OptimalBits / redbird

A modern reverse proxy for node
BSD 2-Clause "Simplified" License

DEPTH_ZERO_SELF_SIGNED_CERT Error #87

Open mvictoras opened 7 years ago

mvictoras commented 7 years ago

I have a docker image that uses a self-signed certificate (https). mycert certificates below are real and not self-signed. Only the certificate inside the docker image is self-signed.

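var proxy = require('redbird')({
    port: 80,
    ssl: {
        port: 443,
        // Certificate the proxy presents to browsers (real, not self-signed)
        key: "./certs/mycert.key",
        cert: "./certs/mycert.crt"
    }
});

// The upstream inside the docker image serves HTTPS with a self-signed certificate
proxy.register("localhost", "https://localhost:3000", {ssl: true});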

When I access https://localhost on my browser I get DEPTH_ZERO_SELF_SIGNED_CERT.

I tried process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; but that didn't work either.

Any ideas?

manast commented 7 years ago

I have no idea. Have you tried newer/older versions of node?

KpjComp commented 7 years ago

Hi,

I was having the same issue, I'm reverse proxying to an internal server that uses a self signed certificate.

The way I get around this is in proxy.js, function setupHttpsProxy:

change -> proxy.web(req, res, { target: target}) to -> proxy.web(req, res, { target: target, secure:false });

Because the proxy server itself has a valid cert, and I'm proxying to a server I trust, I believe this should be fine. But instead of me having to hard code this in, maybe an option in the register might be nicer.

b3nz0 commented 7 years ago

@KpjComp I'm having the same issue; the upstream server has a self-signed cert and I'm presented with the same error "DEPTH_ZERO_SELF_SIGNED_CERT".

I tried the modification you made but this didn't improve my situation; do you have another suggestion as a workaround?

Would be great to have the ability to set this "secure: false" option on a per-proxy basis.

b3nz0 commented 7 years ago

Ignore me; I'd modified the wrong part of proxy.js!!

Workaround works a charm. Thanks.

KpjComp commented 7 years ago

@manast , any chance of having this put in as an option to the register function?

@b3nz0 glad that worked for you too. :)

geigev commented 7 years ago

@KpjComp doesn't using secure:false allow for man-in-the-middle attacks and defeat the purpose of having a cert that is not self-signed? Is there any way to solve this while keeping it secure?

Edit: Sorry, just realized he is actually using a self-signed cert -- please ignore this. I was having a similar issue with a certificate that is not self-signed.

KpjComp commented 6 years ago

@geigev

Firstly, I did say as an option anyway.

But the secure = false is between your server & your server. If the server you're reverse proxying to belongs to you, how do you envisage man-in-the-middle attacks, as the outbound / exposed host is still using secure?

geigev commented 6 years ago

@KpjComp

> But the secure = false is between your server & your server. If the server you're reverse proxying to belongs to you, how do you envisage man-in-the-middle attacks, as the outbound / exposed host is still using secure?

If you are using a cloud provider that doesn't have a private VLAN, or are on a public network -- it would be a problem in those scenarios right?
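
The thread leaves open whether the upstream hop can be fixed without `secure: false`. The following is an added example, not redbird's code and not from any commenter: it uses only Node core TLS options to trust the upstream's own self-signed certificate and pin its fingerprint while verification stays on. The function names, the PEM argument and the sample certificate object are assumptions constructed for illustration; wiring these options into redbird is not covered by the thread.

```javascript
// Added example: verify a self-signed upstream instead of disabling checks.
const crypto = require('crypto');
const tls = require('tls');

// SHA-256 fingerprint of a DER-encoded certificate, lowercase hex.
function fingerprint(der) {
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Returns a checkServerIdentity callback that keeps Node's hostname check
// and additionally requires the leaf certificate to match the pinned hash.
function pinnedIdentityCheck(pinHex) {
  const pin = Buffer.from(pinHex, 'hex');
  return (host, cert) => {
    const nameErr = tls.checkServerIdentity(host, cert);
    if (nameErr) return nameErr;                 // wrong hostname in cert
    const got = crypto.createHash('sha256').update(cert.raw).digest();
    if (!got.equals(pin)) {
      return new Error(`certificate for ${host} does not match pinned hash`);
    }
    return undefined;                            // undefined means "accepted"
  };
}

// Options for https.request()/tls.connect() to the upstream.
// caPem: the upstream's self-signed certificate in PEM form (assumed to be
// copied out of the container over a trusted channel).
function upstreamOptions(url, caPem, pinHex) {
  const u = new URL(url);
  return {
    hostname: u.hostname,
    port: u.port || '443',
    ca: [caPem],               // replaces the default roots: only this cert is trusted
    rejectUnauthorized: true,  // chain verification stays on (unlike secure:false)
    checkServerIdentity: pinnedIdentityCheck(pinHex),
  };
}

// Usage (hypothetical paths and pin):
//   const opts = upstreamOptions('https://localhost:3000',
//       fs.readFileSync('./certs/upstream.crt'), '<sha256-hex-of-upstream-cert>');
//   https.request(opts, (res) => { /* ... */ }).end();
```

With the certificate supplied through `ca`, Node no longer raises DEPTH_ZERO_SELF_SIGNED_CERT for that upstream, and a different certificate presented on the same path is rejected.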