Azure Blob Storage : unable to verify the first certificate

Question

I have created a new azure storage account. Inside which i have a blob container, the access type of which is set to 'private'. Following is my nodejs code through which i try to create a container.

var azure = require('azure-storage');              
            var accountName = "xxxxxxxxxx";
            var accessKey = "veryLongAccessKey";
            var host = "https://abc.blob.core.windows.net";
            var blobSvc = azure.createBlobService(accountName, accessKey, host);

            blobSvc.createContainerIfNotExists('myblobContainer', function(error, result, response) {
                console.log("error");
                console.log(error);
                console.log("result");
                console.log(result);
                console.log("response");
                console.log(response);
            });

When i execute this code i get following error.

{ Error: unable to verify the first certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1062:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:586:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38) code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }

what am I missing?

I tried your code with one of my storage accounts but unable to reproduce the error. Can you share some more details? Like what version of Node SDK are you using? Is there a proxy/firewall in picture? Did you customize your node setting? — Gaurav Mantri, Dec 11 '16 at 12:56
node 6.9.1. There is no firewall. I did nothing special node setting. Did the above code create a blob container? — MARKAND Bhatt, Dec 11 '16 at 16:12
If you use http, the response can be intercepted by any third-party in the middle. I strongly urge you to fix the certificate problem, and use HTTPS. — juunas, Dec 13 '16 at 10:57

score 2 · Answer 1 · edited May 23 '17 at 11:53

openssl s_client -connect {StorageAccount}.blob.core.windows.net:443 \
                 -servername {StorageAccount}.blob.core.windows.net

says:

Certificate chain

 0 s:/CN=*.blob.core.windows.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation
     /OU=Microsoft IT/CN=Microsoft IT SSL SHA2

 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation
     /OU=Microsoft IT/CN=Microsoft IT SSL SHA2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

You're probably missing the Baltimore Root CA.

Probable causes:

The certificate is missing from your Node's CA bundle and chain verify fails. Not familiar with how Node handles its CA bundle, but it's worth doing the research
There's something nosing into your TLS (Fiddler or some other man-in-the-middle TLS inspector)

A workaround using ssl-root-cas can be found here (if you're unable to track the root cause).

score 0 · Answer 2 · answered Apr 30 '20 at 17:13

I got some issue around SSL verification when trying to connect to Azure Storage blob from my company's network (fire-walled and proxied) and tried turning off the SSL verification and it worked.

const myRequest = require('request').defaults({strictSSL: false})

Don't forget to re-enable this again at the end. While this works temporarily, it is a workaround/dirty fix and not a solution.

Azure Blob Storage : unable to verify the first certificate

2 Answers2

Linked