Error: unable to verify the first certificate #4760

Closed
dreami2023 opened this issue Feb 2, 2022 · 7 comments

@dreami2023

Describe the current behavior
I want to use PeerTube version 4 and MinIO together. I installed them on two separate servers, but the transcoded video cannot be uploaded to MinIO. I am getting an SSL certificate error. The root certificate is installed in the system.
With the MinIO client, it is possible to upload using the certificate in the system.
Access is also provided using s3cmd.
But it is not possible to transfer from PeerTube to the MinIO server.

  • PeerTube instance:
    • URL: on-premise
    • version: 4.0
    • NodeJS version: 14.18.3
    • Ffmpeg version: 4.4.1
    • OS: Ubuntu 20.04.3
    • minio v.2022-02-01

Feb 02 10:46:28 hbizsl23 peertube[4591]: "payload": {
Feb 02 10:46:28 hbizsl23 peertube[4591]: "videoUUID": "63d0d607-1705-4bd9-97cd-b92b2220345e",
Feb 02 10:46:28 hbizsl23 peertube[4591]: "isNewVideo": true
Feb 02 10:46:28 hbizsl23 peertube[4591]: },
Feb 02 10:46:28 hbizsl23 peertube[4591]: "err": {
Feb 02 10:46:28 hbizsl23 peertube[4591]: "stack": "Error: unable to verify the first certificate\n at TLSSocket.onConnectSecure (_tls_wrap.js:1515:34)\n at TLSSocket.emit (events.js:400:28)\n at TLSSocket.emit (domain.js:475:12)\n at TLSSocket._finishInit (_tls_wrap.js:937:8)\n at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:709:12)",
Feb 02 10:46:28 hbizsl23 peertube[4591]: "message": "unable to verify the first certificate",
Feb 02 10:46:28 hbizsl23 peertube[4591]: "code": "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
Feb 02 10:46:28 hbizsl23 peertube[4591]: "$metadata": {
Feb 02 10:46:28 hbizsl23 peertube[4591]: "attempts": 1,
Feb 02 10:46:28 hbizsl23 peertube[4591]: "totalRetryDelay": 0
Feb 02 10:46:28 hbizsl23 peertube[4591]: }
Feb 02 10:46:28 hbizsl23 peertube[4591]: }
Feb 02 10:46:28 hbizsl23 peertube[4591]: }

@Chocobozzz
Owner

> Root certificate is installed in the system.

Where is it installed?

Could you try https://nodejs.org/api/cli.html#node_extra_ca_certsfile?

@Chocobozzz added the "Status: Waiting for answer" (waiting issue author answer) label on Feb 2, 2022
@dreami2023
Author

I did it based on adding a custom CA certificate on Ubuntu 20.04.
https://ubuntu.com/server/docs/security-trust-store
Shouldn't this process be sufficient?

@Chocobozzz
Owner

> Shouldn't this process be sufficient?

It seems nodejs does not load system certs, and you need to specify custom ones using https://nodejs.org/api/cli.html#node_extra_ca_certsfile

@dreami2023
Author

I added the script below to /etc/profile.d.
But I keep getting the same error.
npm config set cafile /temp/ca/bundled.pem --global
yarn config set cafile /temp/ca/bundled.pem --global
echo "cafile=/temp/ca/bundled.pem" >> ~/.npmrc
export NODE_EXTRA_CA_CERTS=/temp/ca/bundled.pem

@Chocobozzz
Owner

@dreami2023
Author

Hi,
I solved the certificate problem thanks to your support.
And I have one more question.
It provides access to the PeerTube MinIO server by adding the package name to the hostname.
bucket name: hls
s3 host: minio.bmsxl..com
access path: https://hls.minio.bmsxl..com/...
When accessing with the MinIO client, it reaches the form https://minio.bmsxl..com/hls/..
I can't use a wildcard certificate.
In this case, it gives the ERR_CERT_COMMON_NAME_INVALID error because I have an SSL certificate for https://minio.bmsxl..com.
Can you find a solution for this?
Or is something like a PeerTube MinIO client integration on the agenda?
Thanks again for your support.

@Chocobozzz
Owner

> I solved the certificate problem thanks to your support.

How did you do it?

> In this case, it gives the ERR_CERT_COMMON_NAME_INVALID error because I have an ssl certificate for https://minio.bmsxl..com/.

Then just generate a certificate dedicated to your bucket: hls.minio.bmsxl.com

See also: #4455
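
An added example, not part of the thread and not PeerTube or MinIO code: it runs Node's own `tls.checkServerIdentity` over the two bucket addressing styles discussed above to show which certificate names each one needs. The host `minio.example.test` and the helper names are constructed for illustration; only the bucket name `hls` comes from the thread.

```javascript
const tls = require('tls');

// The two hostnames an S3 client may connect to for a given bucket.
function bucketHosts(endpointHost, bucket) {
  return {
    pathStyle: endpointHost,                    // https://endpoint/bucket/key
    virtualHosted: `${bucket}.${endpointHost}`, // https://bucket.endpoint/key
  };
}

// Minimal stand-in for a peer certificate: tls.checkServerIdentity() only
// reads subject and subjectaltname. The names are constructed, no real cert.
function fakeCert(dnsNames) {
  return {
    subject: { CN: dnsNames[0] },
    subjectaltname: dnsNames.map((n) => `DNS:${n}`).join(', '),
  };
}

// For each addressing style, report whether the certificate's DNS names
// cover the host the client would connect to, using Node's matching rules.
function checkBucketTls(endpointHost, bucket, certDnsNames) {
  const cert = fakeCert(certDnsNames);
  const result = {};
  for (const [style, host] of Object.entries(bucketHosts(endpointHost, bucket))) {
    const err = tls.checkServerIdentity(host, cert); // undefined means match
    result[style] = { host, ok: err === undefined, code: err ? err.code : null };
  }
  return result;
}

// Constructed sample input: placeholder endpoint, bucket "hls".
const ENDPOINT = 'minio.example.test';
const cases = {
  // Certificate issued only for the endpoint host (the situation in the thread).
  endpointOnly: checkBucketTls(ENDPOINT, 'hls', [ENDPOINT]),
  // Certificate that also lists the bucket hostname as a SAN (the suggested fix).
  withBucketSan: checkBucketTls(ENDPOINT, 'hls', [ENDPOINT, `hls.${ENDPOINT}`]),
  // Wildcard only: covers bucket hosts but not the bare endpoint host.
  wildcard: checkBucketTls(ENDPOINT, 'hls', [`*.${ENDPOINT}`]),
};

console.log(JSON.stringify(cases, null, 2));
```

Node reports the mismatch as `ERR_TLS_CERT_ALTNAME_INVALID`; Chromium-based browsers surface the same condition as `ERR_CERT_COMMON_NAME_INVALID`.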
