ERR_TLS_CERT_ALTNAME_INVALID error when using the proxy support

templth commented 1 month ago

Describe the bug

I use the proxy support this way :

const proxy = 'https://customerabc:password@pr.oxylabs.io:7777';
const agent = ytdl.createProxyAgent({ uri: proxy });

const info = await ytdl.getInfo(videoUrl, { agent, filter: 'audioonly', format: 'mp3' });

While it works perfectly locally, I got the following error when trying to execute this code on the server :

Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: www.youtube.com. is not in the cert's altnames: DNS:*.c.docs.google.com, DNS:*.a1.googlevideo.com, DNS:*.bdn.dev, DNS:*.origin-test.bdn.dev, DNS:*.c.2mdn.net, DNS:*.c.bigcache.googleapis.com, DNS:*.c.chat.google.com, DNS:*.c.doc-0-0-sj.sj.googleusercontent.com, DNS:*.c.drive.google.com, DNS:*.c.googlesyndication.com, DNS:*.c.googlevideo.com, DNS:*.c.mail.google.com, DNS:*.c.mail.googleusercontent.com, DNS:*.c.pack.google.com, DNS:*.c.play.google.com, DNS:*.c.youtube.com, DNS:*.dai.googlevideo.com, DNS:*.googlevideo.com, DNS:*.googlezip.net, DNS:*.gvt1.com, DNS:*.offline-maps.gvt1.com, DNS:*.snap.gvt1.com, DNS:*.gcpcdn.gvt1.com, DNS:xn--ngstr-lra8j.com, DNS:*.xn--ngstr-lra8j.com
0|index  |     at new NodeError (node:internal/errors:405:5)
0|index  |     at Object.checkServerIdentity (node:tls:337:12)
0|index  |     at TLSSocket.onConnectSecure (node:_tls_wrap:1669:27)
0|index  |     at TLSSocket.emit (node:events:517:28)
0|index  |     at TLSSocket._finishInit (node:_tls_wrap:1070:8)
0|index  |     at ssl.onhandshakedone (node:_tls_wrap:856:12) {
0|index  |   reason: "Host: www.youtube.com. is not in the cert's altnames: DNS:*.c.docs.google.com, DNS:*.a1.googlevideo.com, DNS:*.bdn.dev, DNS:*.origin-test.bdn.dev, DNS:*.c.2mdn.net, DNS:*.c.bigcache.googleapis.com, DNS:*.c.chat.google.com, DNS:*.c.doc-0-0-sj.sj.googleusercontent.com, DNS:*.c.drive.google.com, DNS:*.c.googlesyndication.com, DNS:*.c.googlevideo.com, DNS:*.c.mail.google.com, DNS:*.c.mail.googleusercontent.com, DNS:*.c.pack.google.com, DNS:*.c.play.google.com, DNS:*.c.youtube.com, DNS:*.dai.googlevideo.com, DNS:*.googlevideo.com, DNS:*.googlezip.net, DNS:*.gvt1.com, DNS:*.offline-maps.gvt1.com, DNS:*.snap.gvt1.com, DNS:*.gcpcdn.gvt1.com, DNS:xn--ngstr-lra8j.com, DNS:*.xn--ngstr-lra8j.com",
0|index  |   host: 'www.youtube.com',
0|index  |   cert: {
0|index  |     subject: [Object: null prototype] { CN: '*.c.docs.google.com' },
0|index  |     issuer: [Object: null prototype] {
0|index  |       C: 'US',
0|index  |       O: 'Google Trust Services',
0|index  |       CN: 'WR2'
0|index  |     },
0|index  |     subjectaltname: 'DNS:*.c.docs.google.com, DNS:*.a1.googlevideo.com, DNS:*.bdn.dev, DNS:*.origin-test.bdn.dev, DNS:*.c.2mdn.net, DNS:*.c.bigcache.googleapis.com, DNS:*.c.chat.google.com, DNS:*.c.doc-0-0-sj.sj.googleusercontent.com, DNS:*.c.drive.google.com, DNS:*.c.googlesyndication.com, DNS:*.c.googlevideo.com, DNS:*.c.mail.google.com, DNS:*.c.mail.googleusercontent.com, DNS:*.c.pack.google.com, DNS:*.c.play.google.com, DNS:*.c.youtube.com, DNS:*.dai.googlevideo.com, DNS:*.googlevideo.com, DNS:*.googlezip.net, DNS:*.gvt1.com, DNS:*.offline-maps.gvt1.com, DNS:*.snap.gvt1.com, DNS:*.gcpcdn.gvt1.com, DNS:xn--ngstr-lra8j.com, DNS:*.xn--ngstr-lra8j.com',
0|index  |     infoAccess: [Object: null prototype] {
0|index  |       'OCSP - URI': [Array],
0|index  |       'CA Issuers - URI': [Array]
0|index  |     },
0|index  |     ca: false,
0|index  |     modulus: 'C94A3E9614B653BC380DBC1FDC3419C24FFE10983DAAE2434961B2A0B44318645BBBE618D06D126DF252520DC2CC4072814FC95C154CA7C1981DDAF14876FE7863A43AA525D9BCEEBA68C5EEF0DD04C0D2A84200CF53001C01031A3FCB1E1086B74AB2041966B444F42F0BA7E237C69E849DCF9092B4AD6D1351A250CF7F05203158CE7DDEE5D3B78D1B24973385D9EA9ABBF465DE6D44CDDC29C45215403CD9590586672AB58C5AC70596D155757F23B054DD810C2419F0F76A1AEE8674141D5CF7E40D99410BF0EC0FB052C6EE5F562994FB867B252AF981C4977F67668CE953FAFF92E4B77876C81E1DFC0D3D4D61591B3915D2AAAC9AFC6E4C7C409408EB',
