Mark G, 2w ago

invalid peer certificate: UnknownIssuer

I'm running two https localhost services on different ports, and used mkcert to install a local CA and create certs for each service. One service attempts to fetch from the other, but it's failing with error trying to connect: invalid peer certificate: UnknownIssuer. I've set DENO_TLS_CA_STORE=system. I can access both services in Chrome and Firefox. This used to work some time ago (both macOS and Deno have been upgraded since). I'm now on macOS 14.5 and Deno 1.44.4. I'm a bit stumped as to why this no longer works, any ideas?
2 Replies
Deno AI Helper
Based on the error message invalid peer certificate: UnknownIssuer, it seems that Deno is not recognizing the local CA that you've installed using mkcert. Since you've mentioned that you've set DENO_TLS_CA_STORE=system, Deno should be using the system's root CA store, which should include the local CA you've added. However, there are a few things you can check and try to resolve this issue:

1. Verify the Environment Variable: Ensure that the DENO_TLS_CA_STORE=system environment variable is correctly set in the environment from which you're running Deno. You can check this by running echo $DENO_TLS_CA_STORE in your terminal.

2. Check the CA Certificates: Verify that the local CA is indeed present in your system's root CA store. Since you're on macOS, you can check this using the Keychain Access app.

3. Use the --cert Flag: If setting the environment variable doesn't work, you can try using the --cert flag to explicitly specify the path to your local CA certificate when running your Deno script. According to the documentation:
You can use the --cert flag to do this for one-off certificates.

Here's an example of how to use the --cert flag:
deno run --allow-net --cert=./path/to/your/local_ca.pem your_script.ts

4. Check for Updates: Since you mentioned that this issue arose after upgrading macOS and Deno, it's possible that there might be a regression or change in behavior. Check the Deno release notes for any known issues or changes related to TLS.

5. Debugging: If none of the above steps work, you may want to enable more verbose logging to get additional information about the TLS handshake process. This can sometimes provide clues as to why the certificate is not being trusted.

Remember that using the --unsafely-ignore-certificate-errors flag is not recommended as it disables certificate validation and is insecure. The documentation explicitly warns against using it:
The --unsafely-ignore-certificate-errors flag optionally accepts a list of hostnames for which the verification should be disabled. If no argument is provided then no verification of certificates is performed. This is very insecure, and should not be used.

If after trying these steps the issue persists, it might be helpful to check the Deno GitHub issues for similar problems or to file a new issue with detailed information about your setup and the problem you're encountering. 🦕
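An added example, not from this thread, Deno or mkcert: instead of relying on the system store (or turning verification off), hand the mkcert root CA to an HTTP client in code, so the service-to-service fetch trusts exactly the CA you expect and reports an UnknownIssuer failure in plain terms. It assumes Deno.createHttpClient with a caCerts option and fetch's client option are available in your Deno version (older releases gated createHttpClient behind an unstable flag), that the root certificate is the rootCA.pem in the directory printed by mkcert -CAROOT, and that the peer listens on https://localhost:8443, a constructed URL.

```typescript
// Added example: trust the mkcert root CA explicitly for a localhost-to-localhost fetch.
// Assumptions: Deno.createHttpClient({ caCerts }) and fetch(url, { client }) exist in the
// running Deno; rootCA.pem comes from `mkcert -CAROOT`; https://localhost:8443 is a
// constructed peer address.

const PEM_CERTIFICATE = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;

// Pull the CERTIFICATE blocks out of a PEM file and drop everything else (private keys,
// comments). An empty result means the file would add nothing to the trust store, which is
// worth failing on loudly rather than letting the TLS handshake fail later with UnknownIssuer.
export function splitPemCertificates(pem: string): string[] {
  return (pem.match(PEM_CERTIFICATE) ?? []).map((block) => block.trim());
}

// Translate the rustls error text Deno surfaces into a plainer log message; returns
// undefined for anything other than the issuer problem discussed in the thread.
export function explainTlsFailure(message: string): string | undefined {
  if (message.includes("UnknownIssuer")) {
    return "the server certificate chains to a CA that this client does not trust; " +
      "check that the CA file is the mkcert root (mkcert -CAROOT) and that the server " +
      "cert was issued by it";
  }
  return undefined;
}

// Fetch `url` through a client whose trust store includes the CA(s) in `caPemPath`
// (Deno adds caCerts to its default roots). The body is read before the client is closed.
export async function fetchWithLocalCa(
  url: string,
  caPemPath: string,
): Promise<{ status: number; body: string }> {
  // Reached through globalThis so the helper type-checks outside Deno too.
  const deno = (globalThis as any).Deno;
  if (!deno) throw new Error("fetchWithLocalCa needs the Deno runtime");

  const caCerts = splitPemCertificates(await deno.readTextFile(caPemPath));
  if (caCerts.length === 0) {
    throw new Error(`${caPemPath} holds no CERTIFICATE block; expected the mkcert rootCA.pem`);
  }

  const client = deno.createHttpClient({ caCerts });
  try {
    const res = await fetch(url, { client } as RequestInit);
    return { status: res.status, body: await res.text() };
  } catch (err) {
    const msg = err instanceof Error ? err.message : String(err);
    const hint = explainTlsFailure(msg);
    throw new Error(hint ? `${url}: ${hint} (${msg})` : `${url}: ${msg}`);
  } finally {
    client.close();
  }
}

// Usage under Deno (skipped when the file is loaded elsewhere):
//   deno run --allow-net --allow-read fetch_with_ca.ts https://localhost:8443/ "$(mkcert -CAROOT)/rootCA.pem"
const denoGlobal = (globalThis as any).Deno;
if (denoGlobal && denoGlobal.args?.length === 2) {
  const [url, caPath] = denoGlobal.args as [string, string];
  fetchWithLocalCa(url, caPath)
    .then((r) => console.log(r.status, r.body.slice(0, 200)))
    .catch((e) => {
      console.error(e.message);
      denoGlobal.exit(1);
    });
}
```

Because caCerts is added to the default roots rather than replacing them, this also works as a narrow check: if the fetch succeeds with rootCA.pem passed in but fails with DENO_TLS_CA_STORE=system alone, the problem is the system store lookup, not the certificates mkcert issued.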