Pivotal Knowledge Base

Inviting users with Apps Manager failed, reason: self signed certificate in certificate chain

Environment

Pivotal Cloud Foundry: 1.9, 1.10

NodeJS: 1.5.x

Symptom

Inviting users with Apps Manager fails with the error "Unable to send one or more invitation emails".

Execute the following commands:

 cf login -u admin -o system -s system
 cf logs p-invitations --recent 

Error Message:

p-invitations logs the following error (the full stack trace is in the "Additional Information" section):

2017-06-16T16:12:30.40-0500 [APP/PROC/WEB/0] OUT { FetchError: request to https://login.<system domain>/check_token failed, reason: self signed certificate in certificate chain
2017-06-16T16:12:30.40-0500 [APP/PROC/WEB/0] OUT at ClientRequest.<anonymous> (/home/vcap/app/node_modules/node-fetch/index.js:133:11)
2017-06-16T16:12:30.40-0500 [APP/PROC/WEB/0] OUT at emitOne (events.js:96:13)

Cause  

This error comes from the node-fetch dependency of the invitations service. The invitations service does not contain any skip_cert_verify logic and fails when reaching out to the SMTP server.

The default trust store location on Ubuntu and other Debian-based systems is /etc/ssl/certs, and /etc/ssl/certs/ca-certificates.crt has all the trusted CA certificates concatenated together into a single file. Node does not pick up that trust store by default, though; it verifies peers against the CA list bundled with Node itself.

Engineering is working to solve this with a build pack upgrade in a future release of NodeJS.
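
The following is an added example, not part of the original article or Pivotal's code. It triages `cf logs` output to separate trust-chain failures like the one above, which an extra CA bundle can resolve, from other TLS certificate failures that it cannot. The function name, the error-code grouping and the last two sample lines are assumptions made for illustration.

```javascript
// Triage `cf logs <app> --recent` output for Node.js TLS verification errors
// and report whether adding CAs (NODE_EXTRA_CA_CERTS) can fix each one.
const TRUST_ERRORS = new Set([ // chain does not end at a CA that Node trusts
  'SELF_SIGNED_CERT_IN_CHAIN', 'DEPTH_ZERO_SELF_SIGNED_CERT',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY', 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
]);
const OTHER_TLS_ERRORS = new Set([ // extra CAs do not help with these
  'CERT_HAS_EXPIRED', 'CERT_NOT_YET_VALID', 'ERR_TLS_CERT_ALTNAME_INVALID',
]);

// cf log line layout: <timestamp> [<source>] <OUT|ERR> <message>
const LINE = /^(\S+)\s+\[([^\]]+)\]\s+(?:OUT|ERR)\s?(.*)$/;

function triageTlsErrors(logText) {
  const findings = [];
  let lastUrl = null; // URL from the most recent "request to ... failed" line
  for (const raw of logText.split(/\r?\n/)) {
    const m = LINE.exec(raw.trim());
    if (!m) continue;
    const [, timestamp, source, message] = m;
    const url = /request to (https?:\/\/.+?) failed,/.exec(message);
    if (url) lastUrl = url[1];
    const code = /\bcode: '([A-Z_]+)'/.exec(message);
    if (!code) continue;
    const isTrust = TRUST_ERRORS.has(code[1]);
    if (!isTrust && !OTHER_TLS_ERRORS.has(code[1])) continue;
    findings.push({ timestamp, source, url: lastUrl, code: code[1],
                    caBundleFixApplies: isTrust });
    lastUrl = null;
  }
  return findings;
}

// Sample input: the first three lines are from the log on this page; the last
// two are constructed (hypothetical host) to show a non-trust failure.
const SAMPLE = [
  "2017-06-16T16:12:30.40-0500 [APP/PROC/WEB/0] OUT { FetchError: request to https://login.<system domain>/check_token failed, reason: self signed certificate in certificate chain",
  "2017-06-16T16:12:30.41-0500 [APP/PROC/WEB/0] OUT errno: 'SELF_SIGNED_CERT_IN_CHAIN',",
  "2017-06-16T16:12:30.41-0500 [APP/PROC/WEB/0] OUT code: 'SELF_SIGNED_CERT_IN_CHAIN' }",
  "2017-06-16T16:13:02.10-0500 [APP/PROC/WEB/0] OUT { FetchError: request to https://mail.example.test/ failed, reason: certificate has expired",
  "2017-06-16T16:13:02.11-0500 [APP/PROC/WEB/0] OUT code: 'CERT_HAS_EXPIRED' }",
].join('\n');

for (const f of triageTlsErrors(SAMPLE)) {
  console.log(`${f.timestamp} ${f.source} ${f.code} ${f.url} -> ` +
    (f.caBundleFixApplies ? 'add the issuing CA to the trust bundle'
                          : 'CA bundle will not help; fix the certificate'));
}
```

Pipe the output of `cf logs p-invitations --recent` into `triageTlsErrors` before and after the restage to confirm the trust error is gone.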

Resolution

The NodeJS build pack needs to be updated, and a running environment variable needs to be set so that the NodeJS build pack and p-invitations pick up the proper certificate.

Perform the following steps:

1. Go to Pivotal Network and download the latest NodeJS build pack release: https://network.pivotal.io/products/buildpacks#/releases/5721

2. Log in to the CF CLI as admin and select ORG > system, SPACE > system

3. Update the NodeJS build pack using the zip downloaded earlier

cf update-buildpack nodejs_buildpack -p nodejs_buildpack-cached-v1.5.36+1496673485.zip

4. Set the running environment variable NODE_EXTRA_CA_CERTS to /etc/ssl/certs/ca-certificates.crt

cf srevg '{"NODE_EXTRA_CA_CERTS":"/etc/ssl/certs/ca-certificates.crt"}'

5. Restage the p-invitations app

cf restage p-invitations

6. Retry the email invitation via Apps Manager

Additional Information

Full error message:

2017-06-16T16:12:30.39-0500 [APP/PROC/WEB/0] OUT Validating emails
2017-06-16T16:12:30.39-0500 [APP/PROC/WEB/0] OUT Validating user token with UAA
2017-06-16T16:12:30.40-0500 [APP/PROC/WEB/0] OUT { FetchError: request to https://login.<system domain>/check_token failed, reason: self signed certificate in certificate chain
2017-06-16T16:12:30.40-0500 [APP/PROC/WEB/0] OUT at ClientRequest.<anonymous> (/home/vcap/app/node_modules/node-fetch/index.js:133:11)
2017-06-16T16:12:30.40-0500 [APP/PROC/WEB/0] OUT at emitOne (events.js:96:13)
2017-06-16T16:12:30.40-0500 [APP/PROC/WEB/0] OUT at TLSSocket.socketErrorListener (_http_client.js:309:9)
2017-06-16T16:12:30.40-0500 [APP/PROC/WEB/0] OUT at ClientRequest.emit (events.js:188:7)
2017-06-16T16:12:30.41-0500 [APP/PROC/WEB/0] OUT at emitErrorNT (net.js:1277:8)
2017-06-16T16:12:30.41-0500 [APP/PROC/WEB/0] OUT at process._tickDomainCallback (internal/process/next_tick.js:128:9)
2017-06-16T16:12:30.40-0500 [APP/PROC/WEB/0] OUT at TLSSocket.emit (events.js:188:7)
2017-06-16T16:12:30.40-0500 [APP/PROC/WEB/0] OUT at emitOne (events.js:96:13)
2017-06-16T16:12:30.41-0500 [APP/PROC/WEB/0] OUT at _combinedTickCallback (internal/process/next_tick.js:80:11)
2017-06-16T16:12:30.41-0500 [APP/PROC/WEB/0] OUT type: 'system',
2017-06-16T16:12:30.41-0500 [APP/PROC/WEB/0] OUT errno: 'SELF_SIGNED_CERT_IN_CHAIN',
2017-06-16T16:12:30.41-0500 [APP/PROC/WEB/0] OUT message: 'request to https://login.<system domain>/check_token failed, reason: self signed certificate in certificate chain',
2017-06-16T16:12:30.41-0500 [APP/PROC/WEB/0] OUT name: 'FetchError',
2017-06-16T16:12:30.41-0500 [APP/PROC/WEB/0] OUT code: 'SELF_SIGNED_CERT_IN_CHAIN' }
2017-06-16T16:12:30.41-0500 [APP/PROC/WEB/0] OUT undefined: undefined
2017-06-16T16:12:30.41-0500 [APP/PROC/WEB/0] ERR (node:80) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 8): RangeError: Invalid status code: 0
