1

Long story/short: I'm on an internal network, with a REST service we created that runs on a server with some sort of self-signed certificate. I'm writing code for the front end of the application on another server.

I hit this with my JavaScript typeahead function. The REST call that answers the typeahead is failing with a security warning SEC_ERROR_UNKNOWN_ISSUER. I understand why, it's because the client can't find the cert in its root store.

Other than to get the REST server to install a corporate/verified certificate, is there any other way around this? Is there some way to get my JavaScript application to say "hey I don't care if whatever I'm talking to is unknown" (?)

Before anyone yells at me, this is all on a hardened internal network with zero access to or from the big bad internet. Thanks...

C C
  • [You could add the self-signed certs to your browser](http://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate). – kennytm Feb 21 '17 at 13:38
  • Right, but every user of my application will have to do that. It seems a little awkward. – C C Feb 21 '17 at 13:39
  • Do you control all systems in that internal network? Maybe you could try http://serverfault.com/questions/12323/how-do-i-deploy-an-internal-certificate-authority (perhaps you should specify the front end platform). – kennytm Feb 21 '17 at 13:44
  • Thanks...I'm using jQuery/AJAX so I think I need to go down a path of setting `rejectUnauthorized: false` (if possible), in the AJAX call...I'm looking into it now... – C C Feb 21 '17 at 13:45
  • No I mean what is the target browser (Chrome / Firefox / Edge / Safari / ??) and OS (Win10 / Win7 / macOS / Ubuntu / ??) – kennytm Feb 21 '17 at 13:48
  • Yes, all of those ;-) – C C Feb 21 '17 at 13:48

1 Answer

0

Alright... I think I'm finding out the answer is 'no way, no how'. In the AJAX call diagnostics, it clearly shows the header `Access-Control-Request-Headers` as set to "rejectunauthorized" - and from what I'm reading there is no way for an application to override that, due to basic security precepts.

C C
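Why the diagnostics in the answer above show "rejectunauthorized" in `Access-Control-Request-Headers`, as an added example that is not part of the original post: `rejectUnauthorized` is a Node.js TLS client option, so a browser treats it as just another custom header name and lists it in the CORS preflight. The sketch assumes the option was passed in the AJAX call's header map, uses hypothetical function names, and models only a simplified subset of the Fetch standard's safelist rules.

```javascript
// Simplified model of how a browser derives Access-Control-Request-Headers.
// Constructed for illustration; not code from jQuery or from any browser.

const SAFELISTED_NAMES = new Set(["accept", "accept-language", "content-language"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True when a header may be sent cross-origin without a preflight
// (value length and byte restrictions from the standard are omitted here).
function isCorsSafelisted(name, value) {
  const n = name.toLowerCase();
  if (SAFELISTED_NAMES.has(n)) return true;
  if (n === "content-type") {
    const mime = String(value).split(";")[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(mime);
  }
  return false;
}

// Returns the Access-Control-Request-Headers value for a header map,
// or null when the headers alone would not trigger a preflight.
function preflightRequestHeaders(headers) {
  const unsafe = Object.entries(headers)
    .filter(([name, value]) => !isCorsSafelisted(name, value))
    .map(([name]) => name.toLowerCase())
    .sort();
  return unsafe.length ? [...new Set(unsafe)].join(",") : null;
}

// Constructed request: the Node.js TLS option placed in a browser header map.
const attempted = { Accept: "application/json", rejectUnauthorized: false };

// The option name is lowercased and announced to the server as a header;
// it never reaches the browser's certificate validation.
console.log(preflightRequestHeaders(attempted));
```

The certificate decision stays with the client's trust store, which is why the comments point to adding the certificate or deploying an internal certificate authority.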