0|index  |     bits: 2048,
0|index  |     exponent: '0x10001',
0|index  |     pubkey: <Buffer 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c9 4a 3e 96 14 b6 53 bc 38 0d bc 1f dc 34 19 c2 4f ... 244 more bytes>,
0|index  |     valid_from: 'Jul 16 14:35:09 2024 GMT',
0|index  |     valid_to: 'Sep 24 14:35:08 2024 GMT',
0|index  |     fingerprint: 'A1:6F:AE:90:1A:F9:59:57:89:A3:FE:EF:86:3C:E1:D9:72:17:4A:5B',
0|index  |     fingerprint256: '03:BF:F6:A5:A1:0D:02:E4:13:A7:33:31:58:86:52:C3:B5:13:EE:86:6B:89:15:B5:E4:95:91:92:3B:DD:A3:F8',
0|index  |     fingerprint512: '44:FB:6B:62:F4:66:48:1A:01:FE:D6:2D:67:65:2D:81:55:EC:7E:C4:2F:55:9F:C1:05:33:3C:63:AE:4F:57:04:8C:38:36:9E:A0:8F:6D:D5:D2:88:65:E6:D3:79:4A:1D:76:64:8D:60:CD:A7:D4:12:B9:C5:6F:4B:27:96:14:5B',
0|index  |     ext_key_usage: [ '1.3.6.1.5.5.7.3.1' ],
0|index  |     serialNumber: '04A54DA47ED9A8B3126AD7934E7F3292',
0|index  |     raw: <Buffer 30 82 07 37 30 82 06 1f a0 03 02 01 02 02 10 04 a5 4d a4 7e d9 a8 b3 12 6a d7 93 4e 7f 32 92 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 3b 31 0b ... 1801 more bytes>,
0|index  |     issuerCertificate: {
0|index  |       subject: [Object: null prototype],
0|index  |       issuer: [Object: null prototype],
0|index  |       infoAccess: [Object: null prototype],
0|index  |       ca: true,
0|index  |       modulus: 'A9FF9C7F451E70A8539FCAD9E50DDE4657577DBC8F9A5AAC46F1849ABB91DBC9FB2F01FB920900165EA01CF8C1ABF9782F4ACCD885A2D8593C0ED318FBB1F5240D26EEB65B64767C14C72F7ACEA84CB7F4D908FCDF87233520A8E269E28C4E3FB159FA60A21EB3C920531982CA36536D604DE90091FC768D5C080F0AC2DCF1736BC5136E0A4F7AC2F2021C2EB46383DA31F62D7530B2FBABC26EDBA9C00EB9F967D4C3255774EB05B4E98EB5DE28CDCC7A14E47103CB4D612E6157C519A90B98841AE87929D9B28D2FFF576A66E0CEAB95A82996637012671E3AE1DBB02171D77C9EFDAA176EFE2BFB381714D166A7AF9AB570CCC863813A8CC02AA97637CEE3',
0|index  |       bits: 2048,
0|index  |       exponent: '0x10001',
0|index  |       pubkey: <Buffer 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 a9 ff 9c 7f 45 1e 70 a8 53 9f ca d9 e5 0d de 46 57 ... 244 more bytes>,
0|index  |       valid_from: 'Dec 13 09:00:00 2023 GMT',
0|index  |       valid_to: 'Feb 20 14:00:00 2029 GMT',
0|index  |       fingerprint: '66:E4:16:12:60:B1:00:FE:E0:DE:28:7A:9A:52:93:B4:C2:22:4A:E6',
0|index  |       fingerprint256: 'E6:FE:22:BF:45:E4:F0:D3:B8:5C:59:E0:2C:0F:49:54:18:E1:EB:8D:32:10:F7:88:D4:8C:D5:E1:CB:54:7C:D4',
0|index  |       fingerprint512: 'B0:2E:6C:6B:67:2A:91:2C:D0:9F:78:F6:E0:F4:BC:7E:90:FC:CF:2C:1A:98:35:E9:D1:F3:36:44:28:00:33:4D:7C:81:F1:A0:57:03:5C:12:51:52:4B:17:EF:19:8A:26:F8:FE:8A:3C:96:AB:2F:E7:54:BA:5C:F5:14:33:FD:A6',
0|index  |       ext_key_usage: [Array],
0|index  |       serialNumber: '7FF005A07C4CDED100AD9D66A5107B98',
0|index  |       raw: <Buffer 30 82 05 0b 30 82 02 f3 a0 03 02 01 02 02 10 7f f0 05 a0 7c 4c de d1 00 ad 9d 66 a5 10 7b 98 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 47 31 0b ... 1245 more bytes>,
0|index  |       issuerCertificate: [Object]
0|index  |     }
0|index  |   },
0|index  |   code: 'ERR_TLS_CERT_ALTNAME_INVALID'
0|index  | }

Debug File

Environment

@distube/ytdl-core version:
Node.js version: 18.20.4
Operating system: Linux

templth commented 1 month ago

I found out that I have this behavior only when I use the code within an Express application. I works fine within a simple application.

skick1234 commented 1 month ago

@distube/ytdl-core uses undici's ProxyAgent option on this case, I cannot fix their problem. You can check their issues for more information: https://github.com/nodejs/undici/issues.

templth commented 1 month ago

Thanks for you answer !

Just posted a question on their github: https://github.com/nodejs/undici/issues/3437.

templth commented 1 month ago

@skick1234 Which proxy provider do you use to test this feature?