
LDAPS UNABLE_TO_VERIFY_LEAF_SIGNATURE #1395

Closed
kristjankullerkann opened this issue Nov 13, 2015 · 6 comments

Comments

@kristjankullerkann
Contributor

Hello

Tried to configure LDAP connection over SSL/TLS with the following configuration parameters:

  • LDAP Port - 636
  • LDAP URL - ldaps://
  1. User isn't able to login.
  2. No error message is shown to user.

From err-0.log:

    /opt/pm2/app/rocket.chat/bundle/programs/server/packages/meteor.js:974
    throw new Error("Meteor code must always run within a Fiber. " +
          ^
    Error: Meteor code must always run within a Fiber. Try wrapping callbacks that you pass to non-Meteor libraries with Meteor.bindEnvironment.
        at Object.Meteor._nodeCodeMustBeInFiber (packages/meteor/dynamics_nodejs.js:9:1)
        at [object Object]._.extend.get (packages/meteor/dynamics_nodejs.js:21:1)
        at Object.Meteor.isRestricted (packages/dispatch_run-as-user/packages/dispatch_run-as-user.js:137:1)
        at [object Object].Mongo.Collection.(anonymous function) [as update] (packages/dispatch_run-as-user/packages/dispatch_run-as-user.js:268:1)
        at Object.UserPresence.removeConnectionsByInstanceId (packages/konecty_user-presence/packages/konecty_user-presence.js:88:1)
        at process.<anonymous> (packages/konecty_user-presence/packages/konecty_user-presence.js:223:1)
        at process.emit (events.js:117:20)
        at process.exit (node.js:740:17)
        at process.catchException (/usr/local/lib/node_modules/pm2/node_modules/pmx/lib/notify.js:52:15)
        at process.g (events.js:180:16)
    Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE
        at SecurePair.<anonymous> (tls.js:1381:32)
        at SecurePair.emit (events.js:92:17)
        at SecurePair.maybeInitFinished (tls.js:980:10)
        at CleartextStream.read [as _read] (tls.js:472:13)
        at CleartextStream.Readable.read (_stream_readable.js:341:10)
        at EncryptedStream.write [as _write] (tls.js:369:25)
        at doWrite (_stream_writable.js:226:10)
        at writeOrBuffer (_stream_writable.js:216:5)
        at EncryptedStream.Writable.write (_stream_writable.js:183:11)
        at write (_stream_readable.js:602:24)

I'm not an expert but I think the problem is that nodejs (?) isn't trusting the ldaps server certificate as it is issued by an untrusted CA (self-signed, in-house PKI etc).

http://stackoverflow.com/questions/25171613/ldap-bind-error-using-node-js-and-ldapjs
A quick and ugly workaround - an option to allow setting NODE_TLS_REJECT_UNAUTHORIZED to false? I personally think it's a bad idea.

A better solution would be to set up some kind of CA store as in Java (looks like nodejs isn't currently implementing anything like this - it only has some built-in trusted CAs which are in the nodejs source code).
Or perhaps it's possible to configure nodejs/application to trust operating system trust store?

And finally one more stackoverflow link :)
http://stackoverflow.com/questions/15254976/how-do-i-use-the-node-js-request-module-to-make-an-ssl-call-with-my-own-certific


@geekgonecrazy
Contributor

I think there is a way in most operating systems to add CA's to be trusted. What OS?

We need to handle these errors regardless.
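The two points raised so far, trusting an in-house CA without the process-wide NODE_TLS_REJECT_UNAUTHORIZED workaround and surfacing the TLS error to the user instead of swallowing it, as an added example that is not Rocket.Chat's or ldapjs's own code. It assumes ldapjs' createClient() forwards a `tlsOptions` object to Node's tls.connect(); the `caPem` setting name is hypothetical.

```javascript
'use strict';
// Added example (not Rocket.Chat's or ldapjs's code): build ldapjs client options that
// trust an in-house CA for this client only, and translate the verification error codes
// seen in this thread into a message the login form can show.
// Assumption: ldapjs createClient() forwards `tlsOptions` to Node's tls.connect().
// The `caPem` setting name is hypothetical.

// Node/OpenSSL verification error codes an LDAPS bind can surface, with an operator-facing hint.
const TLS_ERROR_HINTS = {
  UNABLE_TO_VERIFY_LEAF_SIGNATURE:
    'LDAPS server certificate is not signed by a CA this process trusts; configure the issuing CA.',
  SELF_SIGNED_CERT_IN_CHAIN:
    'A self-signed certificate is in the chain; configure that CA as trusted instead of disabling verification.',
  DEPTH_ZERO_SELF_SIGNED_CERT:
    'The LDAPS server presents a self-signed certificate; configure it (or its CA) as trusted.',
  CERT_HAS_EXPIRED: 'The LDAPS server certificate has expired.',
  ERR_TLS_CERT_ALTNAME_INVALID: 'The certificate does not match the configured LDAP host name.',
};

function buildLdapClientOptions(settings) {
  // Refuse the "quick and ugly" workaround: NODE_TLS_REJECT_UNAUTHORIZED=0 turns off
  // certificate verification for every outbound TLS connection in the process.
  if (process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    throw new Error('NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS verification for the whole process');
  }
  const scheme = settings.useLdaps ? 'ldaps' : 'ldap';
  const options = { url: `${scheme}://${settings.host}:${settings.port}` };
  if (settings.useLdaps) {
    options.tlsOptions = {
      rejectUnauthorized: true,   // keep verification on
      servername: settings.host,  // SNI and host-name check against the configured host
    };
    if (settings.caPem) {
      // Extra trust anchor for this client only; by default Node uses its bundled CA
      // list rather than the OS trust store, which is why the OS-level fix did not help.
      options.tlsOptions.ca = [settings.caPem];
    }
  }
  return options;
}

// Map a TLS/OpenSSL error code to an actionable message, or null if it is not a verification failure.
function describeTlsError(err) {
  const code = err && err.code;
  return Object.prototype.hasOwnProperty.call(TLS_ERROR_HINTS, code) ? TLS_ERROR_HINTS[code] : null;
}

module.exports = { buildLdapClientOptions, describeTlsError, TLS_ERROR_HINTS };
```

The returned object is what you would hand to ldap.createClient(); the error callback of the bind is where describeTlsError() turns a bare UNABLE_TO_VERIFY_LEAF_SIGNATURE into something the login form can display.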

@kristjankullerkann
Contributor Author

Not sure but it looks like nodejs doesn't use the OS trust store (already tried).
http://stackoverflow.com/questions/21004645/where-is-nodes-certificate-store

Linux (CentOS 7).

Perhaps functionality to add own certificate for ldapjs? Or a global trust store for Rocket.Chat (didn't quite get if this would also work with ldapjs as examples are for node https server).

@geekgonecrazy
Contributor

@litewhatever so looks like we might need to add the ability to add a trusted certificate then. Probably a good idea anyways

@emcguinness
Contributor

Mostly posting so I can find this thread again more easily. Meteor does appear to handle CAs separately from the OS; I did have a look into this a while back when looking to get my Rocket.Chat instance running on a self-signed cert properly without having to enable the flag to allow all self-signed/invalid certs. I did get it but it was far too messy for anything to share.

@geekgonecrazy
Contributor

@emcguinness alright, good to know. So we might want to add this ability. If you come across that info feel free to post back. It's always helpful to have info associated with the resolution of the issue in it.

@emcguinness
Contributor

Well I just went to find the bit of code I modified but it seems one of the virtual disks for my VM has corrupted so I can't get to it right now (not that it was much in the end). I still have some of the resource pages I found.

First, for background, it appears that an old version of NPM was the issue, see here.

The best page I found was here - it starts off with how to generate the certs, which helps with knowing which bit is which when they get onto the implementation further down (it even included client certs). Really it just comes down to passing some options when making your SSL request. I was looking into the image previews for self-signed certs so I added in the certificate options there if I remember right.
