David_G__33241
Sep 11, 2017

unable to verify the first certificate with node.js

I am trying to read a datagroup using node.js and am receiving the message "unable to verify the first certificate".

 

I have confirmed the command manually with curl and it does return the datagroup as expected:

 

curl -sk -uadmin:admin -v https://127.0.0.1/mgmt/tm/ltm/data-group/internal/~acc~dgroup

result:   …"records":[{"name":"test","data":"test"}]

f5_data_group.js has the following

 

var bigip = new iControl({
  host: '127.0.0.1',
  proto: 'https',
  port: '443',
  username: 'admin',
  pass: 'admin',
  strict: 'false',
  debug: 'true'
});

var dgPath = '/ltm/data-group/internal/~acc~dgroup';
exports.getDataGroup = function(callback) {
  bigip.list(dgPath, function(err, res) {
    console.log('bigip.list dgPath:', dgPath, 'err:', err);
    callback(res);
  });
};

Console.log is giving the following message:

 

plugin[/acc/f5_mfa_plugin.f5_mfa_extension] bigip.list dgPath: /ltm/data-group/internal/~acc~dgroup err: { [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }

I assume it might have to do with using a self-signed certificate on the BIG-IP; however, strict is set to false above.

 

Any suggestions?

 

APM 12.1.2
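
An added example, not part of the original post and not code from the iControl library: in JavaScript the string 'false' (the value passed for `strict` above) is truthy, so a client that tests the option for truthiness keeps certificate verification on. The helpers `toBool`, `naiveStrict` and `tlsOptions` are hypothetical, and how the library itself reads `strict` is an assumption; the sketch also shows trusting the BIG-IP's own certificate through the `ca` option of `https.request` instead of turning verification off.

```javascript
'use strict';
// Added example: hypothetical helpers, not part of the icontrol library.

// What a plain truthiness test makes of the value from the post:
// any non-empty string, including 'false', counts as true.
function naiveStrict(cfg) {
  return cfg.strict ? true : false;
}

// Convert common string spellings to a real boolean. Anything
// unrecognised falls back to the supplied default.
function toBool(value, fallback) {
  if (typeof value === 'boolean') return value;
  if (typeof value === 'string') {
    const v = value.trim().toLowerCase();
    if (['true', '1', 'yes', 'on'].includes(v)) return true;
    if (['false', '0', 'no', 'off'].includes(v)) return false;
  }
  return fallback;
}

// Build the TLS part of an https.request() options object.
//   cfg.strict : verify the server certificate (defaults to true)
//   cfg.caPem  : PEM text of the BIG-IP's certificate or its issuing CA.
//                When present, verification stays on and only this
//                certificate is added as a trust anchor.
function tlsOptions(cfg) {
  if (cfg.caPem) {
    return { rejectUnauthorized: true, ca: [cfg.caPem] };
  }
  return { rejectUnauthorized: toBool(cfg.strict, true) };
}

// Constructed sample configurations
console.log(naiveStrict({ strict: 'false' }));
console.log(tlsOptions({ strict: 'false' }));
console.log(tlsOptions({ strict: 'false', caPem: '<PEM placeholder>' }));
```

With `ca` set, Node still checks that the certificate's subject names match the host being called, so the certificate must cover the name or address used in `host`.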

 

  • Hi David, TMUI (the web GUI listening on port 443) only listens on port 443 and TLS is required. This is the only way to talk to iControl REST from off box.

     

    However, when calling localhost you can call iControl REST directly on port 8100, bypassing TMUI and forgoing the need for TLS. This will work with basic auth; token auth would be possible but would be a different workflow.

     

    One FYI to add about making REST calls to data groups (which you may already know): data groups are collections (vs sub-collections). What this means is that if you want to update even one value, your REST call must contain all records including changes (not just the changed records).

     

    • David_Gill

      Very cool - I didn't know you could do this and it works fine from the console:

       

      curl -uadmin:admin http://localhost:8100/mgmt/tm/ltm/data-group/internal/~acc~dgroup

      I made the following change:

       

      var bigip = new iControl({
        host: 'localhost',
        proto: 'http',
        port: '8100',
        username: 'admin',
        pass: 'admin',
        strict: 'false',
        debug: 'true'
      });

      but now get a "HPE_INVALID_CONSTANT" error:

       

      bigip.list dgPath: /ltm/data-group/internal/~acc~dgroup err: { [Error: Parse Error] bytesParsed: 0, code: 'HPE_INVALID_CONSTANT' }

      I am a true noob using node.js and don't really know how to debug this very well yet. Any suggestions are appreciated.

       

      Thanks,

       

  • Which node library are you using? I have a Node.js script using the core https module accessing the REST interface without a problem. I did have to set the rejectUnauthorized attribute to not validate the self cert.

     

    A section of the code looks like this:

     

      var http_opts = {
        host: BIGIP,
        method: verb,
        port: 443,
        rejectUnauthorized: 0,   // falsy: skip validation of the self-signed cert
        path: resource
      };

      var http_headers = {
        'Content-Type': 'application/json'
      };

      // Authentication Method
      var user = USER;
      var pass = PASS;

      if ( user && pass ) { http_opts["auth"] = user + ":" + pass; }
      else if ( token )   { http_headers["X-F5-Auth-Token"] = token; }

      // BODY? Content-Length is a byte count, not a character count
      if ( body ) { http_headers["Content-Length"] = Buffer.byteLength(body); }
    
      http_opts["headers"] = http_headers;
    
      var content = "";
      var req = https.request(http_opts, function(res) {