UNABLE_TO_VERIFY_LEAF_SIGNATURE

Hi all,

I am trying to use Fetch to extend WiX functionality by using my own application server.
It works correctly when I use http, but when I try to use https I get the UNABLE_TO_VERIFY_LEAF_SIGNATURE error (the full error description can be found at the end of this post). The SSL certificate is a COMODO certificate and was generated through https://www.cyberssl.com/; the certificate is correctly recognized by Chrome and MS Edge.

How should this issue be resolved in the WiX environment?

Note: https://my.application.server.com is not the real URL that we use. We don’t want to publish the real one publicly just now, so don’t try to follow it :)

{ FetchError: request to https://my.application.server.com failed, reason: unable to verify the first certificate
    at ClientRequest. (/elementory/g/backend/wix/node_modules/wix-fetch/node_modules/node-fetch/index.js:133:11)
    at emitOne (events.js:116:13)
    at ClientRequest.emit (events.js:211:7)
    at TLSSocket.socketErrorListener (_http_client.js:387:9)
    at emitOne (events.js:116:13)
    at TLSSocket.emit (events.js:211:7)
    at emitErrorNT (internal/streams/destroy.js:64:8)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickDomainCallback (internal/process/next_tick.js:218:9)
  name: 'FetchError',
  message: 'request to https://my.application.server.com failed, reason: unable to verify the first certificate',
  type: 'system',
  errno: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }
null

The problem seems to be that the certificate is not trusted by the client. I’m somewhat familiar with Comodo, and I would say that the most likely scenario causing this problem is that the certificate is self-signed.

Yes, the problem is definitely that the certificate is not trusted by the client - WiX in this case - although it is trusted by Chrome and MS Edge - I get zero warnings when accessing the web server through both browsers.
What do you mean by a self-signed certificate? As I understand it, “self-signed” means a certificate that is not signed by any CA, for example one created with OpenSSL - but in that case each browser blocks the access and shows an alert. That is not the case here, browsers are OK with the certificate - since COMODO is a valid CA (as I understand).

In any case, what should be the right solution for this issue?

The client is Wix - or at least a Wix web site. Browsers have their rules for deciding trust, and servers have their rules. Apparently the server has a problem with the certificate on the fetch. You need to check with the 3rd party service provider to work this out.

If you need further details or clarification, I would recommend contacting the Wix support team, as they know best.

Hi Yisrael,

Thanks a lot for your help. After you pointed out that it behaves like a self-signed certificate, I understood that I did not use the CA certificate on the server side.
The issue was resolved by adding the CA certificate as the SSLCertificateChainFile parameter to ssl.conf on the server side.

Best regards,

Dima
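
The fix described in the post above, sketched as an Apache ssl.conf fragment. This is an added example, not the poster's actual configuration; the file paths are placeholders and the host name is the stand-in used in the thread.

```apache
# Added illustration: file paths are placeholders, not values from the thread.
<VirtualHost *:443>
    ServerName my.application.server.com
    SSLEngine on

    # Leaf (server) certificate and its private key.
    SSLCertificateFile      /path/to/server.crt
    SSLCertificateKeyFile   /path/to/server.key

    # The line that was missing: the CA's intermediate certificate(s).
    # Without it the server sends only the leaf in the TLS handshake. Browsers
    # can often fill the gap themselves (cached intermediates, AIA fetching);
    # Node.js clients such as node-fetch validate only what the server sends
    # against their root store and fail with UNABLE_TO_VERIFY_LEAF_SIGNATURE.
    SSLCertificateChainFile /path/to/ca-bundle.crt

    # Apache 2.4.8 and later: SSLCertificateChainFile is deprecated. Append the
    # intermediates to the file named in SSLCertificateFile instead, leaf first,
    # and drop the directive above:
    #   cat server.crt ca-bundle.crt > server-fullchain.crt
    #   SSLCertificateFile /path/to/server-fullchain.crt
</VirtualHost>
```

After reloading Apache, `openssl s_client -connect <host>:443 -servername <host> -showcerts` should list the intermediate certificate after the leaf in the chain the server presents.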

Wow! Glad you got this worked out. I haven’t dealt with this kind of stuff for a good number of years now. Glad I was able to remember at least some of it. :beers:

Hi, Dmitry. I’m facing the same issue. How did you solve it exactly?