
I'm using the following code:

const http2 = require('http2');

// connect to the APNs sandbox with the certificate-based (mTLS) credentials
const client = http2.connect('https://api.sandbox.push.apple.com', {
    key: apnCertDev,
    cert: apnCertDev,  // <- this certificate causes the problem
    passphrase: "password",
});

With NodeJS version < 10 it works fine, but in later versions I get this:

Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

Apparently this is because the certificate is using SHA1, which the newer versions of OpenSSL (available in NodeJS > 10) consider insecure. This certificate however is generated by Apple and I have no control over it.

Is there any other way to fix this, besides downgrading NodeJS?

Thanks!

LachoTomov
  • Does this answer your question? [nodejs - error self signed certificate in certificate chain](https://stackoverflow.com/questions/45088006/nodejs-error-self-signed-certificate-in-certificate-chain) This should get rid of all SSL errors in node. But be sure not to apply this in a production environment ... – derpirscher Sep 16 '20 at 16:50
  • (sorry, misread - it's the trusted GeoTrust Global root CA that has the SHA-1 certificate, not the certificate returned from the server) – Rup Sep 16 '20 at 16:55
  • @derpirscher no, I still get the error. – LachoTomov Sep 16 '20 at 16:56
  • *"This certificate however is generated by Apple and I have no control over it."* - what kind of certificate should this be, and how and when was it created? I doubt that Apple still creates TLS client certificates with a weak signature algorithm. – Steffen Ullrich Sep 16 '20 at 17:26
  • @SteffenUllrich it's the certificate used for sending Apple Push Notifications (APN). It gets created and downloaded at developer.apple.com . I just created a new one, but it's still using SHA1 2048 bits. – LachoTomov Sep 16 '20 at 17:35
  • I'm quite baffled Apple would issue such weak certificates ... If nothing else helps, you could switch to token authentication. Which also has the advantage that the private key does not expire, i.e. you don't have to regenerate your certificates once a year. – derpirscher Sep 16 '20 at 20:29
  • @derpirscher yeah I was thinking about this, but couldn't figure out from the documentation if either of the approaches is the recommended one... Do you know if there are any drawbacks to using token auth? – LachoTomov Sep 16 '20 at 20:37
  • I'm not sure if it's officially recommended somewhere, but have a look at this question https://stackoverflow.com/q/45081506/3776927 – derpirscher Sep 16 '20 at 20:46
  • @derpirscher great, token seems to be the way to go, thanks! If you want, post it as an answer and I'll accept it. – LachoTomov Sep 16 '20 at 20:51
  • Well, technically it's not really an answer to the question ... :) – derpirscher Sep 16 '20 at 20:53
  • @derpirscher yeah I know... :) but I'm almost sure there isn't a "proper" way to solve the problem in the question - it's either downgrade or beg Apple to upgrade the certificates... So I'm willing to accept other solutions :) I'll be moving to the token approach as even the renewal argument alone will be enough for me. Anyways thanks for the help! – LachoTomov Sep 16 '20 at 20:57
