
ESET SSL protection produces an invalid certificate chain for NodeJS apps



Has anyone tried this pointing to Eset root CA cert.?

Quote

I just found a solution, in the terminal when you are starting up the server I just had to include the directory of the rootCA.pem file:

HTTPS=true NODE_EXTRA_CA_CERTS="$(mkcert -CAROOT)/rootCA.pem" npm run dev

https://github.com/FiloSottile/mkcert/issues/563

I also believe the Eset cert. needs to be exported and converted to .pem format and then stored somewhere.

Also, NODE_EXTRA_CA_CERTS can be deployed via environment variable as shown in this example: https://doc.sitecore.com/xp/en/developers/hd/19/sitecore-headless-development/walkthrough--configuring-sitecore-ca-certificates-for-node-js.html

Edited by itman
Link to comment
Guest Christopher Boisvert

I have the same version of Eset Node 32 as all of you and I have the same error. What is the recommended solution for this with the minimal security surface area that is opened? I saw multiple answers but can't see exactly the one that would just fix those two commands for me:

yarn install

yarn upgrade 

The default behavior of yarn was modified by Eset Nod 32 without informing any customer. I think this is a bad move by Eset because it blocked me from working.

Link to comment
Guest ratrakone

Same problem here. I'm using ESET Endpoint Security v. 11.0.2044.0.

It's been 3 days, that's thousands of euro, this is not a joke request.

Link to comment
Guest Alexx

I have read all the articles on the web related to this error. I have also paid for a Medium membership to read some premium posts. Disabling the antivirus did not solve this issue, so I thought the problem was on my PC. I ended up reinstalling Windows from 0 thinking it was a virus or some bad internal bug, reinstalling all the apps. Suddenly I realized it was Eset's fault. I have lost money and the whole weekend trying to figure out this issue. This is not acceptable. I have removed the antivirus from my PC and will wait for a response on your side. Hope it is solved soon.

Link to comment
Guest The Last Byte

This is a massive issue, c'mon ESET - you cannot leave this unsolved for so long.

For individuals who wasted their day who are on Windows 10 or similar, here is what I did: https://github.com/the-last-byte/ESET-NPM-Breakage-Fix

For those managing dozens, hundreds, more computers, this could be a disaster.  I really hope an official solution is not far away - as this doesn't build customer trust.

Link to comment
Guest An angry customer

This IS a massive issue. It cost me 2 days of work to find this thread and see that ESET is causing this issue! I'm a long time user but this is unacceptable. I also raised a support ticket. Please fix it ASAP

Link to comment
Guest Joseph
On 4/19/2024 at 1:45 PM, Marcos said:

It is not actually a bug, we merely started to scan nodejs communication in order to detect nodejs malware payload.

👋 Hi Marcos! New ESET customer here.

I really appreciate the focus on supply chain malware protection. That said, making npm inoperative is a pretty serious goof. We can disagree on whether this is a bug, but I hope you'll agree it's at least unacceptably disruptive.

Could you let me know what the plans are for addressing this issue? Any timeline details would be especially helpful. I ask because we've got a software release scheduled for tomorrow and I'm pretty sure this issue will cause our build process to fail.

Just a heads-up, a lot of us who rely on npm working seamlessly also have a say in our companies' cybersecurity budgets. 😁 Looking forward to your swift response!

Link to comment
Guest Pachomar
6 hours ago, Guest Alexx said:

I have read all the articles on the web related to this error. I have also paid for a Medium membership to read some premium posts. Disabling the antivirus did not solve this issue, so I thought the problem was on my PC. I ended up reinstalling Windows from 0 thinking it was a virus or some bad internal bug, reinstalling all the apps. Suddenly I realized it was Eset's fault. I have lost money and the whole weekend trying to figure out this issue. This is not acceptable. I have removed the antivirus from my PC and will wait for a response on your side. Hope it is solved soon.

This exactly. I had a release on Friday that had to be postponed because I wasn't able to properly build our app. And since this was a stealth "feature" I wasn't able to figure out what the issue was until I formatted my PC and started installing stuff one by one again. You can't have this kind of behavior towards your paying customers. Now I'm seriously thinking of switching to another antivirus.

Link to comment
Guest Annoyed customer

We've lost many hours of development time due to this bug.

Turning off HTTPS scanning as mentioned by "Guest Siemer" solved the issue.

The whole dev team has lost trust in ESET due to this and it will be hard to regain that trust. I hope ESET realizes that.

Link to comment
Guest Chris

Setting an environment variable or passing an extra flag to node is not a solution, as it is not always possible to change them (e.g. in applications that use node). ESET should fix this in a way that will not require any user intervention.

Link to comment
Guest Former Customer

Having lost more than 3 days of work, all I have to say is that I'll start searching for a new antivirus after this. Sad, I never had any complaints about ESET, but 3+ days of work translated to money is a LOT of years of subscription they won't have from me again after this.

Link to comment
  • Administrators

This Quick questions forum is for guests and does not require registration as it serves only for quick questions. It was not meant for reporting issues according to this forum rules:

4, Ask only simple questions. If you want to report an issue, inquire about your license, etc., create a forum account first. This forum is not intended for lengthy discussions.

A correct procedure for reporting issues is by raising a support ticket. Should you want to report an issue in this forum in the future, please sign up first and make a post in the appropriate product forum.

As for the issue, the whole problem is that Nodejs does not use the system trusted root CA certificate store while there is a bunch of Nodejs malware that our and other AV users want to be protected against at the network level. We hope that Nodejs will use the system TRCA cert. store in the future to allow that.

We have provided possible workarounds in this topic. We reported the issue to developers on Friday, i.e. today is the first work day since the report. We are already testing Internet protection module 1475.1 with a fix which will be available on the pre-release update channel shortly, with release on the regular update channel to follow soon.

Link to comment
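The two posts above describe the same mechanism from opposite sides: the first post's NODE_EXTRA_CA_CERTS workaround appends an exported root to the client's trust store, and the administrator's reply explains why it is needed (Node.js keeps its own root store rather than reading the system one, so a TLS-inspecting product's root is unknown to it). The added example below, which is not from this thread, from ESET or from Node.js, reproduces that failure and the repair offline. It is written in Go rather than JavaScript only because Go's standard library can mint throwaway certificates without any network or external tool; the "Constructed Inspection Root CA" and the leaf it issues for registry.npmjs.org are constructed stand-ins, not ESET's real certificates. An empty cert pool models a client-private store that lacks the inspecting root, and PoolWithExtraCAs plays the role of NODE_EXTRA_CA_CERTS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed TLS-inspection setup: a private root CA (stand-in
// for the root an inspecting product installs) and a leaf it issued for the
// registry host. None of this is ESET's or Node's real key material.
type Scenario struct {
	Root    *x509.Certificate
	Leaf    *x509.Certificate
	RootPEM []byte // what an exported-and-converted rootCA.pem would contain
}

// mustCert signs tmpl with signer (the parent's key) and parses the result.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildScenario creates the inspecting root and a leaf for host signed by it.
func BuildScenario(host string) Scenario {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: "Constructed Inspection Root CA"}, // constructed name
		IsCA:    true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed

	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, root, &leafKey.PublicKey, caKey) // issued by the inspecting root

	return Scenario{Root: root, Leaf: leaf,
		RootPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})}
}

// VerifyChain does what a TLS client does: chain the leaf to a trusted root
// and check the hostname. Returns nil when the handshake would be accepted.
func VerifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// PoolWithExtraCAs is the analogue of NODE_EXTRA_CA_CERTS: append the PEM
// bundle's certificates to the existing trust store instead of replacing it.
func PoolWithExtraCAs(base *x509.CertPool, bundle []byte) (*x509.CertPool, error) {
	pool := base.Clone()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, errors.New("no certificates found in bundle")
	}
	return pool, nil
}

// InspectBundle lists the subject of each PEM certificate and rejects a bundle
// that holds anything other than a CA, e.g. a mistakenly exported leaf.
func InspectBundle(bundle []byte) ([]string, error) {
	var subjects []string
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if !c.IsCA {
			return nil, fmt.Errorf("%q is not a CA certificate", c.Subject.CommonName)
		}
		subjects = append(subjects, c.Subject.CommonName)
	}
	if len(subjects) == 0 {
		return nil, errors.New("bundle holds no certificates")
	}
	return subjects, nil
}

func main() {
	const host = "registry.npmjs.org"
	s := BuildScenario(host)
	fmt.Println("store without inspecting root:", VerifyChain(s.Leaf, x509.NewCertPool(), host))
	subjects, err := InspectBundle(s.RootPEM)
	fmt.Println("bundle contents:", subjects, err)
	pool, _ := PoolWithExtraCAs(x509.NewCertPool(), s.RootPEM)
	fmt.Println("store with inspecting root appended:", VerifyChain(s.Leaf, pool, host))
	fmt.Println("wrong hostname, still rejected:", VerifyChain(s.Leaf, pool, "other.example"))
}
```

The first verification fails with an unknown-authority error, which is the same condition behind npm's UNABLE_TO_VERIFY_LEAF_SIGNATURE; appending the root makes the chain verify while hostname checking stays in force. InspectBundle is the check worth running on the exported file before pointing NODE_EXTRA_CA_CERTS at it: the file must contain the CA certificate in PEM form, not a leaf the product minted for some site, and it only adds to the trust store, which is a narrower change than switching certificate verification off.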
  • Administrators

You can update from the pre-release update channel to get Internet protection module 1475.1 or wait until it's updated automatically from the regular update channel.

Link to comment
Guest kevin morizur

I confirm that pre-release update 1475 is fixing the certificate problem. Do you have any idea about when it will be officially released?

Link to comment
2 hours ago, Marcos said:

You can update from the pre-release update channel to get Internet protection module 1475.1 or wait until it's updated automatically from the regular update channel.

And what is the fix? To not SSL/TLS scan node.js apps?

Link to comment
Guest Warren
Quote

4, Ask only simple questions. If you want to report an issue, inquire about your license, etc., create a forum account first. This forum is not intended for lengthy discussions.

A correct procedure for reporting issues is by raising a support ticket. Should you want to report an issue in this forum in the future, please sign up first and make a post in the appropriate product forum.

The OP isn't even a customer of yours and took the time to carefully explain the issue your software has created, probably in the hopes that you'd go "oh ****, that's bad, let's get it sorted pronto".

Quote

As for the issue, the whole problem is that Nodejs does not use the system trusted root CA certificate store while there is a bunch of Nodejs malware that our and other AV users want to be protected against at the network level. We hope that Nodejs will use the system TRCA cert. store in the future to allow that.

You have to work with the software that's released, not some imaginary version that has the behaviour you want it to.

Quote

We have provided possible workarounds in this topic. 

The workarounds provided are not practical in many use cases (Github actions for instance) or reduce security from what was available prior to this new feature being implemented.

Quote

We have reported the issue to developers on Friday, ie. today is the first work day since the report. We are already testing Internet protection module 1475.1 with a fix which will be available on the pre-release update channel shortly, with release on the regular update channel to follow soon.

Thread opened: "Posted Thursday at 08:14 AM". We began experiencing this issue on Wednesday 17th, so today is the fourth business day and sixth day and we still don't have a satisfactory fix with assurances that the same mistake won't be made again.

Overall I have to say that I am very concerned about the attitude presented to the disruption caused by the implementation of this stealth feature.

Many of the people posting here are developers and we all know that mistakes happen and that things can get missed. But this is leaving us anxious that ESET considers it everyone else's responsibility to correct it when they implement changes that take business critical systems down.

Link to comment
Guest MaxPog

Good luck to everyone. There was the same error:

$ npx express-generator
npm ERR! code UNABLE_TO_VERIFY_LEAF_SIGNATURE
npm ERR! errno UNABLE_TO_VERIFY_LEAF_SIGNATURE
npm ERR! request to https://registry.npmjs.org/express-generator failed, reason: unable to verify the first certificate

npm ERR! A complete log of this run can be found in: C:\Users\*****\AppData\Local\npm-cache\_logs\2024-04-23T11_02_57_824Z-debug-0.log


After updating from the test servers, another error appeared:

$ npx express-generator
npm ERR! code ENOENT
npm ERR! syscall lstat
npm ERR! path C:\Users\*****\AppData\Roaming\npm
npm ERR! errno -4058
npm ERR! enoent ENOENT: no such file or directory, lstat 'C:\Users\*****\AppData\Roaming\npm'
npm ERR! enoent This is related to npm not being able to find a file.
npm ERR! enoent

npm ERR! A complete log of this run can be found in: C:\Users\*****\AppData\Local\npm-cache\_logs\2024-04-23T11_22_27_353Z-debug-0.log

Reinstalling NodeJs didn't fix anything. What to do?

Link to comment
  • Administrators
Just now, Guest MaxPog said:

Reinstalling NodeJs didn't fix anything. What to do?

If disabling SSL/TLS filtering doesn't make any difference, then it should be unrelated to ESET.

Link to comment
2 hours ago, Guest MaxPog said:

Good luck to everyone. There was the same error:

Did you receive these errors when running Eset Endpoint pre-release ver. which includes the Internet module fix?

Link to comment
On 4/22/2024 at 7:08 AM, Marcos said:

We hope that Nodejs will use the system TRCA cert. store in the future to allow that.

Per the following, it appears this is in progress. However, it will require user intervention to implement:

Quote

In OpenSSL 3.2, support was added to use the Windows cert store as OpenSSL's CA store. While node currently doesn't use 3.2, when it eventually makes the move I would suggest defaulting the cert store to org.openssl.winstore:// - allowing any CA root certs to be picked up from the system.

https://github.com/nodejs/node/issues/51537

Link to comment
Guest Kyle

I'm also experiencing this issue and it has disrupted some client work. When can we expect a fix? I updated ESET as of today and still this is a problem.

Also, your captcha is hilariously bad.

Link to comment