Error "invalid peer certificate: UnknownIssuer" on Deno but not on Node #20362

Open
DMeechan opened this issue Sep 2, 2023 · 6 comments

DMeechan commented Sep 2, 2023

I get this error when connecting to a Supabase Postgres database using Postgres.js on Deno 1.36.3+c9223bc:

import postgres from "https://deno.land/x/[email protected]/mod.js"; // For Deno
// import postgres from "postgres"; // For Node

const sql = postgres(databaseUrl, { ssl: "require" });
await sql`SELECT 1`;


// Result:
error: Uncaught (in promise) InvalidData: invalid peer certificate: UnknownIssuer
        while ((result = socket.readyState === 'open' && await raw.read(b))) {
                                                         ^
    at async TlsConn.read (ext:deno_net/01_net.js:107:15)

However, the code above works fine on Node.js v18.17.1.

DMeechan commented Sep 2, 2023

I was able to solve this error by setting the DENO_CERT=./certs/supabase.crt env variable.

However, is the error intentional? Or do we expect the code above to pass, like on Node?

@kahirokunn

I encountered the same error message when I tried to use a client certificate.

nodejs/node#48977

const { Agent } = require('undici');

fetch(url, {
    dispatcher: new Agent({
        connect: {
            cert: cert,
            key: key,
            ca: ca
        }
    })
});

@alexcouper

Encountered the same issue. I'm using DENO_CERT to run tests as a result.

karl19 commented Oct 10, 2024

installing exit due to same issue

LaurentChardin commented Oct 21, 2024

I have the same issue, and this is due to my company proxy, which uses Zscaler, which replaces SSL certificates on the fly (you know... firewalling, packet inspection, etc.). Do we have an option to tell Deno to trust the corporate certificate?

Update: OK, I resolved it by downloading the install script and adding DENO_CERT at the top, pointing to the chain PEM I extracted from the expected URL. Then I restarted the install script, and added DENO_CERT in my .zshrc file.

ardabeyazoglu commented Nov 9, 2024

The issue is that Node and Deno have different config options for specifying the CA certificate. DENO_CERT also works, but it is not always possible to change it, nor is it possible to specify multiple certificates on the fly with it (like customer-specific certificates).

For Node.js tls.connect, ca: ["-----BEGIN CERTIFICATE-----\n..."] works. For Deno TLS, it must be caCerts: ["-----BEGIN CERTIFICATE-----\n..."]. Tested both with Supabase and Postgres.js now; both work.

It seems ca and caCerts are not correctly mapped in node:tls. That would fix the issue.
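
An added example, not part of the thread and not code from Deno or Postgres.js: a helper that splits a CA bundle into individual PEM blocks and returns them under the option name each runtime reads, `caCerts` for Deno and `ca` for Node, as the comment above describes. The function names and the sample bundle are constructed for illustration; the placeholder blocks are not real certificates.

```javascript
// Added example: sample PEM bodies below are constructed placeholders, not real certificates.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+?)-----END \1-----/g;

// Split a PEM bundle (e.g. a proxy or database CA chain) into individual certificate blocks.
function splitPemBundle(bundle) {
  const certs = [];
  const seen = new Set();
  for (const m of bundle.matchAll(PEM_BLOCK)) {
    const [, label, body] = m;
    // A trust bundle should hold only certificates; refuse private keys and other block types.
    if (label !== "CERTIFICATE") {
      throw new Error(`unexpected PEM block in CA bundle: ${label}`);
    }
    const b64 = body.replace(/\s+/g, "");
    if (b64.length === 0 || b64.length % 4 !== 0) {
      throw new Error("malformed base64 in certificate block");
    }
    if (seen.has(b64)) continue; // drop duplicate certificates
    seen.add(b64);
    // Re-wrap at 64 columns so every runtime receives a canonical block.
    const wrapped = b64.match(/.{1,64}/g).join("\n");
    certs.push(`-----BEGIN CERTIFICATE-----\n${wrapped}\n-----END CERTIFICATE-----\n`);
  }
  if (certs.length === 0) throw new Error("no certificates found in bundle");
  return certs;
}

// Build TLS options with the key each runtime reads: `caCerts` on Deno, `ca` on Node.
function tlsTrustOptions(bundle, runtime = typeof Deno !== "undefined" ? "deno" : "node") {
  const certs = splitPemBundle(bundle);
  return runtime === "deno" ? { caCerts: certs } : { ca: certs };
}

// Constructed bundle: two placeholder blocks, the first one repeated.
const SAMPLE_BUNDLE = [
  "-----BEGIN CERTIFICATE-----\nQUJDREVGR0g=\n-----END CERTIFICATE-----",
  "-----BEGIN CERTIFICATE-----\nSUpLTE1OT1A=\n-----END CERTIFICATE-----",
  "-----BEGIN CERTIFICATE-----\nQUJDREVGR0g=\n-----END CERTIFICATE-----",
].join("\n");
```

Spreading the result into the connection options (for example `Deno.connectTls({ hostname, port, ...tlsTrustOptions(pem) })`) keeps certificate verification on while trusting the extra issuer for that connection only.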
