TLS Root CA not recognized when the file contains two CAs #4096

Closed
@catamphetamine

Yandex LLC (Yandex.Money) has a CA:

subject=/C=RU/O=PS Yandex.Money/CN=Yandex Money Issuing CA
issuer=/C=RU/O=PS Yandex.Money/CN=Yandex Money Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=RU/O=PS Yandex.Money/CN=Yandex Money Root CA
issuer=/C=RU/O=PS Yandex.Money/CN=Yandex Money Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

With this code it throws Error: SELF_SIGNED_CERT_IN_CHAIN

      const fs = require('fs');

      // Excerpt from inside a function: `url`, `PKCSmsg` and `request` are defined elsewhere.
      const certFile = '/home/ops/yandex-kassa-tests/certs/yandex.cer'; // Certificate file
      const keyFile = '/home/ops/yandex-kassa-tests/certs/mieta.key';
      const caFile = '/home/ops/yandex-kassa-tests/certs/ym.pem'; // CA file, passed below as a single Buffer

      const options = {
        // url: url,
        headers: {'Content-Type': 'application/pkcs7-mime'},
        body: PKCSmsg,
        cert: fs.readFileSync(certFile),
        key: fs.readFileSync(keyFile),
        passphrase: 'XXXXXXXXX',
        ca: fs.readFileSync(caFile),
      };

      // process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

      const result = request.postSync(url, options);
      return result.body;

However, when this CA is split into two separate parts and fed into options as an Array then it works:

options.ca = [
`subject=/C=RU/O=PS Yandex.Money/CN=Yandex Money Issuing CA
issuer=/C=RU/O=PS Yandex.Money/CN=Yandex Money Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
`
,
`subject=/C=RU/O=PS Yandex.Money/CN=Yandex Money Root CA
issuer=/C=RU/O=PS Yandex.Money/CN=Yandex Money Root CA
-----BEGIN CERTIFICATE-----
MIID9TCCAt2gAwIBAgIJAJjDBQmynjdSMA0GCSqGSIb3DQEBBQUAMEYxCzAJBgNV
BAYTAlJVMRgwFgYDVQQKEw9QUyBZYW5kZXguTW9uZXkxHTAbBgNVBAMTFFlhbmRl
eCBNb25leSBSb290IENBMB4XDTEzMDExODEzNDIxNloXDTIzMDExNjEzNDIxNlow
RjELMAkGA1UEBhMCUlUxGDAWBgNVBAoTD1BTIFlhbmRleC5Nb25leTEdMBsGA1UE
AxMUWWFuZGV4IE1vbmV5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDDFBsDMxIC5BdNHQ+VxFjF3P6fVzDwF/4W6qCaXSc29PF5msWAqZoU
/irwqaY5Hnzp2/tShQVxac2Gel59r9fN1tiuR1fT1y709vYg2sj/4Bwc/n9HJ3NS
6f5FEEJu62PawhD1XUbbXDAvFeQA5vAHmxKggE2WGRkZZCcoGcaEipvlL2oAE4HV
jW+nSn8RQvkB8hXxMXZKeKNRzHCK52Icelc1Oip0f4jPetbtduXUowAIJdyWwP3y
JKwzjtsSsBic4BWzTA0fifQN3Vxy+YPfF8jw8xkBdgEPTmWbJ83G2Jc98mYEji9b
83YPAn1OgQXn0wYHTyfzO7EhTj7voP5zAgMBAAGjgeUwgeIwHQYDVR0OBBYEFCUM
TTkJAIhus3EnCL6nJyB6oy0QMHYGA1UdIwRvMG2AFCUMTTkJAIhus3EnCL6nJyB6
oy0QoUqkSDBGMQswCQYDVQQGEwJSVTEYMBYGA1UEChMPUFMgWWFuZGV4Lk1vbmV5
MR0wGwYDVQQDExRZYW5kZXggTW9uZXkgUm9vdCBDQYIJAJjDBQmynjdSMAwGA1Ud
EwQFMAMBAf8wLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL2NybHMueWFtb25leS5y
dS95bS5jcmwwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQAJcYTLHZgw
rsm1htBDq2YZxAqIN+dvQU9lY/tuQ/ggCL9JHkSyUbFtk8DsRWgYl9w0Y8f9HKYh
/nF6nYsfhSStIRMdyOMjfLGJp7esIqzyj0Sx88y8tnHSWs/Sls0lJIl4IS7YfHsZ
OZggRg/TGItwOtGcq6q7u19KreueVpfqAHwZygtwqf+Ic419TBpeOc6CuyFcwd2a
C4DhQKui58+sODqucGXkzSOeG97azuTFQ2Hnunv15+Jr/OwHQqKzieUf9+oBq5ZW
iQ3NHYUvgldVGW2fByvlgjG0tw6NrNwJEK0TEevgA8uNXE9FjaoqC/0+vsoQ4DMA
xsN5poPvsYTC
-----END CERTIFICATE-----
`]

Is this some advanced RFC feature Node.js doesn't support?
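
The workaround the issue describes, passing each certificate as its own element of the `ca` array, can be automated by splitting the bundle file at its PEM markers. The following is an added example, not part of the original post or of Node.js; `splitPemBundle` and `SAMPLE_BUNDLE` are hypothetical names and the certificate bodies are constructed placeholders.

```javascript
// Added example, not from the issue or from Node.js. splitPemBundle and
// SAMPLE_BUNDLE are hypothetical names; the base64 bodies are constructed
// placeholders, not real certificates.
const PEM_BLOCK = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;

function splitPemBundle(input) {
  // Accept a Buffer (as returned by fs.readFileSync) or a string; normalise CRLF.
  const text = String(input).replace(/\r\n?/g, '\n');
  const certs = [];
  for (const match of text.matchAll(PEM_BLOCK)) {
    const body = match[1].replace(/\s+/g, '');
    // A stray marker or other junk inside a block shows up as non-base64 text.
    if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(body)) {
      throw new Error(`certificate #${certs.length + 1}: body is not base64`);
    }
    // Re-wrap at 64 columns; text outside the markers (subject=/issuer=) is dropped.
    const wrapped = body.match(/.{1,64}/g).join('\n');
    certs.push(`-----BEGIN CERTIFICATE-----\n${wrapped}\n-----END CERTIFICATE-----\n`);
  }
  // Every BEGIN and END marker must belong to a block that was extracted.
  const begins = (text.match(/-----BEGIN CERTIFICATE-----/g) || []).length;
  const ends = (text.match(/-----END CERTIFICATE-----/g) || []).length;
  if (certs.length === 0 || begins !== certs.length || ends !== certs.length) {
    throw new Error('no certificates found, or unbalanced BEGIN/END markers');
  }
  return certs;
}

// Constructed two-certificate bundle in the same layout as the file in the issue.
const SAMPLE_BUNDLE = [
  'subject=/CN=Example Issuing CA',
  'issuer=/CN=Example Root CA',
  '-----BEGIN CERTIFICATE-----',
  'Q09OU1RSVUNURUQtSVNTVUlORy1DQQ==',
  '-----END CERTIFICATE-----',
  '',
  'subject=/CN=Example Root CA',
  'issuer=/CN=Example Root CA',
  '-----BEGIN CERTIFICATE-----',
  'Q09OU1RSVUNURUQtUk9PVC1DQQ==',
  '-----END CERTIFICATE-----',
  '',
].join('\r\n');

// With the issue's file: options.ca = splitPemBundle(fs.readFileSync(caFile));
console.log(splitPemBundle(SAMPLE_BUNDLE).length, 'certificates');
```

The function throws on a truncated or malformed bundle instead of returning a partial trust list, so a damaged CA file fails at load time.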

Labels: tls (Issues and PRs related to the tls subsystem.)
