Error: unable to verify the first certificate. How to fix?

Soulrain

Hello all,

I have installed NodeBB v1.14.2 for testing purposes, following the official docs here and here.

The server has Ubuntu 18.04 and Apache. Now, everything seems to be working as expected. I can log in, create users and posts, add plugins etc. The only problem that I face is that NodeBB can't verify my Let's Encrypt certificate and so the emails (postfix) don't work.

The error I get is this:

2020-07-27T10:04:43.513Z [4567/18696] - error: Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1501:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:936:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:710:12)

Can someone point me to the right direction for solving this? I would prefer not to use a third-party service, since that would mean I have to change postfix settings for every other website on the server.

Thank you in advance.

PitaJ

As that answer on SO says, the error unable to verify the first certificate means that the webserver you are connecting to is misconfigured and did not include the intermediate certificate in the certificate chain it sent to you.

First, try sending an email with the environment variable NODE_TLS_REJECT_UNAUTHORIZED=0 set. That should work, confirming the rest of your setup is correct.

You may be able to fix this by changing your email server setup to provide a different certificate, one which embeds the full chain. (Probably fullchain.pem)

If you can't get that to work, you should try passing the intermediate certificate to Node as a CA. From that SO answer:

Save the remote server's certificate details:

openssl s_client -connect incomplete-chain.badssl.com:443 -servername incomplete-chain.badssl.com | tee logcertfile

We're looking for the issuer (the intermediate certificate is the issuer / signer of the server certificate):

openssl x509 -in logcertfile -noout -text | grep -i "issuer"

It should give you URI of the signing certificate. Download it:

curl --output intermediate.crt http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

Finally, convert it to .pem:

openssl x509 -inform DER -in intermediate.crt -out intermediate.pem -text

Then you want to pass the intermediate certificate by setting the environment variable

set NODE_EXTRA_CA_CERTS="intermediate.pem"

Then start NodeBB and try sending an email again.

PitaJ

Please share more details. How is postfix set up? How is NodeBB configured to interface with postfix? Have you tried changing any settings?

Soulrain

I will be away from my computer for many hours so I can't be specific.

I have postfix set up on port 587 with STARTTLS and it's working fine for two other websites on the same server, as well as for other things I'm testing. It's just NodeBB that has this problem.

On the email settings for NodeBB I just entered the email address for the sender and the name that should appear. Is there anything else that I should have done?

The certificate is from Let's Encryprt, it is valid until October thid year and NodeBB connects as https. Just when sending an email it doesn't confirm the certificate.

PitaJ

@Soulrain a screenshot of the email settings page would be useful. You should have had to set up a custom SMTP connection, where you have to specify the address of the server, the security mode, etc.

Soulrain

@PitaJ These are my settings but the error remains the same:

PitaJ

This is an issue with your certificate. That error means it does not embed the root certificate. This is okay for some clients but others (like Node) fail.

Try the following answer on SO: https://stackoverflow.com/a/60020493

Or other answers in that thread. Don't use any that instruct you to set the NODE_TLS_REJECT_UNAUTHORIZED flag unless you just want to check that it will work if you turn off TLS.

Soulrain

@PitaJ I don't understand what I'm supposed to do. I have cert.pem, chain.pem, fullchain.pem and privkey.pem. The last two are included in the configuration for the VirtualHost. Should I add cert.pem and chain.pem to NodeBB? If so, then how?

I'm really sorry but I'n not well-versed in Node.js.

PitaJ

As that answer on SO says, the error unable to verify the first certificate means that the webserver you are connecting to is misconfigured and did not include the intermediate certificate in the certificate chain it sent to you.

First, try sending an email with the environment variable NODE_TLS_REJECT_UNAUTHORIZED=0 set. That should work, confirming the rest of your setup is correct.

You may be able to fix this by changing your email server setup to provide a different certificate, one which embeds the full chain. (Probably fullchain.pem)

If you can't get that to work, you should try passing the intermediate certificate to Node as a CA. From that SO answer:

Save the remote server's certificate details:

openssl s_client -connect incomplete-chain.badssl.com:443 -servername incomplete-chain.badssl.com | tee logcertfile

We're looking for the issuer (the intermediate certificate is the issuer / signer of the server certificate):

openssl x509 -in logcertfile -noout -text | grep -i "issuer"

It should give you URI of the signing certificate. Download it:

curl --output intermediate.crt http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

Finally, convert it to .pem:

openssl x509 -inform DER -in intermediate.crt -out intermediate.pem -text

Then you want to pass the intermediate certificate by setting the environment variable

set NODE_EXTRA_CA_CERTS="intermediate.pem"

Then start NodeBB and try sending an email again.

Soulrain

@PitaJ said in Error: unable to verify the first certificate. How to fix?:

You may be able to fix this by changing your email server setup to provide a different certificate, one which embeds the full chain. (Probably fullchain.pem)

Since postfix was working for every other site on the server, I never thought to try that. But I did and it worked! Thank you very much.