 

Error: unable to verify the first certificate in nodejs azure queue storage createMessage

I am trying to test my Azure Queue Storage on the Azurite emulator on macOS in a local environment. I wrote a piece of code to send a message, which was to be viewed in Azure Storage Explorer. I am using the https connection string as stated in the Azurite documentation and have set up a self-signed rootCA.pem certificate in Azure Storage Explorer. However, when I put my code in a file file.js and run node file.js, it still gives me the following error message. Does anyone know what I have done wrong? Let me know if more information is required.

file.js

'use strict';


const storage = require('azure-storage');
const queueService = storage.createQueueService("DefaultEndpointsProtocol=https;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=https://127.0.0.1:11000/devstoreaccount1;QueueEndpoint=https://127.0.0.1:11001/devstoreaccount1;");

queueService.messageEncoder = new storage.QueueMessageEncoder.TextBase64QueueMessageEncoder();



function testing() {

  queueService.createMessage('emailv2', "Hello world", (error) => {
    if (error) {
      console.log('Error encountered when enqueueing welcome message', error);
      console.log()
    }
  });
}



console.log(testing())

Error message

Error encountered when enqueueing welcome message Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:932:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12) {
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
}
Prashin Jeevaganth asked Oct 29 '25 17:10


2 Answers

Regarding the error, it seems that the root certificate is missing from your Node's CA bundle, so chain verification fails. I suggest you add the root certificate to your Node runtime.

For example

  1. Configure HTTPS for the Azurite emulator

    a. Generate the PEM file and key file

     mkcert -install
     mkcert 127.0.0.1

    b. Start the Azurite emulator with HTTPS

    azurite --cert 127.0.0.1.pem --key 127.0.0.1-key.pem -s -l c:\azurite -d c:\azurite\debug.log --oauth basic

  2. Code

//add the root certificate in your HTTP agent
const rootCas = require("ssl-root-cas").create();
rootCas.addFile("<the path of rootCA.pem>");
require("https").globalAgent.options.ca = rootCas;

const storage = require("azure-storage");
const queue = storage.createQueueService(
  "DefaultEndpointsProtocol=https;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=https://127.0.0.1:10000/devstoreaccount1;QueueEndpoint=https://127.0.0.1:10001/devstoreaccount1;"
);
// use our own HTTP agent (the global agent configured above)
queue.enableGlobalHttpAgent = true;
// the message encoding I use is base64
queue.messageEncoder = new storage.QueueMessageEncoder.TextBase64QueueMessageEncoder();
queue.createMessage("test", "hello", (error) => {
  if (error) throw error;
  console.log("sent successfully");

  // read the message back only after the enqueue has completed,
  // otherwise getMessages can run first and return an empty list
  queue.getMessages("test", (error, serverMessages) => {
    if (error) throw error;
    if (serverMessages.length === 0) {
      console.log("no messages in the queue");
      return;
    }
    console.log(serverMessages[0].messageText);
    queue.deleteMessage(
      "test",
      serverMessages[0].messageId,
      serverMessages[0].popReceipt,
      (error) => {
        if (error) throw error;
        console.log("complete the message successfully");
      }
    );
  });
});


For more details, please refer to here and here

Jim Xu answered Nov 01 '25 08:11


I should say that @Jim Xu's answer is completely correct (and it deserves an upvote more than my little addition), except that you do not want to do the "//add the root certificate in your HTTP agent" part in a server environment.

A much gentler way to do that is to set NODE_EXTRA_CA_CERTS, the env variable to load additional root CAs. This is mentioned in both the ssl-root-cas and mkcert docs. Only the Azurite docs decided to omit this fact as obvious.

If you executed mkcert -install on the first step, the location of the root CA can be retrieved with mkcert -CAROOT.

The only thing left is to figure out how to set the env variable before running node. If you are using a VS Code launch.json node task, you can add 'args' parameters there. Or, if you are running a local Azure function ('func start'), use the local.settings.json/Values section.

Jurijs Kovzels answered Nov 01 '25 06:11
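One way to apply the NODE_EXTRA_CA_CERTS suggestion from the second answer so that the mkcert root is trusted by a single process only, with a check that the server certificate really chains to that root. This is an added example, not code from either answer; the function names run_with_dev_ca and leaf_chains_to_root are hypothetical, and it assumes the root CA file is named rootCA.pem inside the directory printed by mkcert -CAROOT.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; rootCA.pem is the file name
# assumed inside the directory printed by `mkcert -CAROOT`.

# leaf_chains_to_root ROOT_CA LEAF_CERT
# Succeeds only if the server certificate verifies against the given root CA.
# If this fails, the leaf was not issued by that root, so trusting the root
# in Node will not make the TLS handshake succeed either.
leaf_chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# run_with_dev_ca CAROOT_DIR COMMAND [ARGS...]
# Runs COMMAND with NODE_EXTRA_CA_CERTS set for that one process only,
# instead of exporting the development root CA into the whole shell session.
run_with_dev_ca() {
  if [ "$#" -lt 2 ]; then
    echo "usage: run_with_dev_ca CAROOT_DIR COMMAND [ARGS...]" >&2
    return 2
  fi
  ca="$1/rootCA.pem"
  shift
  # Fail fast with a clear message rather than letting node start
  # without the extra root and hit the TLS error later.
  if [ ! -r "$ca" ]; then
    echo "root CA not readable: $ca" >&2
    return 1
  fi
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
    echo "no PEM certificate found in: $ca" >&2
    return 1
  fi
  # The assignment prefix applies to this command only.
  NODE_EXTRA_CA_CERTS="$ca" "$@"
}

# Typical use (not executed here):
#   leaf_chains_to_root "$(mkcert -CAROOT)/rootCA.pem" 127.0.0.1.pem
#   run_with_dev_ca "$(mkcert -CAROOT)" node file.js
```

NODE_EXTRA_CA_CERTS is read once when the Node.js process starts, so it has to be in the environment before node launches; assigning process.env.NODE_EXTRA_CA_CERTS from inside the script has no effect on that process.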


