nmarus / node-ews

A simple JSON wrapper for the Exchange Web Services (EWS) SOAP API.
MIT License

Error: unable to verify the first certificate #15

Closed facundoolano closed 8 years ago

facundoolano commented 8 years ago

I'm having trouble trying to migrate to the latest version of the module (my exchange host worked with the previous one, after patching the node soap module).

Before I was using the exchange host without protocol (i.e. email.facundo.com). If I do that with the new version, I get:

Error: connect ECONNREFUSED 127.0.0.1:80
    at Object.exports._errnoException (util.js:890:11)
    at exports._exceptionWithHostPort (util.js:913:20)
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1061:14)

If I specify the protocol, either http or https, I get this error instead:

Error: unable to verify the first certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1065:38)
    at emitNone (events.js:80:13)
    at TLSSocket.emit (events.js:179:7)
    at TLSSocket._init.ssl.onclienthello.ssl.oncertcb.TLSSocket._finishInit (_tls_wrap.js:593:8)
    at TLSWrap.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:425:38)

I've also tried passing {strictSSL: false, rejectUnauthorized: false} but the result is the same.

facundoolano commented 8 years ago

Also, the certificate error has the following code: UNABLE_TO_VERIFY_LEAF_SIGNATURE.

facundoolano commented 8 years ago

It sounds as if the rejectUnauthorized option is being ignored by the module. After googling a bit, I found I can force it globally by doing process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; (which is obviously pretty ugly).

If I do that, the error changes to Unexpected root element of WSDL or include, as described in #12

nmarus commented 8 years ago

Is the EWS service using basic auth? or NTLM?

facundoolano commented 8 years ago

I thought it used NTLM, but I'm not sure how to check.

If I try to get the wsdl with the browser (/EWS/Services.wsdl) I need to input username and password as in basic auth, not sure if that means the service itself uses basic auth.

facundoolano commented 8 years ago

Just checked with another client, and the service is using NTLM.

BTW, the service worked mostly fine with the previous version of node-ews. I'm trying to migrate to drop the hacks required to avoid the error described in #1.

nmarus commented 8 years ago

A few more questions:

  1. What version of exchange?
  2. If you run with DEBUG=node-soap do you see the following? or other errors?

    node-soap Reading file: /var/folders/kd/n1ltr7gn21qdl_wytn5ds0n40000gn/T/tmp-70597cBe2x3lbvTTx/services.wsdl +0ms
    node-soap Reading file: /var/folders/kd/n1ltr7gn21qdl_wytn5ds0n40000gn/T/tmp-70597cBe2x3lbvTTx/messages.xsd +150ms
    node-soap Reading file: /var/folders/kd/n1ltr7gn21qdl_wytn5ds0n40000gn/T/tmp-70597cBe2x3lbvTTx/types.xsd +101ms
  3. Can you send me a copy of the /EWS/Services.wsdl file? I want to make sure the format of what you are getting for the changes the package makes to this file in order to make it compliant with the SOAP standard. (nmarus@gmail.com) There is no confidential/proprietary info in this file, it is generic to the version of Exchange you are running.

facundoolano commented 8 years ago

  1. I think it's 2010 (not 100% though).
  2. With the REJECT_UNAUTHORIZED patch on, I get Unexpected root element of WSDL or include and the following debug output:

    node-soap Reading file: /var/folders/0z/98m08c09571942jrbvp1x0km0000gn/T/tmp-1347592nuhWqsccoJ/services.wsdl +0ms
    node-soap Reading file: /var/folders/0z/98m08c09571942jrbvp1x0km0000gn/T/tmp-13475lalAUsV9JVTU/services.wsdl +4s

Without the patch, I get Error: unable to verify the first certificate and no debug output at all.

  3. Here's the wsdl: https://gist.github.com/facundoolano/62738c8d091ca9c59faa595128412a59

ervinfetic commented 8 years ago

I have encountered the same issue. First I've added the line below to the source code: process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; This has solved the issue that I had with the SSL connection and certificate. Regarding the "Unexpected root element of WSDL or include" error, I was getting it each time I tried to make a request with wrong Exchange credentials.

Notice: I was trying requests using NTLM auth.

nmarus commented 8 years ago

From what I have been testing so far, this...

Error: unable to verify the first certificate

...seems to happen when using basic auth. This module assumes NTLM. I am working on making the soap auth module a selectable parameter as part of the next patch.

nmarus commented 8 years ago

Please try the 2.2.0-dev branch. This includes the ability to specify basic auth. I have not been able to test it fully, as I currently do not have access to an EWS API that is using basic auth. I'm working on that and should be able to do further testing in the next week or so.

facundoolano commented 8 years ago

@nmarus sorry for the delayed response. I haven't had the time to try the dev branch yet (hope to do it in the next few days).

One thing I wonder, though, is why do you think this has to do with the service using basic auth? The very same EWS instance was working OK with the 1.x version of the module, and I understand that version also supported NTLM only.

besla commented 8 years ago

I get exactly the same error: "unable to verify the first certificate". But when I use the patch, I get "NTLM StatusCode 401: Unauthorized."

nmarus commented 8 years ago

Features for Basic Auth are now in version v3.0.0, as well as notes in the README around the 401 error when using NTLM, as solved in #26.