
Not found because of proxy error: Error: unable to verify the first certificate #99

Closed
jefftham opened this issue Dec 18, 2017 · 9 comments

Comments

@jefftham

Hi, I have a website that is built with Angular.
Visitors can open the website from a browser.
However, I cannot use cors-anywhere to redirect the request to that website.

https://stocks.yeadev.com/
as
https://cors-anywhere.herokuapp.com/https://stocks.yeadev.com/

but i can request it for https://www.google.com/ (a non SPA)
as
https://cors-anywhere.herokuapp.com/https://www.google.com/

@Rob--W
Owner

Rob--W commented Dec 18, 2017

CORS Anywhere only proxies requests (e.g. to access APIs or scrape websites that do not support CORS themselves). It is not a generic web proxy, nor does it offer the ability to render sites. If you want to display SPAs, then you need to specifically parse the response body and load additional resources if needed.

@Rob--W Rob--W closed this as completed Dec 18, 2017
@jefftham
Author

My purpose is to check the status of the server by doing long polling with HTTP GET requests.

I coded it in Vue.js as the frontend, so I use CORS Anywhere to proxy the request.

Logically, "CORS Anywhere" supports a simple "HTTP GET request"?! It should just return anything from the website + CORS header?!

@Rob--W
Owner

Rob--W commented Dec 18, 2017

> Logically, "CORS Anywhere" supports a simple "HTTP GET request"?! It should just return anything from the website + CORS header?!

That's the case (provided that the data is public of course, so not guarded by credentials such as cookies). If you believe that there is a bug on my service, please provide a test case that shows the problem, and also a test case that shows what should have happened.

@jefftham
Author

jefftham commented Dec 18, 2017

We can test on the demo website:

https://robwu.nl/cors-anywhere.html

If you visit an Angular website from the browser:
https://stocks.yeadev.com/
it will render as
[screenshot]

However, if we use the demo website,
the result will be
[screenshot]

@Rob--W Rob--W changed the title unable to request website that is created by angular (Single Page Application) Not found because of proxy error: Error: unable to verify the first certificate Dec 20, 2017
@Rob--W
Owner

Rob--W commented Dec 20, 2017

The server uses a Let's Encrypt certificate.

Re-opening because this needs to be investigated.

@Rob--W Rob--W reopened this Dec 20, 2017
@Rob--W
Owner

Rob--W commented Dec 20, 2017

It seems that the server is incorrectly configured. The command below shows that the response only includes the leaf certificate, and not any of the other certificates in the chain up to a root CA.

$ openssl s_client -connect stocks.yeadev.com:443 -servername stocks.yeadev.com
CONNECTED(00000003)
depth=0 CN = yeadev.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = yeadev.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=yeadev.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLDCCBBSgAwIBAgISBMDoIRGvzvUrVgy1j9e4hp6iMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzEwMDUwMjIzNDBaFw0x
ODAxMDMwMjIzNDBaMBUxEzARBgNVBAMTCnllYWRldi5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCviZwhWNVj+iNwZejRK9gB0ZZmt9lwYv6EVNdV
Pi9sRaGBY688QcqpsAoAxy+gGqNiM2pA5eZ83/KMzQP9KMCzVaU6LG67w2WegXaK
6FsfbZPel3xeP17RYbfGoov4Fr4df2UkQTEvFuMJCnFUQm9LwuftftZ9JdSDW7P8
qmmPiGRyrpdKbclCzgaYbeOmPgv+7eWnk0U7ZT6VT+svmdfuPUV35igZFJ/3Jmw2
8R5YsKbPtfqn4zY0E5T3D07/NvRAvpBn2IWZfFUtaMVXldgnz+a67Qwbjtk8Em/s
z8/SfvMefQ+dS9RxmVtaJB+IKpnoCls6aurQn8eNkqlXsvKVAgMBAAGjggI/MIIC
OzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFmEwRFbRxA3YgvPRZiSYskYVtciMB8G
A1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMG8GCCsGAQUFBwEBBGMwYTAu
BggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0Lm9yZzAv
BggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8w
SgYDVR0RBEMwQYIQc3RvY2sueWVhZGV2LmNvbYIRc3RvY2tzLnllYWRldi5jb22C
Dnd3dy55ZWFkZXYuY29tggp5ZWFkZXYuY29tMIH+BgNVHSAEgfYwgfMwCAYGZ4EM
AQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5s
ZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0aWZpY2F0
ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRpZXMgYW5k
IG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kg
Zm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9yeS8wDQYJ
KoZIhvcNAQELBQADggEBAGadbYrBKS+9v/Txh0chXPwHU+yKic5r23KLFNj4HanI
JKsmt8MIC10R/xw4iQtn2fEXC6oZzMVp5aWlO+z5wFV39q5o0sO83O0tGw7HQJSp
Zl0q8LPteHGZsJZoMoYWey0B6ynEtsdlAVP1431gdKpEJUYTuv8yt03ZUJtJgjlj
/LOTAAvL67H34tc7uauX2i15mxw/F+1bQgZDqts4v4oY4LZf43HSJCehWZp/nqYC
8KWwXlEB6eGg4ioFHK5sUR/7Bjl9/16QqWG9DxLvtnfkGmawZoDenqCWmXxnqMWG
uetOTo3H9XcgK4Z6bCveRjVifqCHVTIntXP7MTb6pKA=
-----END CERTIFICATE-----
subject=/CN=yeadev.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2030 bytes and written 328 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 24E196FAC145CD0798359BEFF09D30886D406920AAE907C80E6AFBF27BE2B966
    Session-ID-ctx:
    Master-Key: 770B7EAB106C94A371109CECBB3C127D2F73C3C747376E343DF9769672CCBA49DEC1A2CAC34DFF557336F58E45755BC6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 2d 01 4b 02 6f 84 4a b8-10 20 aa fd 80 45 1b f1   -.K.o.J.. ...E..
    0010 - 81 37 36 49 3b 65 3c 97-66 84 a3 86 09 53 3f d4   .76I;e<.f....S?.
    0020 - 21 b8 fb e6 d4 40 7a f2-e7 93 af f9 b1 ed 3a 71   !....@z.......:q
    0030 - aa 21 32 c7 82 59 e4 44-50 1a 18 6b c4 42 1c 67   .!2..Y.DP..k.B.g
    0040 - 02 03 a0 15 68 7c 44 e9-29 73 6b 42 42 7d 23 e4   ....h|D.)skBB}#.
    0050 - 09 00 81 f4 c0 9a 4f 08-90 61 72 8c 5c 1f b3 0c   ......O..ar.\...
    0060 - 5b 05 bc b1 29 cc c3 18-6c 9d 26 a5 e7 7c 2c 03   [...)...l.&..|,.
    0070 - 06 15 fd 92 57 32 e3 6b-94 70 4f 95 91 26 9c 6b   ....W2.k.pO..&.k
    0080 - 53 34 eb b9 6d a8 5a 4d-6f d8 c7 cf 2f 52 f1 ab   S4..m.ZMo.../R..
    0090 - 79 92 d7 65 fc ef 27 4d-b6 d6 65 95 5b 31 88 e1   y..e..'M..e.[1..
    00a0 - 96 c3 92 bb 30 a0 c2 0c-b9 ba 95 35 37 1c b6 63   ....0......57..c
    00b0 - 07 eb 1d c1 f4 67 42 f3-da 52 ec 8d 58 0b 48 92   .....gB..R..X.H.
    00c0 - 3f 2c 87 89 54 de cd 3d-b9 58 ee 15 a6 a1 32 56   ?,..T..=.X....2V

