IAP service account certificate error #1537

Open
peteole opened this issue Apr 12, 2023 · 1 comment
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

peteole commented Apr 12, 2023

Environment details

  • OS: macOS/Google Cloud Functions
  • Node.js version: 16
  • npm version: 9.5.0
  • google-auth-library version: 8.7.0

Steps to reproduce

  1. Create an IAP
  2. Create a client like here, filling in your values

The ID token will be fetched without issues. I also verified that the token works by using it in a curl request. However, the client throws the following error:

FetchError: request to https://my-protected-domain.com/mypage failed, reason: unable to verify the first certificate
    at ClientRequest.<anonymous> (/<me>/node_modules/node-fetch/lib/index.js:1491:11)
    at ClientRequest.emit (node:events:513:28)
    at TLSSocket.socketErrorListener (node:_http_client:502:9)
    at TLSSocket.emit (node:events:513:28)
    at emitErrorNT (node:internal/streams/destroy:151:8)
    at emitErrorCloseNT (node:internal/streams/destroy:116:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
  type: 'system',
  errno: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
...

It is interesting to note that this happens in the Node.js client and the Python client, but not in the Golang client. For the Python client, setting verify=False in the request solves the issue (in an insecure way).
The service account is verified by a keypair via the GOOGLE_APPLICATION_CREDENTIALS environment variable.
This happens both locally and in a cloud function.
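
The error code in the trace above is OpenSSL's result for "issuer of the leaf certificate not found", which typically appears when a server sends its leaf certificate without the intermediate. The following is an added example, not code from this issue or from google-auth-library: it reproduces that condition with throwaway certificates and shows verification succeeding once the intermediate is supplied, with verification left on. All certificate names are constructed, and that the endpoint in this report serves an incomplete chain is an assumption.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf; all names are made up.
set -eu

issue() {  # issue <path-prefix> <CN> <extfile> <signing args...>
  name=$1; cn=$2; ext=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=$cn" -keyout "$name.key" -out "$name.csr" 2>/dev/null
  openssl x509 -req -in "$name.csr" -days 1 -extfile "$ext" "$@" \
    -out "$name.pem" 2>/dev/null
}

make_chain() {  # make_chain <workdir>
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  issue "$d/root" 'Demo Root' "$d/ca.ext" -signkey "$d/root.key"
  issue "$d/int" 'Demo Intermediate' "$d/ca.ext" \
    -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial
  issue "$d/leaf" 'my-protected-domain.example' "$d/leaf.ext" \
    -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial
}

# Client trusts the root, server sent only the leaf: the issuer cannot be found.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same trust store, but the intermediate is available for chain building
# (sent by the server, or appended to the client's CA bundle).
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    "$1/leaf.pem" >/dev/null 2>&1
}

w=$(mktemp -d)
make_chain "$w"
verify_leaf_only "$w" && echo "leaf only: OK" \
  || echo "leaf only: FAIL (issuer of leaf not found)"
verify_with_intermediate "$w" && echo "with intermediate: OK" \
  || echo "with intermediate: FAIL"
rm -rf "$w"
```

When the incomplete chain is on a server you do not control, Node.js accepts additional CA certificates through the NODE_EXTRA_CA_CERTS environment variable and Python requests accepts a bundle path in verify=, both of which keep certificate verification enabled.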

@peteole peteole added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Apr 12, 2023
@danielbankhead danielbankhead removed their assignment Jul 12, 2023
eshaanmoorjani commented Sep 11, 2024

@danielbankhead come back and fix pls i need u rn
