grantila / fetch-h2

HTTP/1+2 Fetch API client for Node.js
MIT License

Using a multi wildcard-domain cert, got error #92

Closed: sharper closed this 4 years ago

sharper commented 4 years ago

Multi wildcard-domain cert, SAN: *.domain1.com, *.domain2.com. When using fetch-h2 to access a site (such as www.domain2.com) that uses a multi wildcard-domain cert, I get the error: Error: unable to verify the first certificate.

grantila commented 4 years ago

Which version of fetch-h2 is this, and do you have a certificate to share?

This looks more like your CA is not trusted. Is it self-signed? Then you need to allow self-signed certificates. In either case, look here for the discussion: https://stackoverflow.com/questions/31673587/error-unable-to-verify-the-first-certificate-in-nodejs This is not fetch-h2 related per se.

If you want to allow self-signed certs, do:

setup( { session: { rejectUnauthorized: false } } );

before doing any fetch( ).

sharper commented 4 years ago

san.js line 31 / san.ts line 50: if subject.CN looks like *.domain1.com,*.domain2.com,
it will throw the exception: Invalid CN/subjectAltNames @grantila

grantila commented 4 years ago

Do you have a certificate I can test with? That doesn't look right: you can't have multiple names in subject.CN, you need to use SAN, so the error is correct.

sharper commented 4 years ago

Our server crt has CN="*.wanscloud.com,*.ajyun.com.cn,*.ajcloud.net" and SAN = DNS:wanscloud.com, DNS:*.wanscloud.com, DNS:....

[Subject] E=support@ajcloud.net, CN="*.wanscloud.com,*.ajyun.com.cn,*.ajcloud.net", OU=Ajcloud Certification Authority, O="Nanjing Ajcloud Infotech Co., Ltd", C=CN

san.ts line 50: name.match( /.*\*.*\*.*/ ) is the regex for checking subdomains such as *.*.domain1.com, but the regex makes a CN like *.domain1.com,*.domain2.com fail.

@grantila

grantila commented 4 years ago

Is this a valid certificate, to have multiple comma-separated domains (wildcard or not) in the CN fields? I don't think you're allowed to.

The CN (afaik) should only contain one domain, and the rest (including that in the CN) should be in the SAN.

Also, if you have a SAN, the CN can be ignored, although fetch-h2 doesn't ignore it - it would be allowed to ignore it.

Is this certificate created by a trusted well-known CA? Are browsers like Chrome and Firefox accepting it?
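As an added illustration (not fetch-h2's own san.ts code), here is the name check grantila describes above: when subjectAltName DNS entries are present the CN is ignored entirely, a single wildcard covers exactly one label, and a name with more than one wildcard, or the comma-joined CN from this thread, is rejected. The cert object shape follows Node's tls getPeerCertificate() result (subject.CN plus a subjectaltname string); the sampleCert values are constructed from the certificate described in this thread.

```javascript
// A DNS name is acceptable if it has at most one wildcard and that wildcard,
// when present, is the whole left-most label ("*.example.com").
function isValidDnsName(name) {
  const wildcards = (name.match(/\*/g) || []).length;
  if (wildcards > 1) return false;                  // "*.*.example.com" rejected
  if (wildcards === 1 && !name.startsWith('*.')) return false;
  if (name.includes(',')) return false;              // comma-joined CN rejected
  const labels = name.split('.');
  return labels.length >= 2 && labels.every(l => l.length > 0);
}

// Match one certificate name against a hostname. A wildcard covers exactly
// one label: "*.example.com" matches "www.example.com" but neither
// "a.b.example.com" nor the bare "example.com".
function nameMatches(certName, hostname) {
  const name = certName.toLowerCase();
  const host = hostname.toLowerCase();
  if (!isValidDnsName(name)) return false;
  if (!name.startsWith('*.')) return name === host;
  const suffix = name.slice(1);                      // ".example.com"
  if (!host.endsWith(suffix)) return false;
  const leftmost = host.slice(0, host.length - suffix.length);
  return leftmost.length > 0 && !leftmost.includes('.');
}

// cert is shaped like Node's tls getPeerCertificate() result:
// { subject: { CN: '...' }, subjectaltname: 'DNS:a.com, DNS:*.a.com' }.
// With SAN DNS entries present the CN is ignored entirely (RFC 6125);
// without SAN the CN is used, but only if it is exactly one valid name.
function certificateCoversHost(cert, hostname) {
  const sanEntries = (cert.subjectaltname || '')
    .split(',')
    .map(s => s.trim())
    .filter(s => s.startsWith('DNS:'))
    .map(s => s.slice('DNS:'.length));
  if (sanEntries.length > 0) {
    return sanEntries.some(n => nameMatches(n, hostname));
  }
  const cn = cert.subject && cert.subject.CN;
  return typeof cn === 'string' && nameMatches(cn, hostname);
}

// Constructed sample modelled on the certificate described in this thread.
const sampleCert = {
  subject: { CN: '*.wanscloud.com,*.ajyun.com.cn,*.ajcloud.net' },
  subjectaltname: 'DNS:wanscloud.com, DNS:*.wanscloud.com, DNS:*.ajyun.com.cn',
};
console.log(certificateCoversHost(sampleCert, 'www.wanscloud.com')); // true
console.log(certificateCoversHost(sampleCert, 'www.ajcloud.net'));   // false (CN ignored)
```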

sharper commented 4 years ago

YES, the self-signed certificate is accepted by Chrome, Firefox and Microsoft Edge.

sharper commented 4 years ago

CN contains one domain; I also see that in other certs. I think I will re-sign the cert, BUT all services would have to restart.

github-actions[bot] commented 4 years ago

:tada: This issue has been resolved in version 2.4.4 :tada:
Your semantic-release bot :package::rocket: