RequestError: unable to verify the first certificate

[LRSFC-DanJ]

dcli Version: 1.0.0 Windows
OS version: Windows 10 Enterprise 21H2

When trying to log in using dcli-win.exe sync I am receiving an error as follows after entering my email address:

RequestError: unable to verify the first certificate
    at ClientRequest.<anonymous> (C:\snapshot\dashlane-cli\node_modules\got\dist\source\core\index.js:970:111)
    at Object.onceWrapper (node:events:642:26)
    at ClientRequest.emit (node:events:539:35)
    at ClientRequest.<anonymous> (C:\snapshot\dashlane-cli\node_modules\@szmarczak\http-timer\dist\source\index.js:43:20)
    at TLSSocket.socketErrorListener (node:_http_client:454:9)
    at TLSSocket.emit (node:events:527:28)
    at emitErrorNT (node:internal/streams/destroy:157:8)
    at emitErrorCloseNT (node:internal/streams/destroy:122:3)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1532:34)
    at TLSSocket.emit (node:events:527:28)
    at TLSSocket._finishInit (node:_tls_wrap:946:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:727:12) {
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  timings: {
    start: 1673609161941,
    socket: 1673609161942,
    lookup: 1673609161948,
    connect: 1673609161957,
    secureConnect: undefined,
    upload: undefined,
    response: undefined,
    end: undefined,
    error: 1673609161967,
    abort: undefined,
    phases: {
      wait: 1,
      dns: 6,
      tcp: 9,
      tls: undefined,
      request: undefined,
      firstByte: undefined,
      download: undefined,
      total: 26
    }
  }
}

While it is the case that I am running this in a corporate environment with a firewall that does HTTPS inspection, the appropriate CA certificate is installed in the computer's Trusted Root Certificates store, so the server certificate should be able to be verified.

The Dashlane web app and browser extension do not experience any issues.

[Mikescops]

Hello,

As I understand your problem, your company is using a self-signed certificate for your HTTPS connection.
If that's the case, indeed it can cause such issue because we're using NodeJS.
In NodeJS the list of certificate authorities is done in a weird way, it's basically hardcoded, read more here: nodejs/node#4175

It seems so far that there are no programmatic way of adding custom certs and nodejs is not picking custom certs from the OS store. But there is an environment variable to add custom certs: https://nodejs.org/docs/latest-v16.x/api/cli.html#node_extra_ca_certsfile

NODE_EXTRA_CA_CERTS=/<...>/.ssl/extra_certs.pem

Unfortunately I'm not working in an environment with such self-signed cert so I'll let you test this solution and let me know if that works.

That said, I found a package (https://www.npmjs.com/package/win-ca) that could be interesting for getting the custom certificates on Windows. I'll have to explore this a bit more and assess if it meets our security requirements before implementing it.

[LRSFC-DanJ]

But there is an environment variable to add custom certs: https://nodejs.org/docs/latest-v16.x/api/cli.html#node_extra_ca_certsfile

NODE_EXTRA_CA_CERTS=/<...>/.ssl/extra_certs.pem

Unfortunately I'm not working in an environment with such self-signed cert so I'll let you test this solution and let me know if that works.

Setting this environment variable up to point to a file containing the firewall's CA certificate allows me to successfully complete a dcli-win.exe sync session.

A hardcoded certificate store seems like it might be problematic as it won't allow for situations such as CA certificates which are revoked or new ones that get added (e.g. Let's Encrypt). If you're able to verify against certificates in the OS certificate store this would be better as these are typically updated on a regular basis, and for enterprise use the OS certificate store will usually also contain any custom CA certificates that may be needed.

[Mikescops]

Great that it solves the issue, it's clearly not ideal but it's something at least.

Root certificates don't change that often (see the updates in https://github.com/nodejs/node/blob/main/src/node_root_certs.h) and I believe most providers will think of updating it there unless they want to break a lot of customers apps.

I'll have a deeper look at how other apps handle this issue and I'll try to come up with a long term solution.

[Mikescops]

I just figured out that there is an option to use the OpenSSL default CA's store instead of the Node.js one, as per https://nodejs.org/api/cli.html#--use-bundled-ca---use-openssl-ca (I believe this doesn't solve the issue on Windows as they use their own cert store)

One solution could be to export this variable NODE_OPTIONS=--use-openssl-ca.

The previous method we talked about is also documented in our website now: https://dashlane.github.io/dashlane-cli/troubleshooting#requesterror-unable-to-verify-the-first-certificate

I'm considering this issue closed as there is nothing we can integrate into the code of the CLI (I looked at the win-ca package and it's not an acceptable dependency) and the solution seems acceptable to me, please re-open if there is additional problems.