Error: unable to get local issuer certificate

[troyyer]

Hi, I am using your code to try and log into our environment that uses NTLM login credentials. when I tried it out with the following command cy.ntlm('https://'enva-intapps', '{myusername}', '{mypassword}','{mydomain}'); or cy.ntlmSso(['*.enva-intapps']);

i am getting the following error message cypress:plugin:ntlm-auth PROXY_TO_SERVER_REQUEST_ERROR on /{MYAPPLICATIONURL}/: Error: unable to get local issuer certificate at TLSSocket.onConnectSecure (_tls_wrap.js:1473:34) at TLSSocket.emit (events.js:311:20) at TLSSocket._finishInit (_tls_wrap.js:916:8) at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) { code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' } +224ms

this would be the same issue as this one https://github.com/bjowes/cypress-ntlm-auth/issues/38 however I am quite unsure of how to follow the steps you provided

you mentioned:"this looks like the CA used for the sites certificate (or applied by a SSL inspection device such as Bluecoat) is a corporate CA. Those won't be trusted by Node by default. You should get hold of the CA cert". Me:Where/how should I find the CA Cert? you mentioned: "store it on your computer" Me: does it matter where this is stored? should it be in the location of the Cypress tests or of the node.js package? If I have multiple environments, do i have to save the Cert for all of them prior to me attempting to execute the test thru cypress-ntlm? you mentioned: "set the NODE_EXTRA_CA_CERTS environment variable to the full path to that certificate file." Me: where is this variable supposed to be saved in?

[troyyer]

actually ignore me.... I've gotten this to work for me... the basic restart your machine and cross your fingers and it started to work. Thanks for creating this plug in. It will definitely help speed up my testing.

[troyyer]

sorry I spoke too soon about sorting this out... so I had also changed my cy.visit url to just http and it worked. however with https it doesnt work and give the same issue cypress:plugin:ntlm-auth PROXY_TO_SERVER_REQUEST_ERROR on /{myURLundertest}: Error: unable to get local issuer certificate at TLSSocket.onConnectSecure (_tls_wrap.js:1473:34) at TLSSocket.emit (events.js:311:20) at TLSSocket._finishInit (_tls_wrap.js:916:8) at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) { code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' } +152ms

so how should I go about fixing this up

[bjowes]

Hi @troyyer - I realize I should write a more detailed blog post about using Node behind a corporate proxy - since this question keeps coming back.

To answer your questions:

• Where/how should I find the CA Cert? When you browse any external site (such as google.com), the corporate proxy will inject its own certificate in the traffic. So, you can inspect the certificate used to get the CA cert. In chrome, click the padlock icon next to the address bar, then click on "certificate". A dialog will open. Go to the last tab, and click on the cert at the top of the hierarchy tree shown. Then click "view certificate". This is the CA cert used by your corporate proxy. Next, click the details tab and then "copy to file". Just follow the guide but make sure you select "Base 64 Encoded X.509 (.cer)" format. Then select where to store the CA cert. Note: The cert file only contains the public key for the CA cert. This is not sensitive information.

• does it matter where this is stored? should it be in the location of the Cypress tests or of the node.js package? If I have multiple environments, do i have to save the Cert for all of them prior to me attempting to execute the test thru cypress-ntlm? The CA cert should be the same for all users/environments. So I would suggest storing it somewhere that is accessible to all of them. You could put it in the node.js program folder, but the easiest way is to simply create a new root folder and put it there, like c:\certs\ca.cer

• where is this variable supposed to be saved in? In the user environment variables or system environment variables. It is also possible to set it while executing the tests, but since this variable is useful for all Node-based programs I would recommend setting it as a system environment variable. The easiest way to get there on windows 10 is simply clicking start and start typing "environment" until the option appears. see screenshot. In the dialog that appears, click "environment variables", then add the variable to the lower table which contains system environment variables. One more catch - once this step is complete, make sure you restart any command shells (or the computer) so they pick up the new variable.

And thanks for liking the plugin :)

[troyyer]

Hi @bjowes thanks heaps for taking the time to answer my query with detailed guidance. I will follow the steps provided and should hopefully get things sorted on my end.

[bjowes]

Hi @troyyer - I went through these steps again recently and found that you need to export the certificate in Base 64 format for it to work with Node. I updated my answer above.

[troyyer]

Hi @bjowes Thanks for the update So I finally got some time to further my PoC with Cypres and NTLM. So I have followed your steps and am getting an error

Warning: Ignoring extra certs fromC:\code\certs, load failed: error:02001005:system library:fopen:Input/output error

here are the steps i have performed I went to my site in chrome, clicked the padlock, clicked certificate, on 'certificate path' tab, there are 3 levels present Company cert Root CA-1 -> Company Cert issuing CA-1 -> Url of site I clicked on 'Company cert Root CA-1' and then 'View Certificate' In the new Certificate pop-up window that has opened i have clicked on Details Tab and then 'Copy to File', following the steps and ensuring that Base-64 encoded X.509 was selected and then saved the cert into the certificate folder I created on my machine.

I have the following entry in the system variables section of my machine variable name:NODE_EXTRA_CA_CERTS variable value:C:\code\certs

now when i run npm run cypress-ntlm I get the following error in the cmd window Warning: Ignoring extra certs fromC:\code\certs, load failed: error:02001005:system library:fopen:Input/output error

Is there anything else I am missing/doing wrong here?

