Certificate Errors in Meteor commands (before v1.9 only)

Hi, if you are getting errors like Connection error (certificate has expired) when running Meteor commands it means that you are running a version of Meteor older than v1.9.

Node.js before 10 (and Meteor before 1.9) doesn’t include Let’s Encrypt’s newest root certificate.

This is why these commands are failing.

A workaround, for now, is to run all the meteor commands with the following environment variable NODE_TLS_REJECT_UNAUTHORIZED, for example in the deploy command:

NODE_TLS_REJECT_UNAUTHORIZED=0 meteor deploy .....

We are investigating if we can find a better workaround for this problem that is affecting old Meteor versions.

Also note that if you are running old distributions, like Ubuntu 16 and before, locally, or in any of your CI pipelines you may also face this issue. In this case, we do recommend updating your distribution, or your local repository of root certificates (the how-to of this varies based on your distribution).

If your server is accessing external Let’s Encrypt resources with an old Meteor version, you will also need to add NODE_TLS_REJECT_UNAUTHORIZED to your container env, using your settings file.

{
  "galaxy.meteor.com": {
    "env": {
      "NODE_TLS_REJECT_UNAUTHORIZED": "0"
    }
  }
}
6 Likes

We’ve posted a full page in our docs explaining this error and also errors that you can get in Meteor apps that use Let’s Encrypt certificates:

1 Like

chinitotuchman (Ryan Chan) and I found that the Meteor CLI, since the commit "Patch to allow users to override root cert list" (meteor/meteor@0aa1291), allows us to provide a CAFILE for the CLI to use. It seems that this commit was in our 1.6.1.4 version of Meteor.

We upgraded our Ubuntu to one that has the new ISRG Root X1 cert (18.04 bionic) and installed the ca-certificates package.

apt-get install -y ca-certificates

Pointed it at that .pem file:

ENV CAFILE="/etc/ssl/certs/ISRG_Root_X1.pem"

in our Dockerfile.

Then installed the version of Node that we needed to have for our Meteor 1.6.1.4 version.

Works great so far!

2 Likes
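The two options discussed in this thread differ in effect: Node.js disables certificate validation for TLS connections when NODE_TLS_REJECT_UNAUTHORIZED is "0", while CAFILE only changes which roots are trusted. The following CI-style check is an added example, not code from the thread or from Meteor; the function names and sample data are hypothetical. It flags the override in a parsed settings file and reports which option an environment is using.

```javascript
// Added example (not Meteor code): audit a parsed Meteor settings object and an
// environment map for the TLS-verification override discussed in this thread.
const OVERRIDE = "NODE_TLS_REJECT_UNAUTHORIZED";

// Node.js disables validation only when the value is exactly "0".
// Assumption: a numeric 0 in settings JSON reaches the process as the string "0".
function disablesVerification(value) {
  return String(value) === "0";
}

// Walk the settings tree and return the path of every "env" map that sets the override to 0.
function findOverridesInSettings(node, path = []) {
  const findings = [];
  if (node === null || typeof node !== "object") return findings;
  for (const [key, value] of Object.entries(node)) {
    const here = path.concat(key);
    if (key === "env" && value && typeof value === "object" &&
        OVERRIDE in value && disablesVerification(value[OVERRIDE])) {
      findings.push(here.concat(OVERRIDE).join(" > "));
    }
    findings.push(...findOverridesInSettings(value, here));
  }
  return findings;
}

// Classify an environment (same shape as process.env) by the option in effect.
function classifyEnv(env) {
  const caFile = env.CAFILE || null;
  if (OVERRIDE in env && disablesVerification(env[OVERRIDE])) {
    return { status: "verification-disabled", caFile };
  }
  return { status: caFile ? "custom-ca" : "default-trust-store", caFile };
}

// Combine both checks; ok is false if verification is disabled anywhere.
function runAudit(settings, env) {
  const findings = findOverridesInSettings(settings);
  const envState = classifyEnv(env);
  const ok = findings.length === 0 && envState.status !== "verification-disabled";
  return { ok, findings, envState };
}

// Constructed sample input: the settings fragment from the thread plus a clean section,
// and an environment using the CAFILE path quoted in the thread.
const sampleSettings = {
  "galaxy.meteor.com": { env: { NODE_TLS_REJECT_UNAUTHORIZED: "0" } },
  public: { appName: "demo" },
};
const sampleEnv = { CAFILE: "/etc/ssl/certs/ISRG_Root_X1.pem" };
console.log(JSON.stringify(runAudit(sampleSettings, sampleEnv), null, 2));
```
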

Wow, nice find! That’s just what we needed since we are using an older Meteor version.

This definitely seems like a better workaround than NODE_TLS_REJECT_UNAUTHORIZED.

Feel free to add more options to our docs.

You can see an Edit on GitHub button at the bottom of every page. :wink:

Done. "Using CAFILE environment variable to fix TLS issues" by Vinlock (Pull Request #760, meteor/docs).