8

Since yesterday 5:30 PM (Paris time), I get an UNABLE_TO_GET_ISSUER_CERT_LOCALLY error when trying to list my accounts. I'm using the Node.js library, and it had been working fine for several months.

The exact error from client.getAccounts is:

{ Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1142:34)
    at TLSSocket.emit (events.js:188:13)
    at TLSSocket._finishInit (_tls_wrap.js:631:8) code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' }

Edit: I've just tried the same calls with the Python API, and it's working fine. So I feel like there is an issue currently with the Coinbase NodeJS API.

  • check this out: https://stackoverflow.com/questions/24372942/ssl-error-unable-to-get-local-issuer-certificate – Sandeep Patel Mar 18 '20 at 08:32
  • Thanks @SandeepPatel, but it sounds to me like the issue is on Coinbase's side. Who is managing the certificate? – JULIEN RZEZNIK Mar 18 '20 at 09:01
  • As per my edit, I've switched to the Python library, and it's working fine. I believe there is a certificate issue in the Node.js library of Coinbase – JULIEN RZEZNIK Mar 18 '20 at 09:16
  • 1
    I'm experiencing the same issue using the NodeJS library. Has anyone managed to resolve this? – user2249567 Mar 18 '20 at 11:46
  • @user2249567 This is an issue on Coinbase's side ... so there is really nothing you can do until they fix the issue ... except switch language (Python API is working) – JULIEN RZEZNIK Mar 18 '20 at 12:30
  • I've had a look at the certificates stored by both client libraries and I don't see any differences. – user2249567 Mar 18 '20 at 14:24
  • Unhelpfully, it looks like the client libraries themselves are deprecated even though Coinbase classifies them as official libraries. I'll open a support ticket and see what they say – user2249567 Mar 18 '20 at 14:25

2 Answers

17

According to Coinbase they updated their certificates at 10.30am PST yesterday. The node client has strictSSL set to true so requests will fail as the certificate chain fails.

Fix: when you initiate the client you can either set strictSSL to false or pass in the new valid certificates.

Set strictSSL to false:

var Client = require('coinbase').Client;
var client = new Client({
   apiKey: mykey, 
   apiSecret: mysecret,
   strictSSL: false
});

Update the cert files (you should be able to export them here - https://baltimore-cybertrust-root.chain-demos.digicert.com/ or try coinbase.com and export there):

var Client = require('coinbase').Client;
var client = new Client({
   apiKey: mykey, 
   apiSecret: mysecret,
   caFile: myNewCertFile
});

myNewCertFile should follow this file's format with the updated certs: https://github.com/coinbase/coinbase-node/blob/master/lib/CoinbaseCertStore.js

user2249567
  • 1
    If I add a new cert file, it's not accepted and the problem remains the same. Where can I get the SSL cert file of Coinbase? Is this certificate issued by Coinbase? – Leninkumar Apr 01 '20 at 11:11
  • What are the security risks (if any) associated with setting `strictSSL` to `false`? How do you "export" the new SSL certificates? – ma11hew28 Jun 29 '20 at 16:05
  • 2
    To update the certificate file, run from your project's root directory the command: `curl https://raw.githubusercontent.com/pajicf/coinbase-node/master/lib/CoinbaseCertStore.js > node_modules/coinbase/lib/CoinbaseCertStore.js`. That command replaces `node_modules/coinbase/lib/CoinbaseCertStore.js` with [this file](https://github.com/pajicf/coinbase-node/blob/master/lib/CoinbaseCertStore.js). You may then delete from that file the old certificates (all but the last one) and the unnecessary trailing commas. I don't know where [Filip Pajic](https://github.com/pajicf) got the new certificate from. – ma11hew28 Jun 29 '20 at 17:19
2

"What are the security risks (if any) associated with setting strictSSL to false? How do you "export" the new SSL certificates?"

The connection is encrypted, and TLS prevents tampering, BUT with strictSSL set to false it's theoretically possible to do a MITM (Man In The Middle) attack: since the SSL certificate is not fully checked to make sure it's authentic, some hoser (the man in the middle) could use a fake certificate. I'd switch it to get going, but get new certificates going as soon as possible.

tuomastik
hwertz