Fail to verify certificate in development update calls

I am using localhost subdomains in development, so my URLs look like this: http://ryjl3-tyaaa-aaaaa-aaaba-cai.localhost:8000/

I need to do this to use ES modules natively while in development, because native ES modules do not set the Referer properly for the IC (there is no canisterId query parameter).

This has been working fine so far, but I just tried to do an update call for the first time from the frontend, and I keep getting this error message in response:

{
  "message": "Fail to verify certificate",
  "stack": "Error: Fail to verify certificate\n    at pollForResponse (http://ryjl3-tyaaa-aaaaa-aaaba-cai.localhost:8000/_snowpack/pkg/@dfinity/agent.js:13815:15)\n    at async caller (http://ryjl3-tyaaa-aaaaa-aaaba-cai.localhost:8000/_snowpack/pkg/@dfinity/agent.js:14000:35)\n    at async graphQLFetcher (http://ryjl3-tyaaa-aaaaa-aaaba-cai.localhost:8000/:39:21)"
}

I assume this is because I am using localhost subdomains, and the certificate verification process is not looking for that…perhaps?

More information about why I am using localhost subdomains: How does replica know which canister to serve from - #9 by nomeata

1 Like

I’m pretty sure that this is caused by the new update that hardcodes the mainnet rootkey into the HttpAgent. After initializing, you can call agent.fetchRootKey() to use the signature of your local replica.

We have an open improvement item to automatically do this during local development, and I apologize for pushing that responsibility out onto the developer in the meantime.

5 Likes

This worked! Thank you

Note that ideally you should not be calling .fetchRootKey() in the production build that you upload to the Internet Computer, else you lose the security properties of update call responses, i.e. a man-in-the-middle attack could forge the certificates.

4 Likes

Duly noted, thank you

Where should we put this call if we are running the local identity service? This is what I’m running into with Running locally: Fail to verify certificate · Issue #291 · dfinity/internet-identity · GitHub

I stuck it a couple of places in iiConnection.ts. Looks like it is routed around in prod and for some reason, the identity project builds in production mode.

I’m not sure what your code looks like, but I put the call (it’s asynchronous so make sure to wait for the promise to resolve) before my own update call.
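
The advice in this thread (call fetchRootKey() against the local replica, but never in the production build) can be enforced with a guard. This is an added example, not code from any poster or from @dfinity/agent; `isLocalReplicaHost`, `ensureRootKey` and the `production` option are hypothetical names, and `agent` is assumed to be any object with an async fetchRootKey() method, such as an HttpAgent.

```javascript
// Added example. Helper names are hypothetical; only fetchRootKey() comes
// from the thread. The guard fails closed: anything that is not clearly a
// local replica keeps the hard-coded mainnet root key.

// True only for loopback hosts, including localhost subdomains such as
// <canister-id>.localhost:8000 used in the original question.
function isLocalReplicaHost(url) {
  const { hostname } = new URL(url); // the URL parser lowercases the host
  return (
    hostname === "localhost" ||
    hostname.endsWith(".localhost") ||
    hostname === "127.0.0.1" ||
    hostname === "[::1]"
  );
}

// Fetches the replica's root key only when BOTH conditions hold:
// the build is not a production build and the replica host is local.
// Resolves to true if the key was fetched, false if it was skipped.
async function ensureRootKey(agent, replicaUrl, { production = false } = {}) {
  if (production || !isLocalReplicaHost(replicaUrl)) {
    return false;
  }
  await agent.fetchRootKey(); // must resolve before the first update call
  return true;
}

// Constructed demo with a stub agent (no network access needed).
async function runDemo() {
  const stubAgent = { calls: 0, async fetchRootKey() { this.calls += 1; } };
  const cases = [
    ["http://ryjl3-tyaaa-aaaaa-aaaba-cai.localhost:8000/", { production: false }],
    ["http://ryjl3-tyaaa-aaaaa-aaaba-cai.localhost:8000/", { production: true }],
    ["https://localhost.example.com/", { production: false }], // look-alike host
  ];
  const results = [];
  for (const [url, opts] of cases) {
    results.push({ url, ...opts, fetched: await ensureRootKey(stubAgent, url, opts) });
  }
  return results;
}

runDemo().then((rows) => console.log(rows));
```

In an application, `await ensureRootKey(agent, host, { production })` would run once after constructing the agent and before the first update call, with `production` taken from whatever build flag the bundler exposes.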