Resolve Unable to Verify Leaf Signature Issue
Mohamed Sirajudeen
Senior Sitecore Consultant at INSCALE | Sitecore Technology MVP 2024 | 4x Sitecore Certified | Digital Transformation Enthusiast | Digital Technology Analyst | Blogger | Speaker
During the development of Sitecore Headless (formerly known as Sitecore JSS), many encounter an issue labeled "Unable to Verify Leaf Signature." A common solution suggested by most is to disable secure verification during local development by setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' in the local frontend application.
When the issue occurs while deploying items from the frontend to Sitecore using "jss deploy", setting the "--acceptCertificate" value to the SSL certificate thumbprint addresses the problem.
However, it's important to note that Sitecore documentation indicates these steps are intended for temporary use during local development. For environments like UAT or production, it's crucial to implement proper procedures and, more importantly, understand the underlying issue.
Why does this issue occur?
The error "Unable to verify the first certificate" means that the local Node server we are connecting to is misconfigured and did not include the intermediate certificate in the certificate chain it sent to us.
First, try sending the request with the environment variable NODE_TLS_REJECT_UNAUTHORIZED=0 set. That should work, confirming the rest of our setup is correct.
We may be able to fix this by changing the local Node server setup to provide a different certificate, one which embeds the full chain.
Configuring CA (Certificate Authority) Certificates for Node.js
In local environments, Sitecore instances often use privately signed certificates, which Node.js may reject because their root CAs are not recognized. To resolve this, Node.js allows extra certificates to be added to its well-known root CAs through the NODE_EXTRA_CA_CERTS environment variable. This enables Node.js to recognize and trust these certificates, ensuring secure communication with the Sitecore instance during development.
Step 1: Open Certificate Manager and go to the Trusted Root Certification Authorities folder. The Sitecore Installation Framework certificate is installed there.
Step 2: Right-click the certificate and click Export.
Step 3: The Certificate Export Wizard opens. Click Next to proceed.
Step 4: Choose the "Base-64 encoded X.509 (.CER)" format.
Step 5: Choose the location and enter a filename with the ".cer" extension.
Set the Certificate in the Node.js Environment
Open a command prompt and run the following command locally:
setx NODE_EXTRA_CA_CERTS <file>
Once you have completed the above step, add the below setting to the "jss:connected" property in package.json.
"start:connected": "cross-env-shell PORT=3002 NODE_ENV=development NODE_EXTRA_CA_CERTS=\"<filepath>\"
After completing the above step, restart your local system and reconnect. You should no longer encounter any leaf signature issues during communication between your local Sitecore instance and the local frontend application. This ensures smooth and secure interaction between the two components in your development environment.
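As an added example (not part of the original article or of Sitecore's tooling), this Node.js preflight check reports whether certificate verification is disabled and whether the file named in NODE_EXTRA_CA_CERTS is PEM, the format Node.js expects for that variable and the one selected in Step 4. The function names `classifyCertFile` and `preflight`, the sample path and the sample bytes are constructed for illustration.

```javascript
// Added example (not from the article): preflight check of Node.js TLS trust settings.

// Classify the bytes of an exported certificate file.
function classifyCertFile(buf) {
  const text = buf.toString('latin1');
  const blocks = text.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
  if (blocks.length > 0) {
    // A PEM body must base64-decode to DER, which begins with a SEQUENCE tag (0x30).
    const ok = blocks.every((block) => {
      const body = block.replace(/-----[A-Z ]+-----/g, '').replace(/\s+/g, '');
      return /^[A-Za-z0-9+/]+=*$/.test(body) && Buffer.from(body, 'base64')[0] === 0x30;
    });
    return { format: ok ? 'pem' : 'malformed-pem', count: blocks.length };
  }
  // A binary export ("DER encoded binary X.509") starts directly with the SEQUENCE tag.
  if (buf.length > 1 && buf[0] === 0x30) return { format: 'der-binary', count: 1 };
  return { format: 'unknown', count: 0 };
}

// Return findings for an environment; readFile is injectable so the check runs offline.
function preflight(env = process.env, readFile = (p) => require('node:fs').readFileSync(p)) {
  const findings = [];
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0 is set: certificate verification is disabled');
  }
  if (!env.NODE_EXTRA_CA_CERTS) {
    findings.push('NODE_EXTRA_CA_CERTS is not set');
    return findings;
  }
  let buf;
  try {
    buf = readFile(env.NODE_EXTRA_CA_CERTS);
  } catch (err) {
    findings.push(`NODE_EXTRA_CA_CERTS file is not readable: ${err.code || err.message}`);
    return findings;
  }
  const { format } = classifyCertFile(buf);
  if (format !== 'pem') {
    findings.push(`NODE_EXTRA_CA_CERTS file is ${format}; Node.js expects PEM (Base-64 encoded X.509)`);
  }
  return findings;
}

// Constructed sample: a stand-in DER blob (not a real certificate) and a hypothetical path.
const sampleDer = Buffer.from([0x30, 0x82, 0x01, 0x00, 0x01, 0x02, 0x03, 0x04]);
const sampleEnv = { NODE_TLS_REJECT_UNAUTHORIZED: '0', NODE_EXTRA_CA_CERTS: 'C:\\certs\\sif-root.cer' };
console.log(preflight(sampleEnv, () => sampleDer));
```

Node.js reads NODE_EXTRA_CA_CERTS only when the process starts, and a missing or malformed file produces a single warning and is otherwise ignored, so a wrong export format would surface only as the same verification error.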
Thanks for reading this Article.
Happy Sitecoring !!!