"Unable to get local issuer certificate" running Yarn Application
Article ID: 202281

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The WSS Agent (WSSA) is installed and used to access the internet via Cloud Secure Web Gateway.

  • The Yarn package manager application is run on Windows clients.
  • Running either the 'yarn install' or the 'yarn upgrade' command triggers the error "Unable to get local issuer certificate".

Disabling WSSA allows the Application to run normally.

Environment

Cloud Secure Web Gateway

WSS Agent

Cause

Although the issue is seen with the WSSA agent, the same problem can occur with any SSL-inspected application going through WSS that expects the server certificate chain to end at the origin server's own root CA.

The Yarn application has built-in logic to verify that the server certificate is issued by the CA it expects.

With WSS SSL inspection, the proxy intercepts the server certificate and chain from the origin server and sends the client a server certificate with the same common name, but signed by the WSS CA.

Any client that does certificate pinning, or otherwise expects the server certificate to be that of the physical origin server, will fail with SSL inspection enabled.

Resolution

Add an SSL inspection bypass for the destination domain.

Additional Information

Identifying the domain to exclude from SSL inspection can be easy or difficult, depending on the application and client.

In some cases, the application reports the domain it is having trouble with, and that domain can simply be added to the SSL bypass domain list.

In other cases, as with the one above, the Application does not give any such information. To identify the domain, one needs to do the following:

  • Disable the agent
  • Run Wireshark on the workstation where the user is having issues with the application
  • Access the site directly, which will work with the agent disabled
  • Look at each instance of an SSL handshake in the trace - hopefully, there will not be too many
    • 'tls.handshake.extension.type == 0' filter will give each client hello with corresponding SNI (Server Name Indication) extension that includes the domain we need to SSL bypass
    • Search for a matching SNI that correlates to the Application (registry.yarnpkg.com in our case above)
  • Add this to the SSL bypass list of WSS

Here is an example of what the PCAP looked like when the application failed:

  • The TCP handshake completes successfully.
  • The SSL handshake appears to complete successfully.
  • No application data is sent by the client; instead, the client sends a TCP FIN to close the connection.
  • The TCP FIN is triggered by the client because the certificate did not match what it expected.