Node.js request CERT_HAS_EXPIRED
Categories:
Resolving 'CERT_HAS_EXPIRED' Errors in Node.js Applications
Learn to diagnose and fix common 'CERT_HAS_EXPIRED' errors when making HTTPS requests in Node.js, often encountered with self-signed certificates or outdated CAs.
The 'CERT_HAS_EXPIRED' error is a common hurdle for Node.js developers, especially when interacting with internal services, development environments, or APIs secured with self-signed SSL/TLS certificates. This error indicates that the certificate presented by the server has passed its validity period, leading Node.js's built-in HTTPS module to reject the connection for security reasons. Understanding the root causes and appropriate solutions is crucial for maintaining secure yet functional applications.
Understanding the 'CERT_HAS_EXPIRED' Error
When a Node.js application attempts to establish an HTTPS connection, it performs a series of checks on the server's SSL/TLS certificate. One of these critical checks is certificate expiration. Certificates are issued with a specific validity period, and once this period elapses, the certificate is considered expired. Browsers and applications, including Node.js, are designed to reject connections to expired certificates to prevent potential security vulnerabilities, as an expired certificate might indicate a lack of maintenance or a compromised system.
This error often manifests in scenarios where:
- Self-signed certificates are used in development or internal environments and haven't been renewed.
- Internal Certificate Authorities (CAs) have issued certificates that have expired.
- Third-party APIs or services have let their certificates expire (less common but possible).
- System clock issues on the client or server side can sometimes cause misinterpretations of certificate validity.
flowchart TD
A[Node.js Client] --> B{HTTPS Request}
B --> C[Server]
C -- Presents SSL/TLS Certificate --> B
B --> D{Validate Certificate?}
D -- Check Expiration Date --> E{Is Certificate Expired?}
E -- Yes --> F["CERT_HAS_EXPIRED" Error]
E -- No --> G[Connection Established]
F --> H[Request Fails]Flowchart illustrating the certificate validation process leading to 'CERT_HAS_EXPIRED'.
Diagnosing and Initial Troubleshooting
Before attempting solutions, it's important to confirm the certificate's status. You can use command-line tools or browser developer tools to inspect the certificate of the target server. For example, openssl s_client -connect example.com:443 can provide detailed certificate information, including its validity dates.
If the certificate is indeed expired, the ideal solution is to have the server administrator renew or replace it. However, in development or specific internal scenarios, this might not be immediately feasible, or you might need a temporary workaround.
openssl s_client -connect your-server.com:443 < /dev/null | openssl x509 -noout -dates
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0') is a significant security risk and should never be used in production environments. It bypasses all SSL/TLS security checks, making your application vulnerable to man-in-the-middle attacks. Use it only for temporary debugging in isolated development environments.Solutions for 'CERT_HAS_EXPIRED'
There are several approaches to handle this error, ranging from best practices to temporary workarounds. The most appropriate solution depends on your environment and the nature of the certificate.
1. Renew or Replace the Certificate
The most secure and recommended solution is to renew the expired certificate on the server. If it's a self-signed certificate, generate a new one with a valid expiration date. If it's issued by a CA, follow the CA's renewal process. This ensures continued secure communication without compromising integrity.
2. Provide a Custom CA Certificate
If you are connecting to a server using a self-signed certificate or a certificate issued by an internal CA that is not trusted by default by Node.js, you can explicitly provide the CA certificate. This tells Node.js to trust that specific CA, even if the certificate it issued is self-signed or from a non-public CA. This is a secure way to handle internal certificates.
3. Temporarily Disable Certificate Validation (Development Only)
For development or testing purposes, you might temporarily disable certificate validation. This is done by setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0'. Remember, this is highly insecure and should never be used in production. It's a quick fix for debugging, not a long-term solution.
4. Use rejectUnauthorized: false in Request Options
Similar to the environment variable, many HTTP client libraries (like axios or the built-in https module) allow you to pass an option rejectUnauthorized: false to disable certificate validation for a specific request. Again, this carries the same security risks as the environment variable and should be used with extreme caution and only in non-production contexts.
const https = require('https');
const fs = require('fs');
// Option 1: Providing a custom CA certificate
// This is the recommended approach for internal/self-signed CAs
const caCert = fs.readFileSync('/path/to/your/ca-certificate.pem');
const optionsWithCA = {
hostname: 'your-internal-server.com',
port: 443,
path: '/',
method: 'GET',
ca: [caCert] // Provide the CA certificate here
};
https.request(optionsWithCA, (res) => {
console.log('statusCode:', res.statusCode);
res.on('data', (d) => process.stdout.write(d));
}).on('error', (e) => {
console.error('Error with custom CA:', e);
}).end();
// Option 2: Temporarily disabling validation (DANGEROUS - DEVELOPMENT ONLY)
// process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
// const optionsInsecure = {
// hostname: 'your-expired-server.com',
// port: 443,
// path: '/',
// method: 'GET'
// };
// https.request(optionsInsecure, (res) => {
// console.log('statusCode:', res.statusCode);
// res.on('data', (d) => process.stdout.write(d));
// }).on('error', (e) => {
// console.error('Error with insecure option:', e);
// }).end();
// // Remember to reset it if you set it globally
// // delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
// Option 3: Using rejectUnauthorized: false for specific requests (DANGEROUS - DEVELOPMENT ONLY)
const optionsRejectUnauthorized = {
hostname: 'your-expired-server.com',
port: 443,
path: '/',
method: 'GET',
rejectUnauthorized: false // Disable validation for this request
};
https.request(optionsRejectUnauthorized, (res) => {
console.log('statusCode:', res.statusCode);
res.on('data', (d) => process.stdout.write(d));
}).on('error', (e) => {
console.error('Error with rejectUnauthorized:', e);
}).end();
.pem file contains the full certificate chain if necessary. This helps Node.js build a complete trust path to validate the server's certificate.By understanding the implications of each solution, you can choose the most appropriate method to resolve 'CERT_HAS_EXPIRED' errors in your Node.js applications while maintaining an acceptable level of security for your specific environment.