jspm / project

Roadmap and management repo for the jspm project

[ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: ga.jspm.io. is not in the cert's altnames: DNS:*.rbxcdn.com, DNS:*.cachefly.net, DNS:rbxcdn.com #311

Closed ArtieReus closed 11 months ago

ArtieReus commented 11 months ago

Since today I have been encountering a recurring error when attempting to fetch resources from ga.jspm.io in our CI.

Example: https://ga.jspm.io/npm:@tanstack/query-core@4.36.1/build/lib/index.mjs.map

Error: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: ga.jspm.io. is not in the cert's altnames: DNS:*.rbxcdn.com, DNS:*.cachefly.net, DNS:rbxcdn.com

Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: ga.jspm.io. is not in the cert's altnames: DNS:*.rbxcdn.com, DNS:*.cachefly.net, DNS:rbxcdn.com
    at new NodeError (node:internal/errors:405:5)
    at Object.checkServerIdentity (node:tls:337:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1610:27)
    at TLSSocket.emit (node:events:517:28)
    at TLSSocket._finishInit (node:_tls_wrap:1017:8)
    at ssl.onhandshakedone (node:_tls_wrap:803:12) {
  reason: "Host: ga.jspm.io. is not in the cert's altnames: DNS:*.rbxcdn.com, DNS:*.cachefly.net, DNS:rbxcdn.com",
  host: 'ga.jspm.io',
  cert: {
    subject: [Object: null prototype] {
      C: 'US',
      ST: 'Illinois',
      L: 'Chicago',
      O: 'Cachenetworks, LLC',
      CN: '*.rbxcdn.com'
    },
    issuer: [Object: null prototype] {
      C: 'BE',
      O: 'GlobalSign nv-sa',
      CN: 'GlobalSign ECC OV SSL CA 2018'
    },
    subjectaltname: 'DNS:*.rbxcdn.com, DNS:*.cachefly.net, DNS:rbxcdn.com',
    infoAccess: [Object: null prototype] {
      'CA Issuers - URI': [ 'http://secure.globalsign.com/cacert/gseccovsslca2018.crt' ],
      'OCSP - URI': [ 'http://ocsp.globalsign.com/gseccovsslca2018' ]
    },
    ca: false,
    bits: 256,
    pubkey: Buffer(65) [Uint8Array] [
    ],
    asn1Curve: 'prime256v1',
    nistCurve: 'P-256',
    valid_from: 'Nov 18 00:01:02 2022 GMT',
    valid_to: 'Dec 20 00:01:01 2023 GMT',
    fingerprint: 'C3:6F:4B:5C:0E:DB:55:7A:5A:10:E5:90:29:43:77:09:6F:50:86:EE',
    fingerprint256: '3B:CB:25:DA:E0:3F:55:9F:8D:57:CA:31:C7:17:12:7F:21:BE:5A:A5:BB:2A:FA:E5:48:6A:4D:30:D4:22:86:1F',
    fingerprint512: 'CC:45:2B:E9:7D:F5:B1:82:ED:71:C8:5C:FC:DA:30:6F:D3:90:E7:A0:79:98:47:26:9D:E6:1C:91:1C:CD:18:B9:A8:42:98:3E:70:A9:73:AA:A9:AF:FF:7C:24:A9:24:28:D1:0A:30:A2:7D:99:1C:5D:9D:A9:8B:4C:C3:EF:28:6D',
    ext_key_usage: [ '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2' ],
    serialNumber: '24804D6D2C53D7B3D62BFE06',
    raw: Buffer(1269) [Uint8Array] [
    ],
    issuerCertificate: {
      subject: [Object: null prototype] {
        C: 'BE',
        O: 'GlobalSign nv-sa',
        CN: 'GlobalSign ECC OV SSL CA 2018'
      },
      issuer: [Object: null prototype] {
        OU: 'GlobalSign ECC Root CA - R5',
        O: 'GlobalSign',
        CN: 'GlobalSign'
      },
      infoAccess: [Object: null prototype] {
        'OCSP - URI': [ 'http://ocsp2.globalsign.com/rootr5' ]
      },
      ca: true,
      bits: 384,
      pubkey: Buffer(97) [Uint8Array] [
      ],
      asn1Curve: 'secp384r1',
      nistCurve: 'P-384',
      valid_from: 'Nov 21 00:00:00 2018 GMT',
      valid_to: 'Nov 21 00:00:00 2028 GMT',
      fingerprint: '95:3E:42:EE:8D:62:7C:ED:52:B9:6A:DF:C0:22:26:B5:DE:13:04:17',
      fingerprint256: '87:C7:15:53:44:5E:B3:C3:3C:3E:07:10:71:1B:99:E9:C7:77:3F:04:D9:1A:C3:8A:9F:4C:08:2E:E2:41:01:EA',
      fingerprint512: '3C:9A:6B:69:B7:A0:F1:98:E3:EB:19:82:56:8A:97:50:DD:DA:73:83:39:06:EF:EE:76:4D:E7:7D:FF:19:C2:E6:56:73:29:9B:9E:9C:0F:30:E2:42:98:3F:13:67:9B:D8:F8:B3:D0:CF:8C:FE:77:59:58:64:CE:76:30:B2:7F:01',
      serialNumber: '01EE5F2295424905F90191A8DC',
      raw: Buffer(774) [Uint8Array] [
      ],
      issuerCertificate: <ref *1> {
        subject: [Object: null prototype] {
          OU: 'GlobalSign ECC Root CA - R5',
          O: 'GlobalSign',
          CN: 'GlobalSign'
        },
        issuer: [Object: null prototype] {
          OU: 'GlobalSign ECC Root CA - R5',
          O: 'GlobalSign',
          CN: 'GlobalSign'
        },
        ca: true,
        bits: 384,
        pubkey: Buffer(97) [Uint8Array] [
        ],
        asn1Curve: 'secp384r1',
        nistCurve: 'P-384',
        valid_from: 'Nov 13 00:00:00 2012 GMT',
        valid_to: 'Jan 19 03:14:07 2038 GMT',
        fingerprint: '1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA',
        fingerprint256: '17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24',
        fingerprint512: '22:D9:4D:FA:10:7A:BA:9A:55:6B:4A:B6:57:AE:07:2F:B5:A6:7E:77:68:23:1D:75:DB:4E:BF:B6:3B:8D:E6:D4:17:F4:7D:66:A2:E0:CB:6C:96:EE:D4:82:75:6A:B8:17:2A:7F:7A:9A:F3:76:0C:7D:F9:99:7F:9F:12:C4:BE:4D',
        serialNumber: '605949E0262EBB55F90A778A71F94AD86C',
        raw: Buffer(546) [Uint8Array] [
        ],
        issuerCertificate: [Circular *1]
      }
    }
  },
  code: 'ERR_TLS_CERT_ALTNAME_INVALID'
}

Node.js v18.18.2

Does this have something to do with the transition to CacheFly CDN?

ArtieReus commented 11 months ago

Retrieving the certificate from my local machine sometimes appears to be correct:

Alternative Name: DNS:ga.jspm.io, DNS:jspm.dev, DNS:ga.system.jspm.io, DNS:da.jspm.io, DNS:da.opt.jspm.io, DNS:dev.jspm.io

openssl s_client -connect ga.jspm.io:443 | openssl x509 -text -noout
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
verify return:1
depth=0 CN = ga.jspm.io, O = "Cachenetworks, LLC", L = Chicago, ST = Illinois, C = US
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6e:69:35:f9:be:b1:a3:ab:90:81:69:25
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
        Validity
            Not Before: Aug 30 16:11:02 2023 GMT
            Not After : Sep 30 16:11:01 2024 GMT
        Subject: CN = ga.jspm.io, O = "Cachenetworks, LLC", L = Chicago, ST = Illinois, C = US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            Authority Information Access:
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
                OCSP - URI:http://ocsp.globalsign.com/gsrsaovsslca2018
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.4146.1.20
                  CPS: https://www.globalsign.com/repository/
                Policy: 2.23.140.1.2.2
            X509v3 Subject Alternative Name:
                DNS:ga.jspm.io, DNS:jspm.dev, DNS:ga.system.jspm.io, DNS:da.jspm.io, DNS:da.opt.jspm.io, DNS:dev.jspm.io
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                F8:EF:7F:F2:CD:78:67:A8:DE:6F:8F:24:8D:88:F1:87:03:02:B3:EB
            X509v3 Subject Key Identifier:
                F4:A1:FA:C4:3D:EA:0F:5A:69:40:88:57:D2:54:42:AC:D1:E5:55:79
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
                                1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
                    Timestamp : Aug 30 16:11:04.420 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:C9:F4:B1:78:08:19:6C:63:1E:7B:55:
                                FC:DD:FC:13:2C:01:58:82:AB:37:42:6B:61:E9:5F:07:
                                63:F6:A7:51:9D:02:20:40:D9:5E:A1:34:A2:11:C5:87:
                                12:41:02:F7:ED:B0:2A:84:70:D8:BB:00:BF:16:BC:5C:
                                80:15:5F:83:C2:9A:77
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
                                32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
                    Timestamp : Aug 30 16:11:04.803 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:08:38:46:B2:80:14:B1:CD:54:EA:96:A7:
                                24:1F:65:C8:0B:3B:63:F1:B3:D1:41:76:53:F7:0D:CF:
                                92:A8:18:A9:02:21:00:E7:2F:D9:E4:FA:A7:55:68:7A:
                                BF:58:08:42:0E:B6:33:B7:2A:0A:04:19:02:03:17:49:
                                B3:FE:A8:30:58:83:04
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
                                91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
                    Timestamp : Aug 30 16:11:04.054 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:66:3A:B3:6E:30:57:7E:43:C3:51:13:6F:
                                B5:73:9B:1C:2E:BD:9B:FA:FB:E3:68:22:97:00:2A:E1:
                                73:C8:22:D8:02:20:7C:9D:01:64:BC:3F:F1:8B:F9:2D:
                                BF:8A:22:AA:99:48:3B:47:69:B2:84:2E:3D:67:2B:8D:
                                ED:45:70:98:9A:FC
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

guybedford commented 11 months ago

Thanks for sharing, CacheFly did have some instability yesterday - https://www.cacheflystatus.com/. Did you experience this yesterday or today?

If you can share a debug dump from https://cachefly.cachefly.net/CacheFlyDebug that would help to follow up further.

ArtieReus commented 11 months ago

We encountered the issue for the first time today, and it persists in our CI. Additionally, we occasionally observe the issue when reproducing it from the browser (see picture).

image

What do you mean exactly with debug dump from https://cachefly.cachefly.net/CacheFlyDebug??

guybedford commented 11 months ago

> What do you mean exactly with debug dump from https://cachefly.cachefly.net/CacheFlyDebug ??

@ArtieReus can you share the network base64 data from that URL?

ArtieReus commented 11 months ago

sure:

ArtieReus commented 11 months ago

We have reduced the setup to the following small script:

import https from "https"

const downloadFile = (url, path) => {
  return new Promise((resolve, reject) => {
    https
      .get(url, (response) => {
        console.log("done!!")
        resolve()
      })
      .on("error", (err) => {
        reject(err)
      })
  })
}

downloadFile(
  "https://ga.jspm.io/npm:@tanstack/react-query@4.28.0/build/lib/",
  "."
)

When executing this script iteratively between 3 and 10 times, it consistently encounters the ERR_TLS_CERT_ALTNAME_INVALID error at least once.

Error:

┗➜  node test.mjs
node:internal/process/promises:288
            triggerUncaughtException(err, true /* fromPromise */);
            ^

Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: ga.jspm.io. is not in the cert's altnames: DNS:*.rbxcdn.com, DNS:*.cachefly.net, DNS:rbxcdn.com
    at new NodeError (node:internal/errors:405:5)
    at Object.checkServerIdentity (node:tls:337:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1610:27)
    at TLSSocket.emit (node:events:517:28)
    at TLSSocket._finishInit (node:_tls_wrap:1017:8)
    at ssl.onhandshakedone (node:_tls_wrap:803:12) {
  reason: "Host: ga.jspm.io. is not in the cert's altnames: DNS:*.rbxcdn.com, DNS:*.cachefly.net, DNS:rbxcdn.com",
  host: 'ga.jspm.io',
  cert: {
    subject: [Object: null prototype] {
      C: 'US',
      ST: 'Illinois',
      L: 'Chicago',
      O: 'Cachenetworks, LLC',
      CN: '*.rbxcdn.com'
    },
    issuer: [Object: null prototype] {
      C: 'BE',
      O: 'GlobalSign nv-sa',
      CN: 'GlobalSign ECC OV SSL CA 2018'
    },
    subjectaltname: 'DNS:*.rbxcdn.com, DNS:*.cachefly.net, DNS:rbxcdn.com',
    infoAccess: [Object: null prototype] {
      'CA Issuers - URI': [ 'http://secure.globalsign.com/cacert/gseccovsslca2018.crt' ],
      'OCSP - URI': [ 'http://ocsp.globalsign.com/gseccovsslca2018' ]
    },
    ca: false,
    bits: 256,
    pubkey: Buffer(65) [Uint8Array] [
    ],
    asn1Curve: 'prime256v1',
    nistCurve: 'P-256',
    valid_from: 'Nov 18 00:01:02 2022 GMT',
    valid_to: 'Dec 20 00:01:01 2023 GMT',
    fingerprint: 'C3:6F:4B:5C:0E:DB:55:7A:5A:10:E5:90:29:43:77:09:6F:50:86:EE',
    fingerprint256: '3B:CB:25:DA:E0:3F:55:9F:8D:57:CA:31:C7:17:12:7F:21:BE:5A:A5:BB:2A:FA:E5:48:6A:4D:30:D4:22:86:1F',
    fingerprint512: 'CC:45:2B:E9:7D:F5:B1:82:ED:71:C8:5C:FC:DA:30:6F:D3:90:E7:A0:79:98:47:26:9D:E6:1C:91:1C:CD:18:B9:A8:42:98:3E:70:A9:73:AA:A9:AF:FF:7C:24:A9:24:28:D1:0A:30:A2:7D:99:1C:5D:9D:A9:8B:4C:C3:EF:28:6D',
    ext_key_usage: [ '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2' ],
    serialNumber: '24804D6D2C53D7B3D62BFE06',
    raw: Buffer(1269) [Uint8Array] [
    ],
    issuerCertificate: {
      subject: [Object: null prototype] {
        C: 'BE',
        O: 'GlobalSign nv-sa',
        CN: 'GlobalSign ECC OV SSL CA 2018'
      },
      issuer: [Object: null prototype] {
        OU: 'GlobalSign ECC Root CA - R5',
        O: 'GlobalSign',
        CN: 'GlobalSign'
      },
      infoAccess: [Object: null prototype] {
        'OCSP - URI': [ 'http://ocsp2.globalsign.com/rootr5' ]
      },
      ca: true,
      bits: 384,
      pubkey: Buffer(97) [Uint8Array] [
      ],
      asn1Curve: 'secp384r1',
      nistCurve: 'P-384',
      valid_from: 'Nov 21 00:00:00 2018 GMT',
      valid_to: 'Nov 21 00:00:00 2028 GMT',
      fingerprint: '95:3E:42:EE:8D:62:7C:ED:52:B9:6A:DF:C0:22:26:B5:DE:13:04:17',
      fingerprint256: '87:C7:15:53:44:5E:B3:C3:3C:3E:07:10:71:1B:99:E9:C7:77:3F:04:D9:1A:C3:8A:9F:4C:08:2E:E2:41:01:EA',
      fingerprint512: '3C:9A:6B:69:B7:A0:F1:98:E3:EB:19:82:56:8A:97:50:DD:DA:73:83:39:06:EF:EE:76:4D:E7:7D:FF:19:C2:E6:56:73:29:9B:9E:9C:0F:30:E2:42:98:3F:13:67:9B:D8:F8:B3:D0:CF:8C:FE:77:59:58:64:CE:76:30:B2:7F:01',
      serialNumber: '01EE5F2295424905F90191A8DC',
      raw: Buffer(774) [Uint8Array] [
      ],
      issuerCertificate: <ref *1> {
        subject: [Object: null prototype] {
          OU: 'GlobalSign ECC Root CA - R5',
          O: 'GlobalSign',
          CN: 'GlobalSign'
        },
        issuer: [Object: null prototype] {
          OU: 'GlobalSign ECC Root CA - R5',
          O: 'GlobalSign',
          CN: 'GlobalSign'
        },
        ca: true,
        bits: 384,
        pubkey: Buffer(97) [Uint8Array] [
        ],
        asn1Curve: 'secp384r1',
        nistCurve: 'P-384',
        valid_from: 'Nov 13 00:00:00 2012 GMT',
        valid_to: 'Jan 19 03:14:07 2038 GMT',
        fingerprint: '1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA',
        fingerprint256: '17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24',
        fingerprint512: '22:D9:4D:FA:10:7A:BA:9A:55:6B:4A:B6:57:AE:07:2F:B5:A6:7E:77:68:23:1D:75:DB:4E:BF:B6:3B:8D:E6:D4:17:F4:7D:66:A2:E0:CB:6C:96:EE:D4:82:75:6A:B8:17:2A:7F:7A:9A:F3:76:0C:7D:F9:99:7F:9F:12:C4:BE:4D',
        serialNumber: '605949E0262EBB55F90A778A71F94AD86C',
        raw: Buffer(546) [Uint8Array] [
        ],
        issuerCertificate: [Circular *1]
      }
    }
  },
  code: 'ERR_TLS_CERT_ALTNAME_INVALID'
}

Node.js v18.18.0

It appears to me that the load balancer intermittently redirects to a broken endpoint.

hgw77 commented 11 months ago

It appears the issue has been resolved? We implemented a more robust retry mechanism on our end and are no longer seeing any retries. From our perspective, everything looks good!

guybedford commented 11 months ago

I was informed by CacheFly that due to their stability issues yesterday (https://www.cacheflystatus.com/) they had set up a temporary routing at this POP, and that temporary route had not yet been deactivated. Thanks for reporting back on this.
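
The retry approach mentioned in the thread, as an added example that is not part of the original issue or of the jspm project's code: it retries a request a bounded number of times while leaving Node's certificate verification enabled, and records which certificate each failed attempt was served. The function names, the list of retryable codes, the sample error and the placeholder fingerprint are assumptions of this example.

```javascript
// Added example, not code from the thread. All names here are this example's own.

// Codes treated as transient. Every attempt is still fully verified by Node.
const RETRYABLE = new Set(["ERR_TLS_CERT_ALTNAME_INVALID", "ECONNRESET", "ETIMEDOUT"]);

// Keep only the fields of a Node TLS error that identify the serving endpoint.
function describeFailure(err) {
  const cert = err.cert || {};
  return {
    code: err.code,
    host: err.host || null,
    altnames: cert.subjectaltname || null,
    fingerprint256: cert.fingerprint256 || null,
  };
}

const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Call request(url) up to `attempts` times with exponential backoff.
async function fetchWithRetry(request, url, opts = {}) {
  const { attempts = 5, baseDelayMs = 200, sleep = defaultSleep } = opts;
  const failures = [];
  for (let n = 1; n <= attempts; n++) {
    try {
      const value = await request(url);
      return { value, attempts: n, failures };
    } catch (err) {
      if (!RETRYABLE.has(err.code)) throw err; // e.g. expired or untrusted chain
      failures.push(describeFailure(err));
      if (n === attempts) {
        err.failures = failures; // hand the evidence to the caller
        throw err;
      }
      await sleep(baseDelayMs * 2 ** (n - 1));
    }
  }
}

// Real transport: plain https.get, so rejectUnauthorized keeps its default (true).
async function httpsGetStatus(url) {
  const https = await import("node:https");
  return new Promise((resolve, reject) => {
    https
      .get(url, (res) => {
        res.resume(); // drain the body so the socket is released
        resolve(res.statusCode);
      })
      .on("error", reject);
  });
}

// Constructed sample: an error shaped like the one reported in this issue.
function sampleAltnameError() {
  const err = new Error("Hostname/IP does not match certificate's altnames");
  err.code = "ERR_TLS_CERT_ALTNAME_INVALID";
  err.host = "ga.jspm.io";
  err.cert = {
    subjectaltname: "DNS:*.rbxcdn.com, DNS:*.cachefly.net, DNS:rbxcdn.com",
    fingerprint256: "SAMPLE-FINGERPRINT", // placeholder, not a real digest
  };
  return err;
}

// Constructed transport that fails `failFirst` times, then succeeds.
function flakyTransport(failFirst) {
  let calls = 0;
  return async () => {
    calls += 1;
    if (calls <= failFirst) throw sampleAltnameError();
    return 200;
  };
}
```

Against a real endpoint, call `fetchWithRetry(httpsGetStatus, url)`. An error that survives every attempt carries `err.failures`, listing the altnames and fingerprint served on each failed attempt, which is the evidence a CDN operator needs to locate the misrouted endpoint.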