medic / cht-user-management

GNU Affero General Public License v3.0

Login Fails For Local CHT Instances With Invalid TLS Certificate #107

Open alexosugo opened 3 months ago

alexosugo commented 3 months ago

CHT instances installed via Docker may have an optional TLS certificate installed to bypass the 'Your connection is not private' error that the browser shows when you try to access them. When the CHT management tool is run with the following env variables:

COOKIE_PRIVATE_KEY={your-cookie}
CONFIG_NAME=chis-ke
PORT=3555
EXTERNAL_PORT=3555    # for docker
INTERFACE=127.0.0.1
CHT_DEV_URL_PORT={your-local-ip}.local-ip.medicmobile.org
CHT_DEV_HTTP=false

login fails with an invalid certificate error. See log below:

AxiosError: Hostname/IP does not match certificate's altnames: Host: 192.168.100.2.local-ip.medicmobile.org. is not in the cert's altnames: DNS:*.local-ip.medicmobile.org
    at Function.AxiosError.from (/Users/kombo/Medic/cht-user-management/node_modules/axios/dist/node/axios.cjs:837:14)
    at RedirectableRequest.handleRequestError (/Users/kombo/Medic/cht-user-management/node_modules/axios/dist/node/axios.cjs:3090:25)
    at RedirectableRequest.emit (node:events:513:28)
    at ClientRequest.eventHandlers.<computed> (/Users/kombo/Medic/cht-user-management/node_modules/follow-redirects/index.js:37:24)
    at ClientRequest.emit (node:events:513:28)
    at TLSSocket.socketErrorListener (node:_http_client:494:9)
    at TLSSocket.emit (node:events:513:28)
    at emitErrorNT (node:internal/streams/destroy:157:8)
    at emitErrorCloseNT (node:internal/streams/destroy:122:3)
    at processTicksAndRejections (node:internal/process/task_queues:83:21) {
  code: 'ERR_TLS_CERT_ALTNAME_INVALID',
  cert: {
    subject: [Object: null prototype] { CN: '*.local-ip.medicmobile.org' },
    issuer: [Object: null prototype] { C: 'US', O: "Let's Encrypt", CN: 'R3' },
    subjectaltname: 'DNS:*.local-ip.medicmobile.org',
    infoAccess: [Object: null prototype] {
      'OCSP - URI': [Array],
      'CA Issuers - URI': [Array]
    },
derickl commented 3 months ago

You can try ignoring TLS certificate validation.

e.g. export NODE_TLS_REJECT_UNAUTHORIZED=0 before launching the user management tool?

alexosugo commented 3 months ago

Thanks @derickl. That and appending it to the .env files both work. I expect that some people have experienced a similar issue, so this should help.

derickl commented 3 months ago

You probably don't need to do both. Does adding it to the env file (without exporting) work?

alexosugo commented 3 months ago

@derickl Not both. Either works. Even without exporting.