26 March 2021

Evoko Home, Exchange 2016 and "UNABLE_TO_VERIFY_LEAF_SIGNATURE" issue

Evoko is a perfect room booking system. On the first step (logging in to the Exchange 2016 server) of the Evoko Home server (version 2.5.0.93 / Windows edition) installation, I ran into the error "UNABLE_TO_VERIFY_LEAF_SIGNATURE".

The checkbox "Allow untrusted Exchange server SSL/TLS certificates" skips the error, but I want all certificates to be trusted. The Exchange server uses a certificate issued by a local CA. The certificate is not expired, has all the needed CNs and is fully supported by browsers and Windows (because the Root CA certificate is stored in the "Trusted Root Certification Authorities" container).


Wireshark shows that the last packet in the session was RST from Exchange. Unfortunately, this did not give me useful information.


I had no experience with Node.js up to this point, so I spent quite a lot of time finding a solution.

Most of the advice on the Internet about the "UNABLE_TO_VERIFY_LEAF_SIGNATURE" issue relates to npm, but that is a package repository for Node.js, used for package installation, etc. The options "npm config set NODE_EXTRA_CA_CERTS='RootCACert.pem'" and "npm config set cafile 'RootCACert.pem'" didn't help.

In my case it is an application and I can't change the code.

Evoko Home runs on Node.js, which by default validates certificates against its own bundled list of root CAs rather than the Windows certificate store, so the Root CA certificate has to be added to Node.js.

Solution

The solution is to add a "NODE_EXTRA_CA_CERTS" Windows system variable containing the path to the Root CA certificate (or a chain with the Intermediate CA) in PEM (Base64 / CRT / CER) format.


You can do this in several ways. Two options: 

  • CMD with Administrator rights:

setx NODE_EXTRA_CA_CERTS "C:\temp\Root_Cert.pem" -m

  • PowerShell with Administrator rights:

[System.Environment]::SetEnvironmentVariable('NODE_EXTRA_CA_CERTS','C:\temp\Root_Cert.pem', [System.EnvironmentVariableTarget]::Machine)


After adding the variable, you need to restart the server or the application.

The NODE_EXTRA_CA_CERTS environment variable is only read when the Node.js process is first launched.
https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file
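
An added pre-flight check (not part of the original post, and not Evoko or Node.js project code): Node.js only emits a warning when the file named in NODE_EXTRA_CA_CERTS is missing or malformed and otherwise ignores the error, so this script reports whether the file is really PEM and whether each certificate in it parses, is a CA and is unexpired. The function names `detectEncoding` and `inspectBundle` are made up for this example.

```javascript
// Added example: inspect the file NODE_EXTRA_CA_CERTS points to before restarting.
// Function names are illustrative; nothing here is Evoko or Node.js project code.
const fs = require('fs');
const { X509Certificate } = require('crypto'); // Node.js 15.6+; .ca needs 18+

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
const HINTS = {
  der: 'binary DER file: re-export as Base-64 encoded X.509',
  utf16: 'UTF-16 text: save the file as ASCII/UTF-8',
  unknown: 'no PEM certificate block found',
};

// Classify the raw bytes: 'pem', 'der' (binary .cer), 'utf16' or 'unknown'.
function detectEncoding(buf) {
  if (buf.length > 1 && buf[0] === 0xff && buf[1] === 0xfe) return 'utf16';
  if (buf.includes('-----BEGIN CERTIFICATE-----')) return 'pem';
  // A DER certificate starts with an ASN.1 SEQUENCE tag and a long-form length.
  if (buf.length > 4 && buf[0] === 0x30 && buf[1] === 0x82) return 'der';
  return 'unknown';
}

// Return { encoding, certs, problems } for the bundle bytes.
function inspectBundle(buf, now = new Date()) {
  const report = { encoding: detectEncoding(buf), certs: [], problems: [] };
  if (report.encoding !== 'pem') {
    report.problems.push(HINTS[report.encoding]);
    return report;
  }
  const blocks = buf.toString('latin1').match(PEM_BLOCK) || [];
  if (blocks.length === 0) report.problems.push('BEGIN line without matching END line');
  for (const block of blocks) {
    try {
      const cert = new X509Certificate(block);
      report.certs.push({ subject: cert.subject, ca: cert.ca, validTo: cert.validTo });
      if (cert.ca === false) report.problems.push(`not a CA certificate: ${cert.subject}`);
      if (new Date(cert.validTo) < now) report.problems.push(`expired: ${cert.subject}`);
    } catch (err) {
      report.problems.push(`unparsable certificate block: ${err.message}`);
    }
  }
  return report;
}

// Report on whatever the variable currently points to.
const bundlePath = process.env.NODE_EXTRA_CA_CERTS;
if (bundlePath && fs.existsSync(bundlePath)) {
  console.log(inspectBundle(fs.readFileSync(bundlePath)));
} else {
  console.log(`NODE_EXTRA_CA_CERTS=${bundlePath || '(not set)'}: no readable file`);
}
```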


Evoko Home developers should add a function to trust any certificates from the Windows certificate store.


Hope that it helps someone someday.
