X509 certificate error codes

Multiple functions can fail due to certificate errors that are reported by OpenSSL. In such a case, the function provides an <Error> via its callback; the error's code property can take one of the following values:

  • 'UNABLE_TO_GET_ISSUER_CERT': Unable to get issuer certificate.
  • 'UNABLE_TO_GET_CRL': Unable to get certificate CRL.
  • 'UNABLE_TO_DECRYPT_CERT_SIGNATURE': Unable to decrypt certificate's signature.
  • 'UNABLE_TO_DECRYPT_CRL_SIGNATURE': Unable to decrypt CRL's signature.
  • 'UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY': Unable to decode issuer public key.
  • 'CERT_SIGNATURE_FAILURE': Certificate signature failure.
  • 'CRL_SIGNATURE_FAILURE': CRL signature failure.
  • 'CERT_NOT_YET_VALID': Certificate is not yet valid.
  • 'CERT_HAS_EXPIRED': Certificate has expired.
  • 'CRL_NOT_YET_VALID': CRL is not yet valid.
  • 'CRL_HAS_EXPIRED': CRL has expired.
  • 'ERROR_IN_CERT_NOT_BEFORE_FIELD': Format error in certificate's notBefore field.
  • 'ERROR_IN_CERT_NOT_AFTER_FIELD': Format error in certificate's notAfter field.
  • 'ERROR_IN_CRL_LAST_UPDATE_FIELD': Format error in CRL's lastUpdate field.
  • 'ERROR_IN_CRL_NEXT_UPDATE_FIELD': Format error in CRL's nextUpdate field.
  • 'OUT_OF_MEM': Out of memory.
  • 'DEPTH_ZERO_SELF_SIGNED_CERT': Self-signed certificate.
  • 'SELF_SIGNED_CERT_IN_CHAIN': Self-signed certificate in certificate chain.
  • 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY': Unable to get local issuer certificate.
  • 'UNABLE_TO_VERIFY_LEAF_SIGNATURE': Unable to verify the first certificate.
  • 'CERT_CHAIN_TOO_LONG': Certificate chain too long.
  • 'CERT_REVOKED': Certificate revoked.
  • 'INVALID_CA': Invalid CA certificate.
  • 'PATH_LENGTH_EXCEEDED': Path length constraint exceeded.
  • 'INVALID_PURPOSE': Unsupported certificate purpose.
  • 'CERT_UNTRUSTED': Certificate not trusted.
  • 'CERT_REJECTED': Certificate rejected.
  • 'HOSTNAME_MISMATCH': Hostname mismatch.

When certificate errors like UNABLE_TO_VERIFY_LEAF_SIGNATURE, DEPTH_ZERO_SELF_SIGNED_CERT, or UNABLE_TO_GET_ISSUER_CERT occur, Node.js appends a hint suggesting that, if the root CA is installed locally, the program be run with the --use-system-ca flag. The hint directs developers towards a secure solution and away from unsafe workarounds.
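The following is an added example, not code from the Node.js documentation or project: it triages an error by its code property using the values listed above, and reports settings that switch certificate verification off so that startup can refuse them. The function names, the grouping and the action strings are assumptions made for illustration; the page does not name the unsafe workarounds, and the two checked here (the NODE_TLS_REJECT_UNAUTHORIZED environment variable and the rejectUnauthorized TLS option) are existing Node.js settings chosen for the example.

```javascript
// Added example, not Node.js project code. The sample error is constructed.

// The three codes the page names as receiving the --use-system-ca hint.
const HINTED = new Set(['UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'DEPTH_ZERO_SELF_SIGNED_CERT', 'UNABLE_TO_GET_ISSUER_CERT']);

// Further codes from the list above, grouped by what to check first (assumed grouping).
const GROUPS = {
  trust: ['UNABLE_TO_GET_ISSUER_CERT_LOCALLY', 'SELF_SIGNED_CERT_IN_CHAIN',
    'CERT_UNTRUSTED', 'INVALID_CA'],
  validity: ['CERT_NOT_YET_VALID', 'CERT_HAS_EXPIRED'],
  revocation: ['CERT_REVOKED', 'UNABLE_TO_GET_CRL', 'CRL_HAS_EXPIRED'],
  identity: ['HOSTNAME_MISMATCH', 'INVALID_PURPOSE'],
};
const ACTIONS = {
  trust: 'supply the missing issuer or root CA to the trust store',
  validity: 'check the local clock, then renew the certificate',
  revocation: 'replace the certificate or refresh the CRL',
  identity: 'connect using a name and purpose the certificate covers',
};

// Map an error to a triage record; verification is never relaxed here.
function triageCertError(err) {
  const code = err && err.code;
  if (HINTED.has(code)) {
    return { code, group: 'trust', useSystemCa: true,
      action: 'if the root CA is installed locally, run with --use-system-ca' };
  }
  for (const [group, codes] of Object.entries(GROUPS)) {
    if (codes.includes(code)) {
      return { code, group, useSystemCa: false, action: ACTIONS[group] };
    }
  }
  return { code, group: 'other', useSystemCa: false, action: 'not a listed certificate error' };
}

// Report settings that switch verification off, so startup can refuse them.
function findUnsafeWorkarounds(env, tlsOptions = {}) {
  const found = [];
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') found.push('NODE_TLS_REJECT_UNAUTHORIZED=0');
  if (tlsOptions.rejectUnauthorized === false) found.push('rejectUnauthorized: false');
  return found;
}

// Constructed sample: a self-signed leaf, then the current process environment.
const sample = Object.assign(new Error('self-signed certificate'),
  { code: 'DEPTH_ZERO_SELF_SIGNED_CERT' });
console.log(triageCertError(sample));
console.log(findUnsafeWorkarounds(process.env));
```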