[bjowes]

Almost there! The NODE_EXTRA_CA_CERTS variable must point to the cert file, not the folder. The name is a bit misleading, but the idea is that you can put multiple certs into one file if needed.

[troyyer]

Cool so I've progressed after adding the full filename into the system variables. Now i'm getting another error. So I ran the proxy in debug mode and it had the following error cypress:plugin:ntlm-auth Received valid NTLM SSO config +20ms cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:63838 to target https://stage-intapps:443/ +87ms cypress:plugin:ntlm-auth Request to https://stage-intapps:443/ in registered NTLM Hosts (using SSO) +0ms cypress:plugin:ntlm-auth PROXY_TO_SERVER_REQUEST_ERROR on /{MyUrl}/Products: Error: getaddrinfo ENOTFOUND stage-intapps at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:64:26) { errno: 'ENOTFOUND', code: 'ENOTFOUND', syscall: 'getaddrinfo', hostname: 'stage-intapps' } +2s

Any ideas on the issue I m facing now?

[bjowes]

Well, the log tells us the the ntlm-proxy cannot find the IP address of the host stage-intapps, are you sure it is correct? Can you ping it to verify that your computer can find it? ping stage-intapps

[troyyer]

Yup when I ping it from command prompt my machine is able to find it

C:\Users\troyyer>ping stage-intapps

Pinging stage-intapps.{companyDomain} [{IpAddress}] with 32 bytes of data:
Reply from {IpAddress}: bytes=32 time=39ms TTL=249
Reply from {IpAddress}: bytes=32 time=38ms TTL=249
Reply from {IpAddress}: bytes=32 time=32ms TTL=249
Reply from {IpAddress}: bytes=32 time=116ms TTL=249

Ping statistics for {IpAddress}:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 32ms, Maximum = 116ms, Average = 56ms

[bjowes]

Just a hunch, but could you try adding the company domain also when using it from cypress?

fre 3 apr. 2020 kl. 15:45 skrev troyyer notifications@github.com:

Yup when I ping it from command prompt my machine is able to find it

C:\Users\troyyer>ping stage-intapps

Pinging stage-intapps.{companyDomain} [{IpAddress}] with 32 bytes of data: Reply from {IpAddress}: bytes=32 time=39ms TTL=249 Reply from {IpAddress}: bytes=32 time=38ms TTL=249 Reply from {IpAddress}: bytes=32 time=32ms TTL=249 Reply from {IpAddress}: bytes=32 time=116ms TTL=249

Ping statistics for {IpAddress}: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 32ms, Maximum = 116ms, Average = 56ms

— You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub https://github.com/bjowes/cypress-ntlm-auth/issues/112#issuecomment-608441914, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABCHR3BWWPCR5COMEZQEIX3RKXR7TANCNFSM4LRSUHLQ .

-- /Björn W

Skickat från min iPhone

[troyyer]

Thanks @bjowes. It started working now :) I actually don't know precisely what I did to get it to work but it started working with the original ntlm url. I initially tried your suggestion with the domain cy.ntlmSso(['stage-intapps.{companyDomain}']); but that failed with an unauthorized error when trying to access the url. I also got an unauthorized error in the other environment that was working for me without the company Domain. I reverted the ntlm back without the domain I then started playing around with the System Variable for the certs (tangent, but when i put multiple Value entries in NODE_EXTRA_CA_CERTS, i get the error "Warning: Ignoring extra certs from ..." I would have to sort this out if i have to put in multiple entries) I then removed and put back in the certs into the certs folder I had created and a few other random things and it started to work. Much appreciated with the time you spent helping me debug this.

[bjowes]

Great to hear! For NODE_EXTRA_CA_CERTS, it should only point to one file (not multiple values). If you need multiple certs, merge them into one file.

[mariusfranzen]

Sorry for bringing this up again. I'm getting the error "socket hang up" in cypress, but only when I try to auth with this. I can't skip authing of course since I can't run the proper tests if i'm not logged in.

I used the $env:DEBUG='cypress:plugin:ntlm-auth' command and got the same error as troyyer did:

  cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:52608 to target http://127.0.0.1:50617/ +4s
  cypress:plugin:ntlm-auth Request to config API +1ms
  cypress:plugin:ntlm-auth Created untracked agent for target http://127.0.0.1:50617/ +0ms
  cypress:plugin:ntlm-auth Received valid NTLM config update +28ms
  cypress:plugin:ntlm-auth Added new hosts [ 'website.imtesting.local' ] +0ms
  cypress:plugin:ntlm-auth Request to config API +24ms
  cypress:plugin:ntlm-auth Created untracked agent for target http://127.0.0.1:50617/ +0ms
  cypress:plugin:ntlm-auth Received valid NTLM SSO config +4ms
  cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:52613 to target https://website.imtesting.local:443/ +64ms
  cypress:plugin:ntlm-auth Request to https://website.imtesting.local:443/ in registered NTLM Hosts +1ms
  cypress:plugin:ntlm-auth PROXY_TO_SERVER_REQUEST_ERROR on /: Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:932:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12) {
  code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
} Destroying client socket. +58ms

I tried to add the NODE_EXTRA_CA_CERTS like you instructed, but it's not helping. I keep on getting the same error. I have also tried to add NODE_TLS_REJECT_UNAUTHORIZED=0 and strict-ssl=false to .npmrc

[mariusfranzen]

After checking the other issues I think this is related to #180 as I also require windows authentication