ironstar-io / tokaido

Zero-conf Drupal Local Development Environments with Docker
https://tokaido.io
BSD 3-Clause "New" or "Revised" License

Certs are not valid according to NPM #240

Closed BrianGilbert closed 4 years ago

BrianGilbert commented 4 years ago

What happened: Using a Tokaido backend and a Nuxt project as a decoupled frontend, when npm tried to access the local tok site we got errors from npm that the certificate can't be verified.

npm run dev

> druxt-demo@0.1.0 dev /Users/brian/Projects/druxt/druxt-demo
> nuxt

   ╭───────────────────────────────────────╮
   │                                       │
   │   Nuxt.js @ v2.13.3                   │
   │                                       │
   │   ▸ Environment: development          │
   │   ▸ Rendering:   server-side          │
   │   ▸ Target:      server               │
   │                                       │
   │   Listening: http://localhost:3000/   │
   │                                       │
   ╰───────────────────────────────────────╯

ℹ Preparing project for development  15:12:59
ℹ Initial build may take a while  15:12:59
✔ Builder initialized  15:12:59

 FATAL  unable to verify the first certificate  15:12:59

  at TLSSocket.onConnectSecure (_tls_wrap.js:1498:34)
  at TLSSocket.emit (events.js:314:20)
  at TLSSocket.EventEmitter.emit (domain.js:486:12)
  at TLSSocket._finishInit (_tls_wrap.js:933:8)
  at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:707:12)

   ╭───────────────────────────────────────────────────╮
   │                                                   │
   │   ✖ Nuxt Fatal Error                              │
   │                                                   │
   │   Error: unable to verify the first certificate   │
   │                                                   │
   ╰───────────────────────────────────────────────────╯

npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! druxt-demo@0.1.0 dev: `nuxt`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the druxt-demo@0.1.0 dev script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

What you expected to happen: npm was able to contact the tokaido backend

How to reproduce it (as minimally and precisely as possible): happy to screenshare this, as hard to replicate without correct setup.

Anything else we need to know?: Checking the cert with OpenSSL shows that it has verification issues:

$ openssl s_client -showcerts \
  -connect test.local.tokaido.io:32786
CONNECTED(00000003)
depth=0 C = JP, ST = Osaka, L = Shin-Osaka, O = Tokaido Proxy Service, CN = *.local.tokaido.io
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = JP, ST = Osaka, L = Shin-Osaka, O = Tokaido Proxy Service, CN = *.local.tokaido.io
verify error:num=21:unable to verify the first certificate
verify return:1

Environment:

Additional context:

I think this could likely be resolved by changing the certificate creation process to use mkcert (which is supported on Windows, Linux, and Mac) instead (https://github.com/FiloSottile/mkcert). mkcert is a simple tool for making locally-trusted development certificates. It requires no configuration.

Alternatively, you could generate a *.local.tokaido.io cert from a server that Let's Encrypt can access at port 80, and transfer it to the user's computer (with the problem of it needing to be updated every 90 days).

Another alternative (though probably OS-limited): https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

BrianGilbert commented 4 years ago

I found a solution for this:

export NODE_EXTRA_CA_CERTS='/Users/brian/.tok/tls/ca/ca.crt'

I have added this export to my terminal startup script and can confirm this resolves the issue across multiple reboots of the machine.

It might be worth echoing this information out on tokaido installation?
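
Added example, not part of the thread or of Tokaido's code: a self-contained reproduction of the failure and fix discussed above, using a throwaway CA and wildcard leaf generated on the spot. Verifying the leaf against only the default trust store gives the same error 20 that `openssl s_client` reported in the issue, and supplying the CA file, which is what `NODE_EXTRA_CA_CERTS` does for Node, makes it pass. All subjects, hostnames and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. All names, subjects and paths here are constructed; nothing is
# taken from a Tokaido install. Requires the openssl CLI.

# Build a throwaway private CA and a wildcard leaf signed by it: the same chain
# shape as in the issue (a leaf issued by a CA the client does not trust yet).
make_chain() {  # $1 = output directory
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Local CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.local.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
}

# Verify a leaf. With no second argument only the default trust store is used,
# which is the situation Node is in before NODE_EXTRA_CA_CERTS is set.
verify_leaf() {  # $1 = leaf cert, $2 = optional extra CA file
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" 2>&1
  else
    openssl verify "$1" 2>&1
  fi
}

# Pre-flight for the variable itself: the file must exist and parse as a PEM
# certificate, otherwise exporting its path changes nothing.
check_extra_ca() {  # $1 = path intended for NODE_EXTRA_CA_CERTS
  [ -r "$1" ] && openssl x509 -in "$1" -noout 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_chain "$d" || return 1
  echo "--- without the CA:"
  verify_leaf "$d/leaf.crt" || echo "(verification failed, as expected)"
  echo "--- with the CA:"
  verify_leaf "$d/leaf.crt" "$d/ca.crt"
  check_extra_ca "$d/ca.crt" && echo "CA file is usable for NODE_EXTRA_CA_CERTS"
  rm -rf "$d"
}
demo
```

Trusting one additional CA file keeps certificate verification switched on for every other connection the Node process makes.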

ironmike-au commented 4 years ago

Glad to hear you fixed this Brian. For now, I don't want to modify the output with this, although I appreciate the suggestion, as I think it just clutters up the output too much with information the user most likely doesn't need.