http://bugzilla.opensuse.org/show_bug.cgi?id=1000036

            Bug ID: 1000036
           Summary: devel:languages:nodejs/nodejs: CA certificates broken on SLE11
    Classification: openSUSE
           Product: openSUSE.org
           Version: unspecified
          Hardware: Other
                OS: SLES 11
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: 3rd party software
          Assignee: i@marguerite.su
          Reporter: adaugherity@tamu.edu
        QA Contact: opensuse-communityscreening@forge.provo.novell.com
                CC: amajer@suse.com
          Found By: ---
           Blocker: ---

After https://build.opensuse.org/request/show/424285 was added, anything using the system CA certificate directory is broken on SLE_11_SP4 (simple test: 'npm ping', which fails with 'Error: unable to get local issuer certificate'). npm is unable to access the registry, and anything in Node making SSL connections fails.

This appears to be because the certificate hashing algorithm changed between openssl 0.9.8 (shipped in SLES 11) and 1.0+ (1.0.2 is bundled with Node.js) -- see the -subject_hash and -subject_hash_old options in x509(1ssl).

Running npm under strace confirms this:

==== SLES 11 ====
npm http request GET https://registry.npmjs.org/-/ping?write=true
stat("/etc/ssl/certs/4a6481c9.0", 0x7fffdc5e9fb0) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/73af33e2.0", 0x7fffdc5e9fb0) = -1 ENOENT (No such file or directory)
==== Leap 42.1 ====
stat("/etc/ssl/certs/4a6481c9.0", {st_mode=S_IFREG|0444, st_size=1354, ...}) = 0ches userconfig)
====

On 42.1, that is a symlink to GlobalSign_Root_CA_-_R2.pem, which is indeed the CA for registry.npmjs.org.
On SLES 11, however, the hash link is "111e6273.0", which matches the "subject_hash_old":

====
leap421:/etc/ssl/certs $ openssl x509 -noout -subject_hash -subject_hash_old -in GlobalSign_Root_CA_-_R2.pem
4a6481c9
111e6273
====

Workarounds include copying the CA certificate directory from a Leap/SLE12 machine, or copying the SLE11 certs to a newer machine, running c_rehash, and copying back (optionally to a new directory we point node at); this is better than disabling 'strict-ssl' in npm but not great.

Since the system CA cert dir from SLE11 is not usable by the openssl bundled with Node, it's probably best to disable the "use-system-ca-store" patch for SLE11 and let Node.js use its built-in bundle. I'll submit a request in OBS if this is an acceptable solution.
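
A check for the hash-link mismatch described in the report, as an added example that is not part of the original bug report or of the Node.js package. The function name ca_dir_hash_scheme is hypothetical; it assumes the CA certificates are stored as *.pem files in the directory and that the local openssl is 1.0 or newer (so that -subject_hash_old is available).

```shell
#!/bin/sh
# Added example: report which subject-hash scheme the <hash>.<n> links in a
# CA directory follow. "old" means the links were made by OpenSSL 0.9.8-style
# hashing and will not be found by a client built against OpenSSL 1.0+.
#
# Usage: ca_dir_hash_scheme DIR   -> prints new, old, mixed or none
ca_dir_hash_scheme() {
    dir=$1
    new_hits=0
    old_hits=0
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        # One openssl call per option so the result does not depend on
        # the order in which openssl prints multiple outputs.
        new=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || continue
        old=$(openssl x509 -noout -subject_hash_old -in "$cert" 2>/dev/null) || continue
        # Links are named <hash>.<n>; n counts up from 0 when hashes collide.
        for link in "$dir/$new".*; do
            if [ -e "$link" ]; then
                new_hits=$((new_hits + 1))
                break
            fi
        done
        for link in "$dir/$old".*; do
            if [ -e "$link" ]; then
                old_hits=$((old_hits + 1))
                break
            fi
        done
    done
    if [ "$new_hits" -gt 0 ] && [ "$old_hits" -gt 0 ]; then
        echo mixed
    elif [ "$new_hits" -gt 0 ]; then
        echo new
    elif [ "$old_hits" -gt 0 ]; then
        echo old
    else
        echo none
    fi
}

# When run as a script with a directory argument, print the result.
if [ "$#" -gt 0 ]; then
    ca_dir_hash_scheme "$1"
fi
```

A result of "old" for /etc/ssl/certs corresponds to the SLES 11 case in the report; "new" or "mixed" means a client linked against OpenSSL 1.0+ can resolve the links.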