[BUG] SSL errors when run in mode with node 10.x env


Environment

  • chrome-aws-lambda Version: 2.1.1
  • puppeteer / puppeteer-core Version: 2.1.1
  • OS: Ubuntu 18.04
  • Node.js Version: 10.19.0
  • Lambda / GCF Runtime: GCF

Expected Behavior

HTTPS pages are crawled properly.

Current Behavior

Getting SSL errors. This happens both locally and on GCF. The same script was working well with traditional puppeteer.

Possible Solution

That’s also happening on GCF, not related to my machine

Steps to Reproduce

Take the example from the README:

const chromium = require('chrome-aws-lambda');

const main = async () => {
    let result = null;
    let browser = null;

    try {
        browser = await chromium.puppeteer.launch({
            args: chromium.args,
            defaultViewport: chromium.defaultViewport,
            executablePath: await chromium.executablePath,
            headless: chromium.headless,
        });

        let page = await browser.newPage();

        await page.goto('https://example.com');

        result = await page.title();
    } finally {
        if (browser !== null) {
            await browser.close();
        }
    }

    console.log(result);
};

main();
  • ✔️ run it with node, without specifying env variables. It works well:
node test.js
  • 🚫 run it with node, with env AWS_EXECUTION_ENV. It fails with ssl errors:
AWS_EXECUTION_ENV=AWS_Lambda_nodejs10.x node test.js

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
alixaxel commented, May 9, 2020

@gsouf Apologies for only now properly following up on this, but didn’t manage to find the time before.

After reading your question more closely I realized that you’re actually running on GCP! 😅 The lines you mentioned overlay the new AWS Lambda 2 environment with missing fonts and shared libraries from the Chromium sysroot, but they should only be executed on AWS Lambda, and not GCP.

So simply not setting the AWS_EXECUTION_ENV should make your problem go away. 🙂


@tnolet The underlying cause is libnss error code 8179:

CERT_PKIXVerifyCert failed err=-8179

image

As you can see the certificate chain is incomplete, if you test with cURL you can see that it also fails:

$ curl -v https://newborn.seha.sa/
*   Trying 95.177.221.251:443...
* Connected to newborn.seha.sa (95.177.221.251) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /var/cache/ca-certs/anchors
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

However https://www.seha.sa/account/login (after the redirect) works fine.


Same thing for the issue reported in #90:

$ curl -v https://portal.incometaxindiaefiling.gov.in/e-Filing/UserLogin/LoginHome.html?lang=eng
*   Trying 115.114.126.193:443...
* Connected to portal.incometaxindiaefiling.gov.in (115.114.126.193) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /var/cache/ca-certs/anchors
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

And https://www.incometaxindiaefiling.gov.in/home (before the redirect) works fine.


I don’t understand why rolling back to Node 8 solves the issue for you (and I can no longer spin up Node 8 Lambdas) but it could be that either Node or Chromium are more lax about the certificates (unlikely) or that the provisioned libnss ships with additional certificates in the system CA cert DB (more likely).

Either way, I’d recommend to upgrade and set ignoreHTTPSErrors: true in this case.

1 reaction
tnolet commented, Mar 6, 2020

I’m seeing similar behaviour. We are running chrome-lambda 1.19 on Node10x in canary mode on production. For example, this script:

const puppeteer = require("puppeteer");
const browser = await puppeteer.launch();
const page = await browser.newPage();
await page.goto("https://newborn.seha.sa/");
await browser.close();

will throw:

ERROR - (node:23) UnhandledPromiseRejectionWarning: Error: net::ERR_CERT_AUTHORITY_INVALID at https://newborn.seha.sa/

Switching back to node 8 fixes it. Also, using ignoreHTTPSErrors: true fixes it…but should we really want that?
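
One way to approach the "should we really want that?" question, as an added example that is not code from the issue or from chrome-aws-lambda: parse the curl -v output quoted in the thread to confirm the failure is the missing-issuer case, and turn on ignoreHTTPSErrors only for an exact host that has been reviewed. The function names and the reviewedHosts set are assumptions made for this example; the log lines are an excerpt of the curl output above.

```javascript
// Excerpt of the `curl -v` output quoted in the thread, embedded so this runs offline.
const SAMPLE_CURL_LOG = `
* Connected to newborn.seha.sa (95.177.221.251) port 443 (#0)
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate
`;

// Parse `curl -v` output into a small TLS diagnosis record (hypothetical helper).
function diagnoseCurlTls(log) {
  const conn = /^\* Connected to (\S+) \(([^)]+)\) port (\d+)/m.exec(log);
  const alert = /TLS alert, ([^(]+?) \(\d+\):/.exec(log);
  const exit = /^curl: \((\d+)\) (.+)$/m.exec(log);
  const problem = /SSL certificate problem: (.+)$/m.exec(log);
  return {
    host: conn ? conn[1] : null,
    port: conn ? Number(conn[3]) : null,
    alert: alert ? alert[1].trim() : null,
    exitCode: exit ? Number(exit[1]) : null,
    problem: problem ? problem[1].trim() : null,
    // OpenSSL reports this when it cannot find the issuer of a certificate in
    // the chain, e.g. the server did not send its intermediate certificate.
    issuerNotFound: !!problem &&
      /unable to get local issuer certificate/.test(problem[1]),
  };
}

// True only for an https URL whose exact hostname was reviewed AND whose
// diagnosed failure is the missing-issuer case; anything else keeps validation.
function ignoreHttpsErrorsFor(targetUrl, diagnosis, reviewedHosts) {
  const url = new URL(targetUrl);
  if (url.protocol !== 'https:') return false;
  return reviewedHosts.has(url.hostname) &&
    diagnosis.host === url.hostname &&
    diagnosis.issuerNotFound;
}

// Merge the decision into Puppeteer launch options. ignoreHTTPSErrors applies
// to the whole browser instance (redirect targets included), so use a
// dedicated browser per reviewed host instead of one shared instance.
function launchOptionsFor(targetUrl, diagnosis, reviewedHosts, base = {}) {
  const ignore = ignoreHttpsErrorsFor(targetUrl, diagnosis, reviewedHosts);
  return Object.assign({}, base, { ignoreHTTPSErrors: ignore });
}
```

The returned object can be passed to chromium.puppeteer.launch() together with the args and executablePath from the README example.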
