Node- / ExpressJS - Could not obtain grant code: unable to get local issuer certificate

Time:02-18

I'm building a WebApp with Node- & ExpressJS. Currently I'm trying to connect my app to our company's Keycloak with the keycloak-connect module. I configured it as mentioned in different tutorials and it works (at least mostly).

When I connect to my WebApp, I receive the keycloak login screen and the login procedure is successful (session created on keycloak). After the login procedure and the redirect I receive an "Access denied" error and in the logs "Could not obtain grant code: unable to get local issuer certificate".

WebApp runs on port 443 with valid certificates


I've googled everything I could and tried following solutions:

-- Disable rejecting unauthorized TLS --

Disabled TLS rejection for unauthorized certificates with the node environment variable:

  • process.env.NODE_TLS_REJECT_UNAUTHORIZED = 0;

Works but isn't very secure... Log.

-- Add an extra CA certificate --

Installed dotenv module and set following env variable in .env file:

  • NODE_EXTRA_CA_CERTS='/etc/pki/tls/cert.pem' (& ca-bundle.crt)

Included it in app.js with "require('dotenv').config();", but it doesn't work... Also tried to set it as a system environment variable with export.


It stands behind a proxy but I also configured express to trust all proxies with "app.set('trust proxy', true);".


-- Versions --

Node - v16.13.1

Express - ~4.16.1

Keycloak-connect - ^16.1.1


I've seen this problem on many different pages and they're mostly not fully resolved... Would be nice to find a solution for this problem.

Thanks in advance! :)

Yannic

CodePudding user response:

Well I've found a solution and it works perfectly!

This comment on a GitHub issue describes how to send ca files with the HTTPS server from NodeJS.


You can enter your ca files / bundles in an array:

const fs = require('fs');
const https = require('https');

// Paths of the CA bundles that the HTTPS client should trust
const trustedCa = [
    '/etc/pki/tls/certs/ca-bundle.crt',
    '/etc/pki/tls/cert.pem'
];

Then read them with readFileSync and set them as the globalAgent.options.ca option for the HTTPS server:

// Replace the global agent's CA list with the bundles read from disk;
// every outgoing HTTPS request using the default agent then trusts them
https.globalAgent.options.ca = [];
for (const ca of trustedCa) {
    https.globalAgent.options.ca.push(fs.readFileSync(ca));
}

And that's all that needs to be done! Now I can login via Keycloak and it successfully redirects me to my WebApp without any errors.

Hopefully this helps.

Yannic
