
hubot-zulip doesn't work with self signed SSL certs #6

Open
sabotrax opened this issue Oct 16, 2015 · 11 comments

@sabotrax

I ran

    HUBOT_ZULIP_SITE=https://zulip.example.com HUBOT_ZULIP_BOT=hubot-bot@example.com HUBOT_ZULIP_API_KEY=your_key bin/hubot -a zulip

with values corrected for my local installation and got:

    Zulip API Error: unable to verify the first certificate
    [Fri Oct 16 2015 14:19:28 GMT+0200 (CEST)] ERROR Error: unable to verify the first certificate
        at Error (native)
        at TLSSocket.<anonymous> (_tls_wrap.js:929:36)
        at TLSSocket.emit (events.js:104:17)
        at TLSSocket._finishInit (_tls_wrap.js:460:8)

@timabbott
Sponsor Member

I think probably the right solution to this problem is to just provide a documented path for passing into the integration the path to an SSL certificate it can use to verify communication with the server.

@heitorlessa

Having the same issue here, however the certificate is valid from where I'm connecting from (cURL works, btw):

Zulip API Error: SSL Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE

Any pointers?

I've tried to disable strict-ssl, rejectUnauthorized on Requests lib used by Zulip as well as disabling Node TLS check and it still provides me the same error message.

Other alternatives in case it works for anyone else: request/request#418

@rasathus

I'm getting something similar with the error ...

Error: DEPTH_ZERO_SELF_SIGNED_CERT
    at SecurePair.<anonymous> (tls.js:1370:32)
    at SecurePair.EventEmitter.emit (events.js:92:17)
    at SecurePair.maybeInitFinished (tls.js:982:10)
    at CleartextStream.read [as _read] (tls.js:469:13)
    at CleartextStream.Readable.read (_stream_readable.js:320:10)
    at EncryptedStream.write [as _write] (tls.js:366:25)
    at doWrite (_stream_writable.js:223:10)
    at writeOrBuffer (_stream_writable.js:213:5)
    at EncryptedStream.Writable.write (_stream_writable.js:180:11)
    at write (_stream_readable.js:583:24)

I did try a couple of the workarounds suggested in request/request#418, but to no avail.

@richardwlu

I'm getting something a little different:

    zulip@zulip:~/r2z2$ HUBOT_ZULIP_SITE=https://zulip.example.com HUBOT_ZULIP_BOT=zulip-bot@example.com HUBOT_ZULIP_API_KEY=key bin/hubot -a zulip
    Zulip API Error: self signed certificate in certificate chain
    [Tue Oct 27 2015 15:11:47 GMT-0500 (CDT)] ERROR Error: self signed certificate in certificate chain
        at Error (native)
        at TLSSocket.<anonymous> (_tls_wrap.js:1000:38)
        at emitNone (events.js:67:13)
        at TLSSocket.emit (events.js:166:7)
        at TLSSocket._finishInit (_tls_wrap.js:567:8)

Is there a way to provide a path to the SSL cert?

@timabbott
Sponsor Member

The Hubot integration uses zulip-node, not the Python API: https://github.com/zulip/zulip-node

The Python API has an open PR to add support for specifying a certificate, but the Node API bindings do not. If someone wants to address this, I'd recommend working on the problem in zulip-node. I don't think there's a way to provide a path to the SSL cert right now but surely there's an easy way to pass a cert path into the Node HTTPS libraries (if fixing this requires switching to a different library, that's totally fine)...

@achinnic-akamai

I believe I have a workaround for this. It's not pretty, but it seems to be working.

The Zulip installation I'm working with has an SSL certificate that is signed, but doesn't return a full certificate chain back to the root, so request validation for HTTPS was failing. When I ran hubot with the zulip adapter, right away I started getting the initial "unable to verify the first certificate" errors.

After a little research, I found the NODE_TLS_REJECT_UNAUTHORIZED=0 setting and started using it. Then my error changed slightly to the one mentioned above: "Zulip API Error: SSL Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE"

Digging into the source a little (/[your_bot_root]/node_modules/request/request.js, around line 639), there is a check to validate the secure connection:

  // XXX This is different on 0.10, because SSL is strict by default
  if (self.httpModule === https &&
      self.strictSSL &&
      !response.client.authorized) {
    debug('strict ssl error', self.uri.href)
    var sslErr = response.client.authorizationError
    self.emit('error', new Error('SSL Error: '+ sslErr))
    return 
  } 

Setting "self.strictSSL = true" just before this code (or, presumably, removing the self.strictSSL check in the IF statement) disrupts the error and allows the connection to continue. Ta-daa: a working, connecting hubot.

Is there a way to feed this setting into hubot-zulip as a config variable and have it persist to node.js?

@WPTechnician

I am running into the same issue richardwlu is running into. Has this been resolved or is there a good workaround for it? I tried the workaround mentioned by the previous post to no avail. Thanks!

@timabbott
Sponsor Member

timabbott commented May 4, 2016

The easiest solution is to just get a free real SSL cert from LetsEncrypt.

@WPTechnician

That's the thing, I am no longer using a self-signed certificate. I replaced it in the nginx config, is there somewhere else that needs to be updated to recognize that I am no longer using a self-signed certificate? I apologize if this is documented somewhere, I haven't been able to find anything related to it other than this issue. Thanks!


@WPTechnician

WPTechnician commented May 4, 2016

I followed the steps in the answer on this link and it resolved my certificate issues.

http://stackoverflow.com/questions/32248166/socket-io-unable-to-verify-the-first-certificate

Thanks!

@ssvenn

ssvenn commented Mar 15, 2018

We ran into this issue and solved it by setting the NODE_EXTRA_CA_CERTS=/path/to/cert.pem environment variable before starting hubot. It seems that this mechanism didn't exist in nodejs when the issue was initially raised.

More info at https://stackoverflow.com/questions/29283040/how-to-add-custom-certificate-authority-ca-to-nodejs
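
Added example, not part of the thread and not hubot-zulip or zulip-node code: one way to implement the certificate-path option discussed above while keeping TLS verification on. `HUBOT_ZULIP_CA_FILE` is a hypothetical variable name, and the sample bundle is constructed.

```javascript
'use strict';
const fs = require('node:fs');
const https = require('node:https');
const tls = require('node:tls');

// Constructed sample bundle: placeholder bodies, not real certificates.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----', 'Q09OU1RSVUNURUQtSU5URVJNRURJQVRF', '-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----', 'Q09OU1RSVUNURUQtUk9PVA==', '-----END CERTIFICATE-----',
].join('\n');

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle (missing intermediates and/or a private root) into
// individual certificates.
function splitPemBundle(text) {
  return text.match(PEM_CERT) || [];
}

// Build TLS options from the environment.
// HUBOT_ZULIP_CA_FILE is a hypothetical name; hubot-zulip does not read it.
function buildTlsOptions(env) {
  // The global switch turns off verification for every outbound connection
  // in the process, so refuse to start with it set.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    throw new Error('NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate verification; unset it');
  }
  const options = { rejectUnauthorized: true };
  const caFile = env.HUBOT_ZULIP_CA_FILE;
  if (!caFile) return options; // fall back to Node's default trust store

  const extra = splitPemBundle(fs.readFileSync(caFile, 'utf8'));
  if (extra.length === 0) {
    throw new Error(`no PEM certificates found in ${caFile}`);
  }
  // An explicit `ca` replaces Node's bundled roots, so append to them
  // instead of trusting only the extra certificates.
  options.ca = [...tls.rootCertificates, ...extra];
  return options;
}

// Agent to hand to the HTTPS client, for example:
//   https.get(process.env.HUBOT_ZULIP_SITE, { agent: makeAgent(process.env) }, cb)
function makeAgent(env) {
  return new https.Agent(buildTlsOptions(env));
}
```
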