    Start Time: 1513761306
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---

An example of a properly configured server that uses Let's Encrypt is:

$ openssl s_client -connect robwu.nl:443 -servername robwu.nl                 
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = robwu.nl
verify return:1
---
Certificate chain
 0 s:/CN=robwu.nl
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

As the operator of the server I can disable certificate verification, but that removes any security guarantees provided by HTTPS, so I am not going to do that. The yeadev.com server administrators should properly configure their server, by returning the full certificate chain up to (but not necessarily including) the root CA.

@Rob--W
Owner

Rob--W commented Dec 20, 2017

The certificate also includes an "Authority Information Access" (AIA) field with the following value:

Not Critical
OCSP Responder: URI: http://ocsp.int-x3.letsencrypt.org
CA Issuers: URI: http://cert.int-x3.letsencrypt.org/

The last line could be used to look up additional information. Chrome implements AIA; that's why the site is correctly displayed in Chrome.
Intermediate certificates are not automatically fetched by Node.js (nodejs/node#16336), nor Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=399324). So if the intermediate certificate has not been cached yet, then the site won't be displayed properly.

To test in Firefox:

  1. Start a new Firefox profile.
  2. Visit https://stocks.yeadev.com
  3. Observe that a certificate error occurs.
  4. Visit https://robwu.nl (which also uses Let's Encrypt, and includes the same intermediate certificate as yeadev.com).
  5. Visit https://stocks.yeadev.com
  6. Observe that the site is now displayed as expected (because the intermediate certificate from step 4 was cached).

This is an issue with the site. The site should fix this. I suggest that you contact the operators of that website and point to this issue (in my previous comment I already explained at a high level what should be done).

@Rob--W Rob--W closed this as completed Dec 20, 2017
@subasj0

subasj0 commented Aug 20, 2020

> As the operator of the server I can disable certificate verification, but that removes any security guarantees provided by HTTPS, so I am not going to do that. The yeadev.com server administrators should properly configure their server, by returning the full certificate chain up to (but not necessarily including) the root CA.

I understand that you cannot make changes, but please tell me how I can do it on my localhost if security is not an issue.

@Rob--W
Owner

Rob--W commented Aug 20, 2020

> As the operator of the server I can disable certificate verification, but that removes any security guarantees provided by HTTPS, so I am not going to do that. The yeadev.com server administrators should properly configure their server, by returning the full certificate chain up to (but not necessarily including) the root CA.
>
> I understand that you cannot make changes, but please tell me how I can do it on my localhost if security is not an issue.

See https://github.com/Rob--W/cors-anywhere/issues/16#issuecomment-64266444
