browserType.connect: unable to verify the first certificate #383

MohamedBenighil opened this issue Jun 1, 2023 · 7 comments

@MohamedBenighil

MohamedBenighil commented Jun 1, 2023

Hello,

Part 1: Moon

I deployed the moon2 Helm chart on my Kubernetes cluster with HTTPS access, where I used Nginx Ingress Controller. The GUI of moon2 is accessible.

I managed the TLS certificates at the Nginx Ingress Controller level, i.e. I used --default-ssl-certificate=default/cert-secret

The Helm values.yml I used looks like this (just the part I am interested in):

```yaml
customIngress:
  enabled: true
  ingressClassName: nginx
  host: efr-moon-p.aks-qa-fr.mydomain.net
```

Part 2: Test

I used the following program to make a simple test:

```js
'use strict';

function wait(ms){
    var start = new Date().getTime();
    var end = start;
    while(end < start + ms) {
      end = new Date().getTime();
   }
 }


const { firefox } = require('playwright');


const host = 'efr-moon-p.aks-qa-fr.mydomain.net';




(async () => {

    const browser = await firefox.connect({ timeout: 0, wsEndpoint: `wss://${host}/playwright/firefox/playwright-1.19.2?headless=false&enableVideo=true&videoName=mytestvideo.mp4` });
    const page = await browser.newPage();
    await page.goto('https://aerokube.com/moon/');

    //wait(30000);

    await page.screenshot({ path: `screenshot.png` });
    await browser.close();
})();
```

But I got the following error:

```
> [email protected] test
> node index.js

node:internal/process/promises:288
            triggerUncaughtException(err, true /* fromPromise */);
            ^

browserType.connect: unable to verify the first certificate
    at C:\Users\mbenighil\OneDrive - MYDOMAIN\Bureau\git\moon-cloud-playwright-example\index.js:20:35
    at Object.<anonymous> (C:\Users\mbenighil\OneDrive - MYDOMAIN\Bureau\git\moon-cloud-playwright-example\index.js:28:3) {
  name: 'Error'
}

Node.js v18.16.0
```

Any help, please?

@vania-pooh
Member

@MohamedBenighil you need to make sure that the CA certificate used to issue the Moon TLS certificate is trusted in Node.js settings. https://stackoverflow.com/questions/29283040/how-to-add-custom-certificate-authority-ca-to-nodejs

@MohamedBenighil
Author

MohamedBenighil commented Jun 1, 2023

@vania-pooh please notice I have just tls.crt & tls.key in my secret file ( --default-ssl-certificate=default/cert-secret ). And I DON'T have a CA certificate.

```yaml
apiVersion: v1
data:
  tls.crt: QmF......K               # <== HERE
  tls.key: LS0tLS.....S0tLS0tCg==   # <== AND HERE (tls.crt & tls.key are all I have)
kind: Secret
metadata:
  creationTimestamp: "2023-05-15T13:33:13Z"
  name: cert-secret
  namespace: default
  resourceVersion: "25502736"
  uid: 10295bd4-a764-4407-a204-d8caae8129df
type: kubernetes.io/tls
```

@vania-pooh
Member

@MohamedBenighil usually the certification authority is provided by the organization or person who actually generated these two files. E.g. this could be the CA certificates of Let's Encrypt or another TLS certification provider.

@MohamedBenighil
Author

MohamedBenighil commented Jun 5, 2023

@vania-pooh I used NODE_EXTRA_CA_CERTS=ca/ca-pfx.pem npm test and the error changed.

Now I got:

```
> [email protected] test
> node index.js

node:internal/process/promises:288
            triggerUncaughtException(err, true /* fromPromise */);
            ^

browserType.connect: unable to get issuer certificate
    at C:\Users\mbenighil\OneDrive - MYDOMAIN\Bureau\git\moon-cloud-playwright-example\index.js:22:35
    at Object.<anonymous> (C:\Users\mbenighil\OneDrive - MYDOMAIN\Bureau\git\moon-cloud-playwright-example\index.js:28:3) {
  name: 'Error'
}

Node.js v18.16.0
```

Any help, please?
PS: Moon is running on AKS.

@vania-pooh
Member

@MohamedBenighil this is still related to the TLS CA config of NPM. Probably you are providing an intermediary CA and not the root CA.

@MohamedBenighil
Author

MohamedBenighil commented Jun 5, 2023

@vania-pooh how can I get the root CA?

I created tls.key and tls.crt using the following commands:

```shell
# private key
openssl pkcs12 -in aks-qa-fr.COMPANY.net_2022.pfx -nocerts -out key-file.key

# decrypt
openssl rsa -in key-file.key -out tls.key

# get crt
openssl pkcs12 -in aks-qa-fr.COMPANY.net_2022.pfx -clcerts -nokeys -out tls.crt

# create kubernetes secret
kubectl create secret tls cert-secret --cert tls.crt --key tls.key # <== The secret is used at Nginx Ingress Controller as I said before
```

Notice my input entry is: aks-qa-fr.COMPANY.net_2022.pfx
I would like to know what I am missing, please?
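
The effect of the `-clcerts` extraction above, as an added example that is not part of the original thread: it builds a throwaway root, intermediate and leaf, packs leaf and intermediate into a PFX, and uses `openssl verify` to check which combinations of served bundle and trusted CA file validate. The subjects, file names, the password `demo`, and the layout of the PFX (intermediate included, root absent) are constructed for the demonstration.

```sh
# Added example, not from the thread. Subjects, file names and the password
# "demo" are constructed; the demo PFX holds leaf + intermediate but no root.
set -eu

new_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_demo_pfx() {  # $1 = dir; builds root -> intermediate -> leaf and demo.pfx
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d/root" 'Demo Root CA'
  new_csr "$d/int" 'Demo Intermediate CA'
  new_csr "$d/leaf" 'moon.example.test'
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
    -certfile "$d/int.pem" -passout pass:demo -out "$d/demo.pfx"
}

pem_only() { sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'; }
extract_pfx() {  # $1 = pfx, $2 = password, $3 = output dir
  # -clcerts: leaf only (what the thread's tls.crt contains)
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
    pem_only > "$3/tls-leaf.crt"
  # -cacerts: every other certificate bundled in the PFX
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys 2>/dev/null |
    pem_only > "$3/ca-chain.pem"
  cat "$3/tls-leaf.crt" "$3/ca-chain.pem" > "$3/tls-fullchain.crt"
}
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# $1 = trusted CA file, $2 = bundle as served: first cert is the leaf, the
# rest are offered as untrusted intermediates, as a TLS server would send them.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; }

work=$(mktemp -d); make_demo_pfx "$work"
extract_pfx "$work/demo.pfx" demo "$work"
for served in tls-leaf.crt tls-fullchain.crt; do
  for ca in ca-chain.pem root.pem; do
    verify_chain "$work/$ca" "$work/$served" && r=OK || r=FAIL
    echo "served=$served trusted=$ca -> $r"
  done
done
```

Only the full chain checked against the root verifies. `ca-chain.pem` holds whatever non-leaf certificates the PFX carries, so a root that is absent from the PFX still has to come from the issuing CA.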

@vania-pooh
Member
