Deno•2y ago

invalid peer certificate: UnknownIssuer

I'm running two https localhost services on different ports, and used mkcert to install a local CA, and create certs for each service.

One service attempts to fetch from the other, but it's failing with

error trying to connect: invalid peer certificate: UnknownIssuer

error trying to connect: invalid peer certificate: UnknownIssuer

I've set

DENO_TLS_CA_STORE=system

DENO_TLS_CA_STORE=system

.

I can access both services in Chrome and Firefox.

This used to work sometime ago (both MacOS and Deno have both upgraded since).

I'm now on MacOS 14.5 and Deno 1.44.4.

I'm a bit stumped as to why this no longer works, any ideas?

Deno AI Helper•7/2/24, 4:20 PM

Based on the error message , it seems that Deno is not recognizing the local CA that you've installed using . Since you've mentioned that you've set

DENO_TLS_CA_STORE=system

DENO_TLS_CA_STORE=system

, Deno should be using the system's root CA store, which should include the local CA you've added.

However, there are a few things you can check and try to resolve this issue:

Verify the Environment Variable: Ensure that the
```
DENO_TLS_CA_STORE=system
```
```
DENO_TLS_CA_STORE=system
```
environment variable is correctly set in the environment from which you're running Deno. You can check this by running in your terminal.
Check the CA Certificates: Verify that the local CA is indeed present in your system's root CA store. Since you're on macOS, you can check this using the Keychain Access app.
Use the Flag: If setting the environment variable doesn't work, you can try using the flag to explicitly specify the path to your local CA certificate when running your Deno script. According to the documentation:

Here's an example of how to use the flag:

Check for Updates: Since you mentioned that this issue arose after upgrading macOS and Deno, it's possible that there might be a regression or change in behavior. Check the Deno release notes for any known issues or changes related to TLS.
Debugging: If none of the above steps work, you may want to enable more verbose logging to get additional information about the TLS handshake process. This can sometimes provide clues as to why the certificate is not being trusted.

Remember

Deno AI Helper•7/2/24, 4:20 PM

that using the flag is not recommended as it disables certificate validation and is insecure. The documentation explicitly warns against using it:

If after trying these steps the issue persists, it might be helpful to check the Deno GitHub issues for similar problems or to file a new issue with detailed information about your setup and the problem you're encountering.

Helpful Links:
Deno 1.13 Release Notes
Deno 1.7 Release Notes
Deno 1.20 Release Notes
Deno 1.14 Release Notes
TCP/TLS Connector: Ping - Deno by Example
Deno 1.16 Release Notes