Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to configure axios to use SSL certificate?

I'm trying to make a request with axios to an api endpoint and I'm getting the following error: Error: unable to verify the first certificate

It seems the https module, which axios uses, is unable to verify the SSL certificate used on the server.

When visiting the server with my browser, the certificate is valid and I can see/download it. I can also make requests to the api on my browser through https.

I can work around it by turning off verification. This code works.

const result = await axios.post(     `https://${url}/login`,     body,     {       httpsAgent: new https.Agent({         rejectUnauthorized: false       })     }   ) 

Problem is, this doesn't verify the SSL certificate and therefore opens up security holes.

How can I configure axios to trust the certificate and correctly verify it?

like image 530
Jemi Salo Avatar asked Jul 16 '18 14:07

Jemi Salo


People also ask

How do I add a certificate to Axios request?

To configure axios to use SSL certificate, we set the rejectUnauthorized option to false and add our certificate files as the options for axios. const httpsAgent = new https. Agent({ rejectUnauthorized: false, cert: fs. readFileSync("./usercert.

Does Axios support https?

Axios is an http(s) client and http clients usually participate in TLS anonymously.

How do I disable Axios SSL verification?

You can configure axios to use a custom agent and set rejectUnauthorized to false for that agent: // At instance level const instance = axios. create({ httpsAgent: new https. Agent({ rejectUnauthorized: false }) }); instance.

Does Axios use TLS?

If you are using axios in a browser, then it will use xhr. js, and TLS support will be provided by the browser.


2 Answers

Old question but chiming in for those who land here. No expert. Please consult with your local security gurus and what not.

Axios is an http(s) client and http clients usually participate in TLS anonymously. In other words, the server accepts their connection without identifying who is trying to connect. This is different then say, Mutual TLS where both the server and client verify each other before completing the handshake.

The internet is a scary place and we want to protect our clients from connecting to spoofed public endpoints. We do this by ensuring our clients identify the server before sending any private data.

// DO NOT DO THIS IF SHARING PRIVATE DATA WITH SERVICE const httpsAgent = new https.Agent({ rejectUnauthorized: false }); 

This is often posted (and more egregiously upvoted) as the answer on StackOverflow regarding https client connection failures in any language. And what's worse is that it usually works, unblocks the dev and they move on their merry way. However, while they certainly get in the door, whose door is it? Since they opted out of verifying the server's identity, their poor client has no way of knowing if the connection they just made to the company's intranet has bad actors listening on the line.

If the service has a public SSL cert, the https.Agent usually does not need to be configured further because your operating system provides a common set of publicly trusted CA certs. This is usually the same set of CA certs your browser is configured to use and is why a default axios client can hit https://google.com with little fuss.

If the service has a private SSL cert (self signed for testing purposes or one signed by your company's private CA to protect their internal secrets), the https agent must be configured to trust the private CA used to sign the server cert:

const httpsAgent = new https.Agent({ ca: MY_CA_BUNDLE }); 

where MY_CA_BUNDLE is an array of CA certs with both the server cert for the endpoint you want to hit and that cert's complete cert chain in .pem format. You must include all certs in the chain up to the trust root.


Where are these options documented?

HTTPS is the HTTP protocol over TLS/SSL. In Node.js this is implemented as a separate module.

Therefore options passed to the https.Agent are a merge of the options passed to tls.connect() and tls.createSecureContext().

like image 60
srquinn Avatar answered Sep 17 '22 11:09

srquinn


Create a custom agent with SSL certificate:

const httpsAgent = new https.Agent({   rejectUnauthorized: false, // (NOTE: this will disable client verification)   cert: fs.readFileSync("./usercert.pem"),   key: fs.readFileSync("./key.pem"),   passphrase: "YYY" })  axios.get(url, { httpsAgent })  // or  const instance = axios.create({ httpsAgent }) 

From https://github.com/axios/axios/issues/284

like image 28
Fabio Espinosa Avatar answered Sep 19 '22 11:09

Fabio Espinosa