self-signed-ssl | Generate self-signed TLS certificate using OpenSSL | TLS library

unable to get local issuer certificate

To resolve this issue, you could try to manually acquire the version of NuGet.exe you wish to use (like nuget.exe v5.9.1) and put it on the private agent in a folder that's on the PATH.

• Download NuGet.exe tool to that agent machine manually(e.g. d:\tool\nuget.exe).
• Open System Properties window > Advance > Environment variables.
• In System variables section, click New button > Variable name: nuget; Variable value: d:\tool > Click Ok.
• Select Path variable > Edit > add/append %nuget% item (the result will be xxxx;%nuget%) Restart your machine.

After that you can remove NuGet Tool Installer task from build definition.

If it not work for you, try to running ".\externals\nuget\nuget.exe update -self" for the private agent install folder on the agent machine and getting an update version, it works again with the local certificate store:

You could check this thread for some more details.

I could eventually make everything work - sharing the same here, just in case it will be useful for anyone else in future.

The solution is quite simple, something that I had tried initially, but had made a minor mistake while trying. Anyways, here goes the solution:

1. Access the URL (huggingface.co URL in my case) from browser and access the certificate that accompanies the site.
   a. In most browsers (chrome / firefox / edge), you would be able to access it by clicking on the "Lock" icon in the address bar.

2. Save all the certificates - all the way up to the root certificate.
   a. I think, technically, you can just save the root certificate and it will still work, but I have not tried that. I may update this, if I get around to try this out. If you happen to try it before me, please do comment.

3. Follow the steps mentioned in this stack overflow answer to fetch the CA Bundle and open it up in an editor to append the file with the certificates downloaded in the previous step.
   a. The original CA bundle file has heading lines before each certificate, mentioning which CA root the certificate belongs to. This is not needed for the certificates we want to add. I had done this and I guess an extra space, carriage return etc. may have caused it to not work for me earlier.

4. In my python program, I updated the environment variable to point to the updated CA root bundle

   os.environ['REQUESTS_CA_BUNDLE'] = 'path/cacert.crt'

One may think that since most python packages use "requests" to make such GET calls and "requests" uses the certificates pointed by the "certifi" package. So, why not find the location of the certificates pointed by certifi and update that. The issue with that it - whenever you update a package using conda, certifi may get updated as well, resulting in your changes to be washed away. Hence, I found dynamically updating the environment variable to be a better option.

Cheers

From my limited as well experience so far with nginx, you need to add the following lines in the nginx default: ssl on; server_name your.domain.com; ssl_certificate /domain1/ssl-bundle.crt; ssl_certificate_key /domain1/server.key;

Also, in the default, you would need to add the location details for your nodejs server: location / { proxy_pass http://yourip:port/route; }

Lastly, I am not using certificates within my nodejs,it is an HTTP one, instead I let nginx handle those. The bundle.crt, contains both the rootca and public certificate as it is a self signed one in the above example.

It looks like you used a key algorithm to generate your cert that isn't supported by Amazon ELB.

Regenerate the cert with RSA 2048 instead of 4096 and you should be good to go.

https://aws.amazon.com/premiumsupport/knowledge-center/elb-ssl-tls-certificate-https/

I used vagrant and sternpunkt/jimmybox. In previous version there was issue with ssl. Version 3.0.1 works.

Can you try, export NODE_TLS_REJECT_UNAUTHORIZED=0 on the command line? This sets the property globally rather than process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0; which set the property to that particular process. Hope you also executed npm config set strict-ssl false.

I finally figured it out. The certificate is missing a DNS subject alternative name.

Once I generated a new certificate with that it worked perfectly.

For those who might need it, heres my ssl.cnf