Pastey, Let's Encrypt, & NodeJS builtin CAs

[xurizaemon]

Aw heck. So http://paste.example.org now 301s to https://paste.example.org where SSL is via a Let's Encrypt cert, and Node uses a hardcoded list of certificate authorities. TIL.

• Node uses an hardcoded list of certificate authorities nodejs/node#4175

I had a tutu with this to support an additional config option to pass in a CA for LE, but it was just going to add a bunch of code and make things more complicated ... and you'd need to do the same workaround for other Node apps anyway. So here's my fix:

sudo wget -O /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/lets-encrypt-x3-cross-signed.pem

You'll want the environment variable set appropriately ... I may not think this fix is sufficient if it means repeating the process on every server I use pastey on.

(Surely NodeJS isn't broken like this?!)

[xurizaemon]

Hmm, I think paste.example.org may have just used cert.pem not fullchain.pem, so I will ask the EXAMPLEORG sysadmins very nicely if they will have a look at that first.

[xurizaemon]

This was an issue with cert configuration on the server in question, and has been resolved. Yay!

[AdamMajer]

Node doesn't use hardcoded list of certs for a loooong time. Just FYI.

[xurizaemon]

Thanks! Yeah looks like I misled myself debugging, and it was actually cert chain issue if I recall.

Hecking exampleorg admins eh.