browserType.connect: unable to verify the first certificate
MohamedBenighil opened this issue · 7 comments
Hello,
Part 1: Moon
I deployed the moon2 Helm chart on my Kubernetes cluster and https access, where I used Nginx Ingress Controller. The GUI of moon2 is accessible.
I managed the TLS certificates at the Nginx Ingress Controller level, i.e. I used --default-ssl-certificate=default/cert-secret
The Helm values.yml I used looks like this (just the part I am interested in):
customIngress:
  enabled: true
  ingressClassName: nginx
  host: efr-moon-p.aks-qa-fr.mydomain.net
Part 2: Test
I used the following program to make a simple test:
'use strict';
function wait(ms){
  var start = new Date().getTime();
  var end = start;
  while(end < start + ms) {
    end = new Date().getTime();
  }
}
const { firefox } = require('playwright');
const host = 'efr-moon-p.aks-qa-fr.mydomain.net';
(async () => {
  const browser = await firefox.connect({ timeout: 0, wsEndpoint: `wss://${host}/playwright/firefox/playwright-1.19.2?headless=false&enableVideo=true&videoName=mytestvideo.mp4` });
  const page = await browser.newPage();
  await page.goto('https://aerokube.com/moon/');
  //wait(30000);
  await page.screenshot({ path: `screenshot.png` });
  await browser.close();
})();
But I got the following error:
> moon-cloud-playwright-example@1.0.0 test
> node index.js
node:internal/process/promises:288
triggerUncaughtException(err, true /* fromPromise */);
^
browserType.connect: unable to verify the first certificate
at C:\Users\mbenighil\OneDrive - MYDOMAIN\Bureau\git\moon-cloud-playwright-example\index.js:20:35
at Object.<anonymous> (C:\Users\mbenighil\OneDrive - MYDOMAIN\Bureau\git\moon-cloud-playwright-example\index.js:28:3) {
name: 'Error'
}
Node.js v18.16.0
Any help please ?
@MohamedBenighil you need to make sure that CA certificate used to issue Moon TLS certificate is trusted in node.js settings. https://stackoverflow.com/questions/29283040/how-to-add-custom-certificate-authority-ca-to-nodejs
@vania-pooh please notice I have just tls.crt & tls.key in my secret file (--default-ssl-certificate=default/cert-secret). And I DON'T have a CA certificate.
apiVersion: v1
data:
  tls.crt: QmF......K  # <== HERE
  tls.key: LS0tLS.....S0tLS0tCg==  # <== AND HERE (tls.crt & tls.key are all I have)
kind: Secret
metadata:
  creationTimestamp: "2023-05-15T13:33:13Z"
  name: cert-secret
  namespace: default
  resourceVersion: "25502736"
  uid: 10295bd4-a764-4407-a204-d8caae8129df
type: kubernetes.io/tls
@MohamedBenighil usually certification authority is provided by organization or person who actually generated these two files. E.g. this could be CA certificates of let's encrypt or another TLS certification provider.
@vania-pooh I used NODE_EXTRA_CA_CERTS=ca/ca-pfx.pem npm test and the error changed.
Now, I got:
> moon-cloud-playwright-example@1.0.0 test
> node index.js
node:internal/process/promises:288
triggerUncaughtException(err, true /* fromPromise */);
^
browserType.connect: unable to get issuer certificate
at C:\Users\mbenighil\OneDrive - MYDOMAIN\Bureau\git\moon-cloud-playwright-example\index.js:22:35
at Object.<anonymous> (C:\Users\mbenighil\OneDrive - MYDOMAIN\Bureau\git\moon-cloud-playwright-example\index.js:28:3) {
name: 'Error'
}
Node.js v18.16.0
any help please ?
PS: Moon is running on AKS
@MohamedBenighil this is still related to TLS CA config of NPM. Probably you are providing an intermediary CA and not root CA.
@vania-pooh how can I get the root CA?
I created tls.key and tls.crt using the following commands:
# private key
openssl pkcs12 -in aks-qa-fr.COMPANY.net_2022.pfx -nocerts -out key-file.key
# decrypt
openssl rsa -in key-file.key -out tls.key
# get crt
openssl pkcs12 -in aks-qa-fr.COMPANY.net_2022.pfx -clcerts -nokeys -out tls.crt
# create kubernetes secret
kubectl create secret tls cert-secret --cert tls.crt --key tls.key # <==The secret is used at Nginx Ingress Controller as i said before
Notice my input entry is: aks-qa-fr.COMPANY.net_2022.pfx
I would like to know what I am missing, please?
@MohamedBenighil something like this should work: https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/