Monday, 31 August 2020

SSL cert problem with XMLHttpRequest in js script - how insecure is insecure?

I'm running a .js script from a cron job that goes and gets some json from a remote server, and recently it started failing. (I'm not exactly sure how recently!). There's no front end to this project at all. It just grabs the json and emails some of it. (Because of the email part, yes, there's login info involved, if that makes any difference.)In debugging, I've found that, instead of returning the json, my XMLHttpRequest is returning an error with statusText: UNABLE_TO_VERIFY_LEAF_SIGNATURE. (If I open the API url directly in the browser, it shows the json correctly, so there's no problem there.)Google tells me that this is Node being upset about the SSL cert - but I'm not sure if I'm the SSL problem, or the server with the json I'm grabbing. Does anyone know?Either way, I can't update the SSL cert easily. The remote server isn't mine and the local server is controlled by IT. (It would take about a week just to get a response - probably a month to get a new SSL cert - and I'd like to get the script working again sooner than that.)Given that there's no front end for the project, is it safe-ish to disable strict_ssl? eg:process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; Another question. Below is my request code.var xhr = new XMLHttpRequest(); xhr.open("GET", url, false); xhr.send(null); If I remove the .send(null), I don't get the SSL error, but I also don't get any json. I thought that was for dealing with old browsers, but apparently not?

Submitted August 31, 2020 at 10:10PM by brakhage

No comments:

Post a Comment