Closed vermario closed 1 week ago
I am able to continue working with the project by adding this env var to our node service:
NODE_TLS_REJECT_UNAUTHORIZED: 0
But that's not great practice, and it does seem that something's up with the SSL configuration in this new version.
To try and debug this, I:
lando exec node -- bash
openssl s_client -connect next-drupal-starterkit.lndo.site:443
(that is the url of the drupal site, that I am able to reach via the browser no problem)
This is the result:
openssl s_client -connect next-drupal-starterkit.lndo.site:443
CONNECTED(00000003)
---
Certificate chain
0 s:CN = next-drupal-starterkit.lndo.site, O = Lando System
i:CN = Lando Development CA, C = US, ST = California, L = Oakland, O = Lando Development CA
---
Server certificate
subject=CN = next-drupal-starterkit.lndo.site, O = Lando System
issuer=CN = Lando Development CA, C = US, ST = California, L = Oakland, O = Lando Development CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1583 bytes and written 404 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
400 Bad Request
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: CA3AFA9E678969300D0B2AC584D4E253775C5950C40080E1B1242195FB79EECB
Session-ID-ctx:
Resumption PSK: 6441D92D75D8C34EDFE911C61AFF061826B1CB54A913A35289857500102F0FD5D6DC8FCC4AB7CE7374F64BC14D776592
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:
Start Time: 1728973011
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
closed
Notice that HTTP/1.1 400 Bad Request?
We found that adding this ENV var to the node service:
NODE_OPTIONS: --use-openssl-ca
allows it to work again, so we are adding it. Maybe it's useful for other people if they start seeing this issue as well.
Another way to resolve this is to define the NODE_EXTRA_CA_CERTS envvar and map it to LANDO_CA_CERT value internally.
services:
  node:
    overrides:
      environment:
        NODE_EXTRA_CA_CERTS: /lando/certs/LandoCA.crt
Hello!
We maintain this starterkit for Drupal and next.js: https://github.com/wunderio/next-drupal-starterkit
And we have been using lando with it for a long time. After the latest update, our node service is not able to fetch from our Drupal service anymore using https. We get this error:
I saw in the list of commits that the latest release for core had some changes in the handling of certificates, and also the Mac prompted for my password to make changes to the certificate settings when installing the update.
This is the lando file: https://github.com/wunderio/next-drupal-starterkit/blob/main/.lando.yml Node version is: v.20.11.0