Error verifying https certificates

[jalvarezit]

What version of Bun is running?

1.0.12

What platform is your computer?

Linux 5.10.0-23-amd64 x86_64 unknown

What steps can reproduce the bug?

• Install kind

• Create a kubernetes cluster using kind: kind create cluster

• Create a bun project: bun init -y

• Install kubernetes client library: bun install @kubernetes/client-node

• Create the following index.js file:

  import k8s from '@kubernetes/client-node';
  
  const kc = new k8s.KubeConfig();
  
  kc.loadFromDefault();
  
  const k8sApi = kc.makeApiClient(k8s.CoreV1Api);
  
  const main = async () => {
      try {
          const podsRes = await k8sApi.listNamespacedPod('default');
          console.log(podsRes.body);
      } catch (err) {
          console.error(err);
      }
  };
  
  main();

• Execute it with bun: bun index.js

What is the expected behavior?

It should list the pods in the kubernetes cluster, below is the same program file executed with ts-node:

V1PodList {
  apiVersion: 'v1',
  items: [],
  kind: 'PodList',
  metadata: V1ListMeta {
    _continue: undefined,
    remainingItemCount: undefined,
    resourceVersion: '120519',
    selfLink: undefined
  }
}

What do you see instead?

Instead it throws the following error validating the certificates:

UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate
 path: "https://127.0.0.1:35781/api/v1/namespaces/default/pods"

Additional information

Other software versions that may be of interest:

• ts-node: v10.9.1
• kind: 0.20.0

[medzhidov]

I have the same bug with local certificates created by mkcert

[lionelquellery]

I have the same issue, but I'm working on Elysia JS a framework based on Bun. When, I have added my keys. I had this error when a run the server.

UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate

Someone has a solution against that?

[david-plugge]

duplicate of #7332

[dpeek]

Adding some hopefully helpful context: I'm also getting this issue when using devcert issued certificates.

From their docs:

When it installs or upgrades, devcert creates a self-signed certificate authority (CA) which it uses to sign all certificates it creates. It will try to register this CA with OS keychains in OSX, Linux, and Windows. However, some HTTP clients (such as Firefox and NodeJS itself) use their own trusted certificate list instead of the operating system's keychain.

To prevent SSL errors with Node, I had to add this to my profile:
export NODE_EXTRA_CA_CERTS="$HOME/Library/Application Support/devcert/certificate-authority/certificate.cert"

I guess bun needs to support this to be a drop in replacement for Node. It would also be cool if bun just supported the OS keychains so you didn't have to do this :)

Edit: looks like loading keychain certs was investigated in #6588 but the result was slow. Perhaps this is why Node went with NODE_EXTRA_CA_CERTS?

For now, export NODE_TLS_REJECT_UNAUTHORIZED=0 (while a bad idea TM) works around the issue.

[malthe]

Suggest rename to "Add support for NODE_EXTRA_CA_CERTS".

[Anprotaku]

Hi, im also having this issue right now and export NODE_TLS_REJECT_UNAUTHORIZED=0 does not fix the issue