
I'm fighting with Axios and some destination server which presents a certificate issued by AddTrust External CA, which expired last year in May. Running openssl s_client prints me the following chain:

CONNECTED(00000005)
depth=1 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
depth=1 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
---
Certificate chain
 0 s:/CN=<ACTUAL-CERTIFICATE-CN>
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
[...]

I removed the expired CA from my truststore and added

  • Sectigo RSA Domain Validation Secure Server CA and
  • USERTrust RSA Certification Authority

but I'm still ending up with UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

Other connections to trusted destinations are working fine with mTLS.

As I don't want to end up using rejectUnauthorized = false, is there any way to make this work properly?

My SSL configuration was done like this:

const https = require('https');
const fs = require('fs');
// Trust anchors for the remote side plus the client certificate/key used for mTLS
https.globalAgent.options.ca = fs.readFileSync('ca.crt');
https.globalAgent.options.cert = fs.readFileSync('public.crt');
https.globalAgent.options.key = fs.readFileSync('private.pem');

Any help is appreciated.

tpschmidt
  • Have you ever tried this by referring to this article? [how-to-configure-axios-ssl](https://stackoverflow.com/questions/51363855/how-to-configure-axios-to-use-ssl-certificate) – myeongkil kim Jan 07 '21 at 16:39
  • Yes that's what I have done :-) my other connections are working, I think the issue here is the expired CA. – tpschmidt Jan 07 '21 at 16:45
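
The s_client output above shows the structure that makes this situation confusing: the chain reaches "USERTrust RSA Certification Authority" as a certificate issued by the AddTrust root, while a trust store normally holds that same CA name as a self-signed certificate. The two copies share a subject name and a key, but OpenSSL's default verifier (which Node's TLS uses) only treats the self-signed copy as a trust anchor; a cross-signed copy placed in a ca file still needs its own issuer to be found, and when the last certificate OpenSSL can build to has no issuer in the local store the result is the "unable to get (local) issuer certificate" family of errors. The following script is an added example, not code from the question or from any of the projects named in it. It builds a throwaway PKI with the same shape (an old root, a newer root that exists both self-signed and cross-signed by the old root, an intermediate, a leaf) and runs openssl verify against different trust bundles, then lists what a bundle actually contains. All names in it (Legacy Root, Modern Root, Issuing CA, service.example) are invented; it needs only a working openssl binary (1.1.x or 3.x).

```shell
#!/bin/sh
# Added example (not from the original question): reproduce a root that exists
# both self-signed and cross-signed by an older root, then see which trust
# bundle contents let OpenSSL build a chain. All names are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Fresh RSA key; progress output is silenced, only the file matters.
new_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }
# CSR for a key with the given CN (no prompts, works without a config file).
new_csr() { openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null; }

build_pki() {
    # v3 extensions: current OpenSSL rejects CA certificates lacking CA:TRUE.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:service.example\n' > "$WORK/leaf.ext"

    # Legacy Root: the old anchor (plays the part of the retired external root).
    new_key "$WORK/legacy.key"; new_csr "$WORK/legacy.key" "Legacy Root" "$WORK/legacy.csr"
    openssl x509 -req -in "$WORK/legacy.csr" -signkey "$WORK/legacy.key" -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/legacy.crt" 2>/dev/null

    # Modern Root: ONE key, TWO certificates with the same subject name:
    #   modern-self.crt  = self-signed (a real trust anchor)
    #   modern-cross.crt = same key, issued by Legacy Root (a bridge, not an anchor)
    new_key "$WORK/modern.key"; new_csr "$WORK/modern.key" "Modern Root" "$WORK/modern.csr"
    openssl x509 -req -in "$WORK/modern.csr" -signkey "$WORK/modern.key" -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/modern-self.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/modern.csr" -CA "$WORK/legacy.crt" -CAkey "$WORK/legacy.key" \
        -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/modern-cross.crt" 2>/dev/null

    # Issuing CA (the intermediate a server would send) and the server leaf.
    new_key "$WORK/issuing.key"; new_csr "$WORK/issuing.key" "Issuing CA" "$WORK/issuing.csr"
    openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/modern-self.crt" -CAkey "$WORK/modern.key" \
        -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/issuing.crt" 2>/dev/null
    new_key "$WORK/leaf.key"; new_csr "$WORK/leaf.key" "service.example" "$WORK/leaf.csr"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/issuing.crt" -CAkey "$WORK/issuing.key" \
        -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# verify_with TRUST_BUNDLE [UNTRUSTED_CERT...]
# Verifies leaf.crt the way a TLS client does: the UNTRUSTED_CERT files stand in
# for the chain the server sends, TRUST_BUNDLE for the client's ca option.
# Prints "OK" or the reason OpenSSL gives for not finding an issuer.
verify_with() {
    trust=$1; shift
    untrusted_args=""
    for u in "$@"; do untrusted_args="$untrusted_args -untrusted $u"; done
    # shellcheck disable=SC2086  # word splitting of untrusted_args is intended
    if out=$(openssl verify -CAfile "$trust" $untrusted_args "$WORK/leaf.crt" 2>&1); then
        echo OK
    else
        printf '%s\n' "$out" | sed -n 's/.*\(unable to get[a-z ]*\).*/\1/p' | head -n 1
    fi
}

# describe_bundle FILE
# One line per certificate in a PEM bundle: subject, issuer, expiry and whether
# it is self-signed. Only self-signed entries are anchors for OpenSSL's default
# verification; any other entry still needs ITS issuer to be found somewhere.
describe_bundle() {
    rm -f "$WORK"/split.*.pem
    awk -v p="$WORK/split" '/-----BEGIN CERTIFICATE-----/ {n++; f = p "." n ".pem"} n > 0 {print > (f)}' "$1"
    for c in "$WORK"/split.*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject); subj=${subj#subject=}
        iss=$(openssl x509 -in "$c" -noout -issuer);   iss=${iss#issuer=}
        exp=$(openssl x509 -in "$c" -noout -enddate);  exp=${exp#notAfter=}
        if [ "$subj" = "$iss" ]; then kind="self-signed"; else kind="NOT self-signed"; fi
        printf '%s | issued by: %s | notAfter: %s | %s\n' "$subj" "$iss" "$exp" "$kind"
    done
}

main() {
    build_pki
    echo "Same CA name, different trust store contents, different results:"
    printf '  self-signed Modern Root trusted:            %s\n' "$(verify_with "$WORK/modern-self.crt" "$WORK/issuing.crt")"
    printf '  cross-signed copy of Modern Root trusted:   %s\n' "$(verify_with "$WORK/modern-cross.crt" "$WORK/issuing.crt")"
    printf '  only Legacy Root trusted, bridge not sent:  %s\n' "$(verify_with "$WORK/legacy.crt" "$WORK/issuing.crt")"
    printf '  only Legacy Root trusted, bridge sent:      %s\n' "$(verify_with "$WORK/legacy.crt" "$WORK/issuing.crt" "$WORK/modern-cross.crt")"
    echo
    echo "Contents of a ca file holding both copies of Modern Root:"
    cat "$WORK/modern-self.crt" "$WORK/modern-cross.crt" > "$WORK/mixed.pem"
    describe_bundle "$WORK/mixed.pem"
}
main
```

The fourth case is the path that worked while the old root was still valid: the client trusted only the legacy root and the server supplied the cross-signed bridge. Once that bridge's issuer is gone from the store (or expired), only the first case keeps working, which is why describe_bundle is worth running on the real ca file: it shows at a glance whether the entry for a CA is the self-signed anchor or a cross-signed copy that still depends on an issuer that is no longer trusted.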

0 Answers