Unable to verify LEAF signature error in Groov Read or Write

Hello all, I have multiple Groov boxes (AR1, Epic, Server for Windows) that I use Node-RED to read or write to each other's data stores. When I use self-signed certificates on these devices, there are no problems. However, when I use purchased SSL certificates (Network Solutions) I get the error UNABLE_TO_VERIFY_LEAF_SIGNATURE.

Any advice?

Are you using hostnames or IP addresses for this application?
Either way, if you’re using any kind of certificate authority you’ll likely need to set the Subject Alternate Name (SAN) and make sure those match up with the hostnames / IPs you’re using.

It’s a small part of a much more involved process and guide, but we have some info about it on the developer site here: Creating a Server Certificate for your groov EPIC(s) | Opto 22 Developer


I tried with the DNS name originally and then the IP address. The SAN on the certificate shows the original CN but it also has a secondary, which is a www.xxx.xxx.com. I’ll need to update our DNS records to include a CNAME record but once I’ve completed this, I should have more info.

UPDATE:
I’ve added a CNAME record so that both Subject Alternative Names listed in the certificate resolve to a DNS lookup. I still get the same LEAF Signature error.

I’ll review the guide you linked.

@Mick_McGuire
Mick,
have you had any luck in resolving this issue? I just had to update my Cert and am getting the same error and can’t figure out how to fix it.

@torchard and I are looking at fleshing out a groov/Node-RED certificate workflow… Can you help us understand what you had working and what changed, @SlimJim?

You are on an EPIC? And working with Node-RED on a PC? Or the other way around?
i.e., what pieces and parts do you have where?
Is the cert you just changed a self-signed cert generated by the EPIC?
Lastly, I’m guessing, but you are getting the error from a groov IO node?

EDIT: Also are you on a local LAN for both devices? Are you using hostnames, domain names or IP address or a mix?

@Beno
Ben,
I’m on an Epic. I am working Node-RED from my PC. Both PC and Epic are on local LAN. I’m using mainly domain names but have also tried the IP that’s static with no success.
I am trying to grab the sunset and sunrise times from https://api.openweathermap.org/data/2.5/onecall?lat=33.999&lon=-117.338&units=imperial&appid=xxxxxxxxx
This worked up until my SSL Cert expired in March. I have been working with my IT team to install a new SSL Cert which we were able to achieve yesterday and this is when the UNABLE_TO_VERIFY_LEAF_SIGNATURE error started.

Ok, reading between the lines here…
Sounds like the openweather API is working fine the whole time (I edited your API key out BTW, not a good idea to publicly share that), i.e. both before and after the cert change.

What broke (I’m guessing) is the writing of the sun rise/set times to groov View data store on the EPIC?

The cert the IT guys helped you with… That was not a cert generated from the EPIC, but one they spun up and provided you?

My IT went into the Epic SSL and created the Certificate in Groov Manage. Then they downloaded the key and CSR and then he requested a certificate on our private CA on our domain. Then uploaded it into the groov via groov manage.
My IT followed this guide:

The Cert is working but lost my Node-RED write capabilities.

Have you provided the path to the certificate to the Node-RED groov node configuration?

I tried but am not real clear on how to do it.

All I had to do, since Node-RED and the Epic are on the same device, was change the address in the node to localhost instead of the domain or IP address, and now it is working.

That sounds about right.
Thanks for coming back and letting us know.

(We still intend to make a guide / video about the process).


This is weird to me since the domain and IP had always worked in the past and I am unsure why I had to make that change now.

It’s due to the way the new cert was signed.

I have also found that *.mydomain.com wildcard certs can also cause this issue.
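
Two separate checks come up in this thread: whether the name Node-RED connects to (hostname, IP, localhost, wildcard) is covered by the certificate's SAN, and whether the issuing CA chain is trusted. In Node.js, UNABLE_TO_VERIFY_LEAF_SIGNATURE belongs to the second group, while a SAN mismatch is reported as ERR_TLS_CERT_ALTNAME_INVALID. The following is an added example, not code from the thread or from Opto 22; the certificate object, hostnames, IP address and helper names are constructed assumptions.

```javascript
const tls = require('tls');

// Constructed sample in the shape returned by TLSSocket#getPeerCertificate().
const sampleCert = {
  subject: { CN: 'epic.mydomain.example' },
  subjectaltname:
    'DNS:epic.mydomain.example, DNS:*.plant.mydomain.example, IP Address:192.0.2.10',
};

// Node.js TLS error codes that mean "could not build a trusted chain".
const CHAIN_ERRORS = new Set([
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'SELF_SIGNED_CERT_IN_CHAIN',
  'DEPTH_ZERO_SELF_SIGNED_CERT',
]);

// Group an error code by which part of certificate validation failed.
function classifyTlsError(code) {
  if (CHAIN_ERRORS.has(code)) return 'chain'; // issuer/intermediate not trusted by the client
  if (code === 'ERR_TLS_CERT_ALTNAME_INVALID') return 'name'; // target not in SAN
  if (code === 'CERT_HAS_EXPIRED' || code === 'CERT_NOT_YET_VALID') return 'validity';
  return 'other';
}

// Run Node's own name-matching rules against a target address.
function checkName(target, cert) {
  const err = tls.checkServerIdentity(target, cert);
  return err ? err.code : 'ok';
}

// Check every address a flow might use against one certificate.
function report(targets, cert) {
  return targets.map((target) => ({ target, result: checkName(target, cert) }));
}

console.log(report(
  ['epic.mydomain.example', 'groov1.plant.mydomain.example',
   'a.b.plant.mydomain.example', '192.0.2.10', '192.0.2.11', 'localhost'],
  sampleCert));
console.log(classifyTlsError('UNABLE_TO_VERIFY_LEAF_SIGNATURE'));
```

If every address in use passes the name check and the error is still in the chain group, the client side is missing the issuing CA (or the server is not sending its intermediate), which for Node.js can be supplied through the `ca` TLS option or the `NODE_EXTRA_CA_CERTS` environment variable.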