
I have created a new Azure storage account. Inside it I have a blob container, the access type of which is set to 'private'. The following is my Node.js code, through which I try to create a container.

    var azure = require('azure-storage');
    var accountName = "xxxxxxxxxx";
    var accessKey = "veryLongAccessKey";
    var host = "https://abc.blob.core.windows.net";
    var blobSvc = azure.createBlobService(accountName, accessKey, host);

    blobSvc.createContainerIfNotExists('myblobContainer', function(error, result, response) {
        console.log("error");
        console.log(error);
        console.log("result");
        console.log(result);
        console.log("response");
        console.log(response);
    });

When I execute this code I get the following error.

{ Error: unable to verify the first certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1062:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:586:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38) code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }

[Image: Azure storage account properties]

What am I missing?

MARKAND Bhatt
  • I tried your code with one of my storage accounts but was unable to reproduce the error. Can you share some more details? Like what version of the Node SDK are you using? Is there a proxy/firewall in the picture? Did you customize your Node settings? – Gaurav Mantri Dec 11 '16 at 12:56
  • Node 6.9.1. There is no firewall. I did nothing special with the Node settings. Did the above code create a blob container? – MARKAND Bhatt Dec 11 '16 at 16:12
  • The problem was httpS in the hostname. I put http. – MARKAND Bhatt Dec 12 '16 at 16:01
  • If you use http, the response can be intercepted by any third party in the middle. I strongly urge you to fix the certificate problem, and use HTTPS. – juunas Dec 13 '16 at 10:57

2 Answers

openssl s_client -connect {StorageAccount}.blob.core.windows.net:443 \
                 -servername {StorageAccount}.blob.core.windows.net

says:

Certificate chain

 0 s:/CN=*.blob.core.windows.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation
     /OU=Microsoft IT/CN=Microsoft IT SSL SHA2

 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation
     /OU=Microsoft IT/CN=Microsoft IT SSL SHA2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

You're probably missing the Baltimore Root CA.

Probable causes:

  • The certificate is missing from your Node's CA bundle and chain verification fails. Not familiar with how Node handles its CA bundle, but it's worth doing the research.

  • There's something nosing into your TLS (Fiddler or some other man-in-the-middle TLS inspector)

A workaround using ssl-root-cas can be found here (if you're unable to track the root cause).

evilSnobu
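
The chain check that the answer above does by eye, as an added example (not code from the answer): it parses the `Certificate chain` section of `openssl s_client` output, confirms each certificate is issued by the next one, and names the root that the local CA bundle must contain. The function names and the expected-root parameter are assumptions of this example.

```javascript
// Chain text from the answer above (old-style openssl output, wrapped names included).
const SAMPLE = `Certificate chain
 0 s:/CN=*.blob.core.windows.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation
     /OU=Microsoft IT/CN=Microsoft IT SSL SHA2
 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation
     /OU=Microsoft IT/CN=Microsoft IT SSL SHA2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root`;

// Parse the chain into [{ depth, subject, issuer }], re-joining wrapped names.
function parseChain(text) {
  const certs = [];
  let field = null; // which name a wrapped line continues: 'subject' or 'issuer'
  for (const line of text.split(/\r?\n/).map((l) => l.trim())) {
    const last = certs[certs.length - 1];
    let m;
    if ((m = /^(\d+) s:(.*)$/.exec(line))) {
      certs.push({ depth: Number(m[1]), subject: m[2].trim(), issuer: '' });
      field = 'subject';
    } else if (last && (m = /^i:(.*)$/.exec(line))) {
      last.issuer = m[1].trim();
      field = 'issuer';
    } else if (last && field && line.startsWith('/')) {
      last[field] += line;
    } else {
      field = null; // any other line ends a wrapped name
    }
  }
  return certs;
}

// CN from either "/C=US/CN=x" or "C = US, CN = x" style names.
const commonName = (dn) => (/CN\s*=\s*([^\/,]+)/.exec(dn) || [])[1] || null;

// Report broken issuer links and the root CA the local bundle must contain.
function analyzeChain(certs, expectedRootCN) {
  const problems = [];
  certs.slice(0, -1).forEach((c, i) => {
    if (c.issuer !== certs[i + 1].subject) problems.push(`cert ${i} is not issued by cert ${i + 1}`);
  });
  const top = certs[certs.length - 1];
  const requiredRoot = top ? commonName(top.issuer) : null;
  if (expectedRootCN && requiredRoot !== expectedRootCN) {
    problems.push(`chain ends at "${requiredRoot}", expected "${expectedRootCN}"`);
  }
  return { requiredRoot, problems };
}

console.log(analyzeChain(parseChain(SAMPLE), 'Baltimore CyberTrust Root'));
```

A chain that ends at an issuer other than the expected root, when captured from the affected machine, points to the second probable cause in the answer (a TLS inspector re-signing the connection) rather than a missing root.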

I got some issues around SSL verification when trying to connect to Azure Storage blob from my company's network (firewalled and proxied), and I tried turning off the SSL verification and it worked.

const myRequest = require('request').defaults({strictSSL: false})

Don't forget to re-enable this again at the end. While this works temporarily, it is a workaround/dirty fix and not a solution.

Madaditya