Home > OS >  Node- / ExpressJS - Could not obtain grant code: unable to get local issuer certificate
Node- / ExpressJS - Could not obtain grant code: unable to get local issuer certificate

Time:02-18

I'm building a WebApp with Node- & ExpressJS. Currently I'm trying to connect my app to our company's Keycloak with the keycloak-connect module. I configured it as mentioned in different tutorials and it works (atleast mostly).

When I connect to my WebApp, I receive the keycloak login screen and the login procedure is successful (session created on keycloak). After the login procedure and the redirect I receive an "Access denied" error and in the logs "Could not obtain grant code: unable to get local issuer certificate".

WebApp runs on port 443 with valid certificates

I've googled everything I could and tried following solutions:

-- Disable rejecting unauthorized TLS --

Disabled TLS Rejection for unauthorized certificates with the node envorinment variable:

  • process.env.NODE_TLS_REJECT_UNAUTHORIZED = 0;

Works but isn't very secure... Log.

-- Add an extra CA certificate --

Installed dotenv module and set following env variable in .env file:

  • NODE_EXTRA_CA_CERTS='/etc/pki/tls/cert.pem' (& ca-bundle.crt)

Included it in app.js with "require('dotenv').config();", doesn't work... Also tried to set it as a system environment variable with export.

It stands behind a proxy but I also configured express to trust all proxies with "app.set('trust proxy', true);".

-- Versions --

Node - v16.13.1

Express - ~4.16.1

Keycloak-connect - ^16.1.1

I've seen this problem on many different pages and they're mostly not fully resolved... Would be nice to find a solution for this problem.

Thanks in advance! :)

Yannic

CodePudding user response:

Well I've found a solution and it works perfectly!

This comment on a GitHub issue describes, how to send ca files with the HTTPS server from NodeJS.

You can enter your ca files / bundles in an array:

const trustedCa = [
    '/etc/pki/tls/certs/ca-bundle.crt',
    '/etc/pki/tls/cert.pem'
];

Then read them with fileSync and set them as the globalAgent.options.ca option for the HTTPS server:

https.globalAgent.options.ca = [];
for (const ca of trustedCa) {
    https.globalAgent.options.ca.push(fs.readFileSync(ca));
}

And that's all that needs to be done! Now I can login via Keycloak and it successfully redirects me to my WebApp without any errors.

Hopefully this helps.

Yannic

Page link:https//www.codepudding.com/os/306136.html

Prev:Sharing a folder between react & node typescript
Next:How to use a sequelize transaction to delete multiple different data along with some conditions in e
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding