search

vshymanskyy / blynk-library-js

Blynk library for JS. Works with Browsers, Node.js, Espruino.
https://blynk.io/
MIT License
215 stars 67 forks source link

'SSL not authorized' when using Let's Encrypt #45

Open guymcswain opened 6 years ago

guymcswain commented 6 years ago

In blynk-nodejs, SslClient() the default options.certs_path points to server.crt in library and therefore options.ca maps to server.crt used for blynk-cloud.com. To enable SSL authorization via Mozilla CA, the options.ca must be null. I've tried options.certs_path pointing to a empty server.crt file but this returns options.ca === [ <Buffer > ], an empty buffer which evaluates to 'true'.

I have temporarily hard coded opts.ca = null to prevent overriding the Let's Encrypt authorization.

guymcswain commented 6 years ago

A bit more description of the problem along with a work-around:

Connect to blynk-cloud.com server:

const Auth = myAuthCodeString;
var options = {};  // no options needed to get default cert_path and server.crt
var blynk = new Blynk.Blynk(Auth, options);

In blynk-cloud.com case, blynk-nodejs.js module's internal variables are as follows:

self.ca:  [ '/path/to/blynk-library-js/certs/server.crt' ]
opts:  {
  "host": "blynk-cloud.com",
  "port": 8441,
  "servername": "blynk-cloud.com",
  "rejectUnauthorized": false,
  "family": 4,
  "ca": [
    {
      "type": "Buffer",
      "data": [
        45,
        45,
        …, // remaining cert bytes
        45,
        10
      ]
    }
  ]

Because the Blynk object calls tls.connect(opts, function() {…}, the opts.ca variable overrides the trusted CA certificates. (Incidentally, using self signed certificate for blynk-cloud.com seems less secure than it ought to be but that's another discussion.)

So, in the case of a blynk server running in your own domain using Let's Encrypt certificates there is no way to force Blynk object to call tls.connect() with opts.ca === null. In other words, there is no way to override the default CA override!

I have forked the library and have a workaround that modifies blynk-nodejs.js module as follows:

if (self.ca)   {
       if (Buffer.isBuffer(options.ca)) {
         opts.ca = options.ca;
       } else {
         opts.ca = self.ca.map(function(item){ 
          return fs.readFileSync(item); 
        }); 
+       if (opts.ca[0].toString() === '') opts.ca = null;   // added this line
      } 
    }

To use the workaround you have to set options.certs_path = '/path/to/null/server.crt/file' and place an empty file named 'server.crt' at that location. It's not pretty but it works.

pY4x3g commented 5 years ago

Why is this issue not addressed in over a year? I have my own server and want to use SSL with lets encrypt certificates...

QuadeHale commented 4 years ago

I am having this same issue, and I finally came across this. Thank you so much @guymcswain for the fix. The app was able to connect, non-SSL was able to connect, everything else works just fine. The only thing that would not work was SSL from an RPi with this library.

That one line, along with adding the certs_path key (to /home/pi in my case) and "touch ~/server.crt" worked instantly. This should be fixed by now - it's been almost 18 months, and it's been difficult to find the answer to this problem.

For potential finding by google scrapers: SSL not authorized when using Let's Encrypt on Blynk local server with blynk-library.js for nodejs