node.js openssl vercel private-key node-crypto

ERR_OSSL_UNSUPPORTED using octokit in vercel deployment


I use nuxt (nitro as backend) and have an error in one of my endpoints which is the callback endpoint for a github app installation. In that endpoint I just import user data into our database.

I don't get it, the github app runs on vercel too, and I added the privateKey the same way as I did now. This has to have to do with octokit. All of the secrets are valid, I checked like 5 times. What is wrong here?

My environment in production:

The function that causes the error:

const { data: installation } = await octokit.rest.apps.getInstallation({
  installation_id: installationId
})

Everything works fine locally, but when I deploy it on vercel, I get the following error:

Error: error:1E08010C:DECODER routines::unsupported
    at createPrivateKey (node:internal/crypto/keys:632:12)
    at convertPrivateKey (file:///var/task/node_modules/universal-github-app-jwt/lib/crypto-node.js:11:10)
    at getToken (file:///var/task/node_modules/universal-github-app-jwt/lib/get-token.js:19:31)
    at githubAppJwt (file:///var/task/node_modules/universal-github-app-jwt/index.js:32:23)
    at getAppAuthentication (file:///var/task/node_modules/@octokit/auth-app/dist-node/index.js:14:37)
    at hook (file:///var/task/node_modules/@octokit/auth-app/dist-node/index.js:315:37)
    at async requestWithGraphqlErrorHandling (file:///var/task/node_modules/@octokit/plugin-retry/dist-bundle/index.js:36:20)
    at async Job.doExecute (/var/task/node_modules/bottleneck/light.js:405:18) {
  library: 'DECODER routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_UNSUPPORTED'
}

If I understand correctly, the problem is that the openssl version is not compatible with the nodejs version, right?

What I tried:

  1. NEPTUN_GITHUB_APP_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----xxx-----END RSA PRIVATE KEY-----" (first attempt, wrapped in quotes just like locally), also tried -----BEGIN RSA PRIVATE KEY-----\nxxx\n-----END RSA PRIVATE KEY-----
  2. privateKey: process.env.NEPTUN_GITHUB_APP_PRIVATE_KEY?.replace(/\n/g, '\n') (adding .replace for linebreaks)
  3. setting NODE_OPTIONS=--openssl-legacy-provider

caused:

Error: error:1E08010C:DECODER routines::unsupported
    at createPrivateKey (node:internal/crypto/keys:632:12)
    at convertPrivateKey (file:///var/task/node_modules/universal-github-app-jwt/lib/crypto-node.js:11:10)
    at getToken (file:///var/task/node_modules/universal-github-app-jwt/lib/get-token.js:19:31)
    at githubAppJwt (file:///var/task/node_modules/universal-github-app-jwt/index.js:32:23)
    at getAppAuthentication (file:///var/task/node_modules/@octokit/auth-app/dist-node/index.js:14:37)
    at hook (file:///var/task/node_modules/@octokit/auth-app/dist-node/index.js:315:37)
    at async requestWithGraphqlErrorHandling (file:///var/task/node_modules/@octokit/plugin-retry/dist-bundle/index.js:36:20)
    at async Job.doExecute (/var/task/node_modules/bottleneck/light.js:405:18) {
  library: 'DECODER routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_UNSUPPORTED'
}

and

Unable to load legacy provider.
#  node[3]: v8::Maybe<bool> node::crypto::CipherJob<CipherTraits>::ToResult(v8::Local<v8::Value>*, v8::Local<v8::Value>*) [with CipherTraits = node::crypto::AESCipherTraits] at ../src/crypto/crypto_cipher.h:262
#  Assertion failed: errors->Empty()
----- Native stack trace -----
1: 0x55e379de39ac node::Assert(node::AssertionInfo const&) [node]
2: 0x55e379f7f77c node::crypto::CryptoJob<node::crypto::AESCipherTraits>::AfterThreadPoolWork(int) [node]
3: 0x55e37ab42fc9  [node]
4: 0x55e37ab48193  [node]
5: 0x55e37ab60b73  [node]
6: 0x55e37ab49227 uv_run [node]
7: 0x55e379cd4146 node::SpinEventLoopInternal(node::Environment*) [node]
8: 0x55e379e3b3f6  [node]
9: 0x55e379e3bf5c node::NodeMainInstance::Run() [node]
10: 0x55e379d920c3 node::Start(int, char**) [node]
11: 0x7fb593021eb0  [/lib64/libc.so.6]
12: 0x7fb593021f60 __libc_start_main [/lib64/libc.so.6]
13: 0x55e379cd1465 _start [node]
Node.js process exited with signal: 6 (SIGABRT). The logs above can help with debugging the issue.

What I found:


Solution

  • Thanks to: https://github.com/octokit/octokit.js/issues/2623#issuecomment-1928596166

    I have no clue why it didn't work without that, but I changed my runtimeConfig to the following:

      runtimeConfig: {
        github: {
          app: {
            webhookSecret: process.env.GITHUB_APP_WEBHOOK_SECRET,
            appId: process.env.GITHUB_APP_ID,
            clientId: process.env.GITHUB_APP_GITHUB_CLIENT_ID,
            clientSecret: process.env.GITHUB_APP_GITHUB_CLIENT_SECRET,
            // GITHUB_APP_PRIVATE_KEY holds the base64-encoded PEM file;
            // decode it back to the multi-line PEM text here.
            privateKey: Buffer.from(
              String(
                process.env.GITHUB_APP_PRIVATE_KEY?.replace(/\\n/g, '\n').trim()
              ),
              "base64",
            ).toString("utf-8")
          }
        },
      }
    

    I'm not sure why it didn't work the way I did it for my other projects. I tried to fix it with 3 other "solutions" and wasted a lot of time doing so. That is the only approach that worked. I will start to encode all of my privateKeys in the future, because I guess that is the most robust way.
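
A loader that accepts the env-var shapes tried in this post (quoted, literal `\n`, flattened, base64) and validates the key once at load time, so a bad value fails with a clear message instead of `ERR_OSSL_UNSUPPORTED` inside a request. This is an added example, not code from the original post or from octokit; `loadPrivateKeyPem` and `demo` are hypothetical names, and it assumes an unencrypted PEM key.

```javascript
// Added example: normalise a PEM private key read from an environment variable.
const crypto = require("node:crypto");

const PEM_RE = /-----BEGIN ([A-Z ]*PRIVATE KEY)-----([A-Za-z0-9+/=\s]+)-----END \1-----/;

// Accepts multi-line PEM, PEM with literal "\n" sequences, PEM flattened onto
// one line, or base64 of the whole PEM file (the approach in the answer above).
function loadPrivateKeyPem(raw) {
  if (typeof raw !== "string" || raw.trim() === "") {
    throw new Error("private key variable is missing or empty");
  }
  let text = raw.trim().replace(/^["']|["']$/g, ""); // stray wrapping quotes
  if (!text.includes("-----BEGIN")) {
    text = Buffer.from(text, "base64").toString("utf8"); // base64-wrapped PEM
  }
  text = text.replace(/\\n/g, "\n"); // literal backslash-n -> real newline
  const match = PEM_RE.exec(text);
  if (!match) throw new Error("no unencrypted PEM private key block found");
  const [, label, body] = match;
  // Rebuild canonical PEM: header, 64-character base64 lines, footer.
  const lines = body.replace(/\s+/g, "").match(/.{1,64}/g) || [];
  const pem = `-----BEGIN ${label}-----\n${lines.join("\n")}\n-----END ${label}-----\n`;
  crypto.createPrivateKey(pem); // throws here, at load time, if still undecodable
  return pem;
}

function demo() {
  // Constructed sample: a throwaway RSA key generated locally (PKCS#1 PEM),
  // not a real GitHub App key.
  const { privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs1", format: "pem" },
  });
  const escaped = privateKey.trim().replace(/\n/g, "\\n");
  const variants = {
    multiline: privateKey,
    escaped,
    quoted: `"${escaped}"`,
    flattened: privateKey.trim().replace(/\n/g, " "),
    base64: Buffer.from(privateKey).toString("base64"),
  };
  const expected = loadPrivateKeyPem(privateKey);
  // Report only whether each shape normalises to the same PEM; never log the key.
  return Object.fromEntries(
    Object.entries(variants).map(([k, v]) => [k, loadPrivateKeyPem(v) === expected]));
}

console.log(demo());
```
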