workers-sdk: 🐛 BUG: Wrangler dev fails to fetch()

Which Cloudflare product(s) does this pertain to?

Wrangler

What version of `Wrangler` are you using?

3.0.0

What operating system are you using?

Windows 10

Describe the Bug

After updating to the latest version, fetch API calls started to fail in wrangler dev. Fails on any website, even the mighty google.com Rolled back to v2.19.0 - everything works fine again. A bit more of the context: I’m using fetch to call WIX’es REST API, via https, as expected. The 3.0 version seems much faster, so I assume that some serious changes were applied under the hood. Sometimes I can see mention of WSA in this error messages, and WSA is a part of Windows networking APIs, somewhat suspicions to me to see it here. Well, I haven’t rebooted my system after updating, we’re not in 1999, shouldn’t be the cause of the problem, huh 😁

Screenshot:

About this issue

Original URL
State: closed
Created a year ago
Reactions: 14
Comments: 16 (2 by maintainers)

Commits related to this issue

Use Node's root certificates on Windows `workerd`'s `trustBrowserCas` uses `SSL_CTX_set_default_verify_paths()` to enable the system trust store. Unfortunately, this doesn't work on Windows, meaning ... — committed to cloudflare/miniflare by mrbbot a year ago
Trust CA root certificates on Windows and `NODE_EXTRA_CA_CERTS` (#587) * Use Node's root certificates on Windows `workerd`'s `trustBrowserCas` uses `SSL_CTX_set_default_verify_paths()` to enable ... — committed to cloudflare/miniflare by mrbbot a year ago
fix: update miniflare dependency to resolve HTTPS bug on Windows Closes #3264 Closes #3218 — committed to petebacondarwin/wrangler2 by petebacondarwin a year ago
Trust CA root certificates on Windows and `NODE_EXTRA_CA_CERTS` (#587) * Use Node's root certificates on Windows `workerd`'s `trustBrowserCas` uses `SSL_CTX_set_default_verify_paths()` to enable ... — committed to cloudflare/workers-sdk by mrbbot a year ago
Trust CA root certificates on Windows and `NODE_EXTRA_CA_CERTS` (#587) * Use Node's root certificates on Windows `workerd`'s `trustBrowserCas` uses `SSL_CTX_set_default_verify_paths()` to enable ... — committed to cloudflare/workers-sdk by mrbbot a year ago
Trust CA root certificates on Windows and `NODE_EXTRA_CA_CERTS` (#587) * Use Node's root certificates on Windows `workerd`'s `trustBrowserCas` uses `SSL_CTX_set_default_verify_paths()` to enable ... — committed to cloudflare/workers-sdk by mrbbot a year ago
Trust CA root certificates on Windows and `NODE_EXTRA_CA_CERTS` (#587) * Use Node's root certificates on Windows `workerd`'s `trustBrowserCas` uses `SSL_CTX_set_default_verify_paths()` to enable ... — committed to cloudflare/workers-sdk by mrbbot a year ago

Most upvoted comments

For the error failed: TLS peer's certificate is not trusted; reason = unable to get local issuer certificate I found that you can export SSL_CERT_FILE to get around this problem. In my case I run export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt.

I use NixOS, and have created a reproduction at scottwillmoore/cloudflare-workers-with-nix.

EDIT: My reproduction uses wrangler@3.3.0.

scottwillmoore on Jul 20, 2023

@mrbbot appreciate the update, unfortunately even the latest miniflare (3.0.2) doesn’t seem to solve the issue either.

└─┬ wrangler@3.1.1
  └── miniflare@3.0.2

bryanlatten on Jul 11, 2023

Same here, unable to use plain “wrangler dev” after uprading to 3.0.0. Using Windows 11.

My app also uses fetch() to external APIs.

Using “wrangler dev --remote” appears to work with 3.0.0.

workerd/jsg/util.c++:276: error: e = kj/compat/tls.c++:215: failed: TLS peer's certificate is not trusted; reason = self signed certificate in certificate chain                      
stack: 7ff769b98a6f 7ff769bdc9dd 0 0 0 0 0 0 0 0 0 0; sentryErrorContext = jsgInternalError

kristjanmar on May 20, 2023

Hey everyone! 👋 This should be fixed with miniflare@3.0.1. wrangler’s version constraint for miniflare is ^3.0.0, so you should be able to run npm update miniflare to get the latest version and fix the issue now. We’ll release a version of Wrangler with miniflare@3.0.1 set as the minimum version soon. 👍

mrbbot on Jul 11, 2023

im using cloudlflare queues, and --remote does not support queues yet 😦 ==> https://github.com/cloudflare/workerd/issues/855

catch22 ==> im dead in the water here… please help

alexdoan102 on Jul 11, 2023

Hey! 👋 Thanks for raising this. I think this issue only affects secure https: fetch()es on Windows. Will try get this fixed. 👍 For now, you may want to use wrangler dev --remote which runs your Worker on the Cloudflare network, or stay on Wrangler 2 and use wrangler dev --local for local development.

mrbbot on Jul 11, 2023

if its any clue - it seems exacerbated when I attempt to run workers in the background

bryanlatten on Jun 26, 2023

Reading between the lines of the linked PR cloudflare/workers-sdk#3352, I was able to work around this by adding the following to my package.json:

  "resolutions": {
    "miniflare": "3.0.1"
  }

Probably not the best idea to pin it like this long term, but it allowed me to get back to work.

bennor-akqa on Jul 11, 2023

Same issue, Wrangler 3.0.0, local, Windows 11. Command wrangler pages dev

RichiCoder1 on May 22, 2023

Wanted to also add this popus up during try/catch

workerd/jsg/util.c++:276: error: e = kj/compat/tls.c++:215: failed: TLS peer's certificate is not trusted; reason = unable to get local issuer certificate
stack: 7ff76b8e8a6f 7ff76b92c9dd 0 0 0 0 0 0 0 0 0 0; sentryErrorContext = jsgInternalError

but when the whole worker response itself wraps up, it also emits

workerd/jsg/util.c++:276: error: e = kj/async-io-win32.c++:294: failed: ConnectEx(): cloudflare/workers-sdk#1225 The remote computer refused the network connection.
stack: 7ff76b8e8950 0 0 0 0 0 0 0 0 0 0 0 0 0 7ff76b8f6234; sentryErrorContext = jsgInternalError

Also WSL (Ubuntu 22) on the same computer works just fine

demosjarco on Jul 11, 2023