ECDSA certificates not supported

[orenh1]

I use a TLS certificate from Let's Encrypt, which react-scripts finds through the ".env" file (using the environment variables SSL_CRT_FILE and SSL_KEY_FILE). Recently I renewed the certificate and changed its type from RSA to ECDSA (because Let's Encrypt recommends this). This caused the following error to appear when I run "yarn start":

The certificate "XXXXXX\fullchain.pem" is invalid.
error:0608B096:digital envelope routines:EVP_PKEY_encrypt_init:operation not supported for this keytype

I tried recreating my 'node_modules' directory but that didn't help. I downgraded back to an RSA certificate and the problem disappeared.

[justin-tay]

This is because the validateKeyAndCerts function at https://github.com/facebook/create-react-app/blob/bb64e31a81eb12d688c14713dce812143688750a/packages/react-scripts/config/getHttpsConfig.js#L19 incorrectly assumes that the key can be used for encrypt/decrypt when attempting to validate the key. This is true for RSA keys but false for EC keys. Either the validation should be removed or changed to check that sign/verify is successful.

[SimonHooker]

@orenh1 submitted a PR https://github.com/facebook/create-react-app/pull/13123 which is able to validate ECDSA without impacting standard functionality.

[SomervilleTom]

I see the PR (thank you!). This PR moves but does not solve the issue in my app.

It appears to me that I have no choice except to generate an RSA (instead of the default ECDSA) from certbot.

According to the PR, it changes only one file ('getHttpsConfig.js').

I folded those changes into my app by hand and stepped through the code in a VSC debugger to show that the change allows that specific routine to finish without errors.

However, the app fails with a different error later. Here is the output of yarn start from the command line in the project directory:

Starting the development server...

/home/tms/frontend/gate_dashboard/node_modules/react-scripts/scripts/start.js:19
  throw err;
  ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:71:19)
    at Object.createHash (node:crypto:140:10)
    at module.exports (/home/tms/frontend/gate_dashboard/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/home/tms/frontend/gate_dashboard/node_modules/webpack/lib/NormalModule.js:417:16)
    at /home/tms/frontend/gate_dashboard/node_modules/webpack/lib/NormalModule.js:452:10
    at /home/tms/frontend/gate_dashboard/node_modules/webpack/lib/NormalModule.js:323:13
    at /home/tms/frontend/gate_dashboard/node_modules/loader-runner/lib/LoaderRunner.js:367:11
    at /home/tms/frontend/gate_dashboard/node_modules/loader-runner/lib/LoaderRunner.js:233:18
    at context.callback (/home/tms/frontend/gate_dashboard/node_modules/loader-runner/lib/LoaderRunner.js:111:13)
    at /home/tms/frontend/gate_dashboard/node_modules/react-scripts/node_modules/babel-loader/lib/index.js:59:103 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

Node.js v19.8.1
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

[SomervilleTom]

I was able to get CRA to sort-of work by updating 'react-scripts' and then applying the above PR.

I upgraded using yarn:

yarn remove react-scripts
yarn add react-scripts

This upgraded react-scripts to "^5.0.1".

I then edited "getHttpsConfig.js" as per the changes in the above PR.

When I run the app using "yarn start", I get the following complaints in the debug console:

(node:18650) [DEP_WEBPACK_DEV_SERVER_HTTPS] DeprecationWarning: 'https' option is deprecated. Please use the 'server' option.
(Use `node --trace-deprecation ...` to show where the warning was created)
(node:18650) [DEP_WEBPACK_DEV_SERVER_ON_AFTER_SETUP_MIDDLEWARE] DeprecationWarning: 'onAfterSetupMiddleware' option is deprecated. Please use the 'setupMiddlewares' option.
(node:18650) [DEP_WEBPACK_DEV_SERVER_ON_BEFORE_SETUP_MIDDLEWARE] DeprecationWarning: 'onBeforeSetupMiddleware' option is deprecated. Please use the 'setupMiddlewares' option.

I'm ignoring these, at least for now.