You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Use puppeteer.connect({ browserWSEndpoint: 'wss://chrome.browserless.io' })
Receive SSL error since we (possibly most sites?) won't have an IP addresses in the HTTPS altnames:
I've traced it to this diff: https://github.com/puppeteer/puppeteer/compare/v14.1.2...v14.2.0#diff-483229840b8c0a75e846133dc211986ef957c8f103789a2f82edb47693242dafR22. I'm not sure if it's a good/standard practice to add an IP to altnames in these certificates or if it's something that bigger tools (like certbot) allow, but found it an oddity myself. It's possible an attacker could obtain that IP address and start handling requests with an IP versus trying to take over the DNS entry -- so I'm skeptical adding IP addresses to the altnames should be the solution here. We use a pretty "vanilla" letsencrypt setup, and I'm sure many others will run into this issue as well.
[Symbol(kError)]: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 159.89.220.85 is not in the cert's list:
at new NodeError (node:internal/errors:371:5)
at Object.checkServerIdentity (node:tls:346:12)
at TLSSocket.onConnectSecure (node:_tls_wrap:1540:27)
at TLSSocket.emit (node:events:390:28)
at TLSSocket._finishInit (node:_tls_wrap:944:8)
at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12) {
reason: "IP: 159.89.220.85 is not in the cert's list: ",
host: '159.89.220.85',
Puppeteer version
14.2.1
Node.js version
16.13.2
npm version
8.1.2
What operating system are you seeing the problem on?
macOS
Relevant log output
ErrorEvent {
[Symbol(kTarget)]: WebSocket {
_events: [Object: null prototype] { open: [Function], error: [Function] },
_eventsCount: 2,
_maxListeners: undefined,
_binaryType: 'nodebuffer',
_closeCode: 1006,
_closeFrameReceived: false,
_closeFrameSent: false,
_closeMessage: <Buffer >,
_closeTimer: null,
_extensions: {},
_paused: false,
_protocol: '',
_readyState: 3,
_receiver: null,
_sender: null,
_socket: null,
_bufferedAmount: 0,
_isServer: false,
_redirects: 0,
_url: 'wss://159.89.220.85/?token=70abbadb-66e8-45cd-9c02-0bfb7457dd99',
_originalSecure: true,
_originalHost: '159.89.220.85',
_req: null,
[Symbol(kCapture)]: false
},
[Symbol(kType)]: 'error',
[Symbol(kError)]: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 159.89.220.85 is not in the cert's list:
at new NodeError (node:internal/errors:371:5)
at Object.checkServerIdentity (node:tls:346:12)
at TLSSocket.onConnectSecure (node:_tls_wrap:1540:27)
at TLSSocket.emit (node:events:390:28)
at TLSSocket._finishInit (node:_tls_wrap:944:8)
at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12) {
reason: "IP: 159.89.220.85 is not in the cert's list: ",
host: '159.89.220.85',
cert: {
subject: [Object: null prototype],
issuer: [Object: null prototype],
subjectaltname: 'DNS:api.browserless.io, DNS:chrome.browserless.io',
infoAccess: [Object: null prototype],
modulus: '9A3B34794B6BF030D3A27176999C920A936AF028BE5ACE27E0A3B3310B337468F7CA346FDD24E839AEBCD52F0BAA155341496D47FEC7CC027060AAEEBD9E63803DB748AA95C4FD20B864D80C31C6FC0E51681D1CD0F62FF744DC6BE2743D76648C23A37DFB0F226DA8E947D574A7ECC80F7B0DB509F476AF70050D44B87F7CE649ABAB6973D7329A75FA2CC704D0F30AF8938D5F0974E0A2E0727D81A9719FE61E169E4933D09047A72F92E2C49BC226708C4FE72CC3885CE1786901C7DC3985C4BA56E78590E3DBC3D6F6F5D439CEFA446EC8B09C82D2C9A4737C4181753DF54862B1155F18409C4652A3CDF9627F6BCAC9C799CAAE5C910432F389AD9B0B07',
bits: 2048,
exponent: '0x10001',
pubkey: <Buffer 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9a 3b 34 79 4b 6b f0 30 d3 a2 71 76 99 9c 92 0a 93 ... 244 more bytes>,
valid_from: 'Jun 2 09:44:48 2022 GMT',
valid_to: 'Aug 31 09:44:47 2022 GMT',
fingerprint: '54:3C:76:19:B6:0C:97:FF:C9:72:DF:15:6B:18:F7:8E:44:DD:E6:8A',
fingerprint256: '69:9B:7B:68:DB:DE:A6:FB:04:8D:3F:36:21:6A:73:9A:CF:A9:5C:6F:1A:75:A2:95:B4:C0:4F:F5:8D:FB:2E:5B',
ext_key_usage: [Array],
serialNumber: '0313FAD85AA3EB3BA9DB9BD144A3E1FC6B83',
raw: <Buffer 30 82 05 44 30 82 04 2c a0 03 02 01 02 02 12 03 13 fa d8 5a a3 eb 3b a9 db 9b d1 44 a3 e1 fc 6b 83 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 32 ... 1302 more bytes>,
issuerCertificate: [Object]
},
code: 'ERR_TLS_CERT_ALTNAME_INVALID'
},
[Symbol(kMessage)]: "Hostname/IP does not match certificate's altnames: IP: 159.89.220.85 is not in the cert's list: "
}
The text was updated successfully, but these errors were encountered:
Sorry about this! We'll get the fix up and running in the next release. For now, please freeze 14.2.0 and wait till the next release (next week Monday)!
Bug description
Steps to reproduce the problem:
puppeteer.connect({ browserWSEndpoint: 'wss://chrome.browserless.io' })
I've traced it to this diff:
https://github.com/puppeteer/puppeteer/compare/v14.1.2...v14.2.0#diff-483229840b8c0a75e846133dc211986ef957c8f103789a2f82edb47693242dafR22
. I'm not sure if it's a good/standard practice to add an IP to altnames in these certificates or if it's something that bigger tools (like certbot) allow, but found it an oddity myself. It's possible an attacker could obtain that IP address and start handling requests with an IP versus trying to take over the DNS entry -- so I'm skeptical adding IP addresses to the altnames should be the solution here. We use a pretty "vanilla" letsencrypt setup, and I'm sure many others will run into this issue as well.Here's a snippet of some code:
Which produces (shortened):
Puppeteer version
14.2.1
Node.js version
16.13.2
npm version
8.1.2
What operating system are you seeing the problem on?
macOS
Relevant log output
The text was updated successfully, but these errors were encountered: