2

I'm using Axios to post to a remote API. Although it has worked great for several years, the requests have suddenly started throwing an error "certificate has expired" - despite the fact that the certificate has not expired. The API's domain has a working Let's Encrypt cert which isn't up for its next auto-renewal for another 2 months. In addition, if I run the exact same code on a different OS, it works (I'm on Linux; if I reboot the same dual-boot machine to Windows, the same node script successfully completes all of its Axios calls).

Why might Axios have suddenly started reporting an expired certificate, when the certificate is not expired?

(Note: I'm aware that I can force Axios not to check the cert at all, but that is not the desired solution - I'd like to understand why it's failing and rectify it).

Yun
J23
  • Does DNS resolve to the same IP for both Linux and Windows? – msbit Oct 01 '21 at 05:10
  • Yup, same IP. I can also visit the api in a web browser from both OSs, and it shows the valid cert from both. – J23 Oct 02 '21 at 05:18
  • Try this https://stackoverflow.com/questions/69414479/giving-axios-letsencrypts-new-root-certificate-on-old-version-of-node – borkson May 13 '22 at 08:57

2 Answers

2

The DST root formerly used and by default still bridged by LetsEncrypt just expired.

(note edits 10/05)

nodejs should successfully connect to a server using a LetsEncrypt cert with the 'compatibility' chain (i.e. still using the bridge to DST, even though it's expired, for old Android) IF

  1. it has the ISRG root cert in its truststore aka root list. By default nodejs uses a compiled-in root list and v8.0.0 up contains the ISRG root. However application code like axios can replace or extend the compiled-in list, in which case it's the version/contents used by the application that matter.

  2. AND nodejs uses OpenSSL 1.1.0 up (my previous belief that 1.1.1 was needed proved wrong on more thorough testing) OR the DST root is removed from the truststore (you can't remove it from the compiled-in list, but if you use a replacement list, you can omit/remove it from that).

    On Linux, at least a Linux distro with a package manager, nodejs is probably built to use the system-supplied OpenSSL; check what the package manager shows for dependencies, or whether ldd $(which node) lists some version of libssl and libcrypto (noting that different systems/packagers sometimes use version numbers for these library files that are related to, but NOT the same as, the OpenSSL version they contain!).

    On Windows, OpenSSL is usually not installed, and when it is, not necessarily in a fixed place, so nodejs is normally built to use its own (static-linked) OpenSSL. In this case the version of nodejs must be new enough, and I don't know what the mapping is, but it appears yours is sufficient.

dave_thompson_085
  • Also see: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ – Matt Caswell Oct 01 '21 at 08:50
  • Thanks, I probably never would've found that on my own! The ldd command does not list either libssl or libcrypto, so I assume that means node is using its own bundled openssl, not the system version (which is 1.1.1). Note that the node application is actually being run with node 8.17.0 via npm "n" package (and unfortunately cannot be run with any newer version of node, due to a dependency that's been abandoned, & would be an immense undertaking to replace). So I guess my search continues, and I either need to figure out if it's possible to make Node just use the system version of openssl... – J23 Oct 02 '21 at 05:48
  • ...or figure out how to make Axios "override or extend the builtin list with one that includes ISRG"... – J23 Oct 02 '21 at 05:50
  • I s'pose this answers the question, so I'll accept it & write a more specific, Axios-targeted one for how to give it the appropriate cert. Thanks again for the pointers! – J23 Oct 02 '21 at 05:57
  • Hopefully this will lead me to a solution :) https://stackoverflow.com/questions/69414479/giving-axios-letsencrypts-new-root-certificate-on-old-version-of-node – J23 Oct 02 '21 at 06:15
1

The problem for me was that I was using an old Node version by accident; switching to the latest released version fixed the issue.

gvdp