
Encountered the following error?

Error: self signed certificate in certificate chain
Stack: Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (_tls_wrap.js:1515:34)
    at TLSSocket.emit (events.js:400:28)
    at TLSSocket.emit (domain.js:475:12)
    at TLSSocket._finishInit (_tls_wrap.js:937:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:709:12)
    at TLSWrap.callbackTrampoline (internal/async_hooks.js:130:17)

So have I!

While testing a new feature of AWS named Synthetic Canaries, I encountered a problem with my API endpoint that used self-signed certificates. My canary would always fail purely because the certificate could not be validated. So I tried searching for an option on how to disable it and used the following to fix it.

Now first of all, the packages Synthetics and SyntheticsLogger are both modules that AWS themselves made but haven’t released through “normal” channels like npm. You can find the documentation on the AWS Documentation website.

A quick search for certificate options came back empty-handed, but I did notice one thing: the Synthetic package depends on the HTTP package of NodeJS itself, which resolves to the HTTPS package of NodeJS when it encounters HTTPS URLs, which in turn depends on the TLS package for the… TLS part.

Now this package has an option named rejectUnauthorized, and the good news for us is that, as the description tells us, it can skip the certificate check.

If not false the server will reject any connection which is not authorized with the list of supplied CAs. This option only has an effect if requestCert is true. Default: true.

Alright! The good news was that while skimming the http.request -> https.request -> tls… methods I noticed they all pass their options through to each other, so HTTP will also understand rejectUnauthorized.

So the code for our Synthetic request will look like this:

let requestOptionsStep1 = {
    hostname: '10.11.11.203',
    method: 'GET',
    path: '/healthy',
    port: '443',
    protocol: 'https:',
    body: "",
    headers: {},
    // Passed through to the TLS layer: the certificate is not validated
    rejectUnauthorized: false
};

And now it works without validating the certificate!
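
An alternative that leaves verification on, as an added example (not code from the original post or from AWS): trust the endpoint's own root through `ca` and pin its certificate fingerprint. It relies on the option pass-through described above; `trustedRequestOptions`, `normaliseFingerprint` and the sample PEM and fingerprint are hypothetical, constructed values.

```javascript
// Normalise "AB:cd:..." or "abcd..." to bare upper-case hex.
function normaliseFingerprint(fp) {
  return String(fp || '').replace(/:/g, '').toUpperCase();
}

// Build request options that keep certificate verification switched on.
//   caPem      - PEM text of the self-signed root the endpoint chains to
//   leafSha256 - SHA-256 fingerprint of the endpoint's own certificate
function trustedRequestOptions(base, caPem, leafSha256) {
  const expected = normaliseFingerprint(leafSha256);
  if (!/^[0-9A-F]{64}$/.test(expected)) {
    throw new TypeError('leafSha256 must be a SHA-256 fingerprint (64 hex digits)');
  }
  if (!String(caPem).includes('-----BEGIN CERTIFICATE-----')) {
    throw new TypeError('caPem must contain a PEM certificate');
  }
  // Drop any inherited rejectUnauthorized so a stray "false" cannot survive.
  const { rejectUnauthorized, ...rest } = base;
  return {
    ...rest,
    ca: caPem,                // trust this root in place of the default CA bundle
    rejectUnauthorized: true, // a failed chain check aborts the handshake
    // Node calls this once the chain has verified against `ca`.
    // Assumption: the canary addresses the endpoint by IP and the
    // certificate may carry no matching name, so the exact certificate is
    // pinned instead of matching the host name.
    checkServerIdentity(host, cert) {
      const actual = normaliseFingerprint(cert && cert.fingerprint256);
      if (actual !== expected) {
        return new Error(`certificate pin mismatch for ${host}`);
      }
      return undefined; // undefined means "identity accepted"
    },
  };
}

// Constructed sample values (not a real certificate or fingerprint).
const SAMPLE_CA_PEM = '-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n';
const SAMPLE_PIN = 'AB:'.repeat(31) + 'AB';
const requestOptionsStep1 = trustedRequestOptions({
  hostname: '10.11.11.203', method: 'GET', path: '/healthy', port: '443',
  protocol: 'https:', body: '', headers: {}, rejectUnauthorized: false,
}, SAMPLE_CA_PEM, SAMPLE_PIN);
```

The fingerprint of the real certificate can be read with `openssl x509 -noout -fingerprint -sha256 -in cert.pem`, where `cert.pem` stands for your own file.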
