL)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
RapidSSL Intermediate Cert (RSA SHA-1 SSL Certificates SO26462)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
RapidSSL Intermediate Cert (RSA SHA-2 SSL Certificates SO26457)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
RapidSSL Intermediate Cert (RSA SHA-2 SSL Certificates SO28351)
-----END CERTIFICATE-----

NOTE! You need to stack them just like I show above where the certificates are in order descending like this. If you do it some other way you might get failures with weird errors.
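
The stacking rule in the answer above can be checked mechanically before a bundle is deployed. The following is an added example, not code from either answer: the function names are hypothetical, and it only compares issuer and subject names (it does not verify signatures), so several alternative intermediates below the server certificate, as in the RapidSSL layout above, are accepted.

```javascript
// Added example (not from the answers): sanity-check the stacking order of a PEM bundle.
const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split concatenated PEM text into individual certificate blocks, in file order.
function splitBundle(pemText) {
  return pemText.match(PEM_BLOCK) || [];
}

// Parse real certificates into the two names the order check compares.
// Uses crypto.X509Certificate, available in Node.js 15.6 and later.
function parseBundle(pemText) {
  const { X509Certificate } = require('crypto');
  return splitBundle(pemText).map((pem) => {
    const cert = new X509Certificate(pem);
    return { subject: cert.subject, issuer: cert.issuer };
  });
}

// Return a list of problems; an empty list means the order looks right.
// Names are compared as strings; signatures are NOT verified here.
function checkOrder(certs) {
  if (certs.length === 0) return ['bundle contains no certificates'];
  const problems = [];
  const leaf = certs[0];
  const selfSigned = (c) => c.subject === c.issuer;
  // The first certificate should be the server's own, with its issuer further down.
  if (!selfSigned(leaf) && !certs.slice(1).some((c) => c.subject === leaf.issuer)) {
    problems.push(`issuer of first certificate not in bundle: ${leaf.issuer}`);
  }
  // No certificate may appear below the certificate that issued it.
  certs.forEach((cert, i) => {
    if (selfSigned(cert)) return;
    const j = certs.findIndex((c) => c.subject === cert.issuer);
    if (j !== -1 && j < i) {
      problems.push(`certificate ${i} is listed after its issuer (certificate ${j})`);
    }
  });
  return problems;
}
```

With a real file, `checkOrder(parseBundle(require('fs').readFileSync('bundle.pem', 'utf8')))` should return an empty array; `bundle.pem` is a placeholder name.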