Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology

unable to verify the first certificate with node.js

I am trying to read a datagroup using node.js and am receiving the message "unable to verify the first certificate".

I have confirmed the command manually with curl and it does return the datagroup as expected:

curl -sk -uadmin:admin -v

result:   …"records":[{"name":"test","data":"test"}]

f5_data_group.js has the following

var bigip = new iControl({
  host: '',
  proto: 'https',
  port: '443',
  username: 'admin',
  pass: 'admin',
  strict: 'false',
  debug: 'true'

var dgPath = '/ltm/data-group/internal/~acc~dgroup';
exports.getDataGroup = function(callback) {
  bigip.list(dgPath, function(err, res) {
      console.log( 'bigip.list dgPath:',dgPath,'err:',err);

Console.log is giving the following message:

plugin[/acc/f5_mfa_plugin.f5_mfa_extension] bigip.list dgPath: /ltm/data-group/internal/~acc~dgroup err: { [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }

I assume it might have to do with using self signed certificate on the big-ip however strict is set to false above.

Any suggestions?

APM 12.1.2

Rate this Question

Answers to this Question


Hi David, TMUI (the web GUI listening on port 443) only listens on port 443 and TLS is required. This is the only way to talk to iControl REST from off box.

However, when calling localhost you can call iControl REST directly on port 8100, bypassing TMUI and forgoing the need for TLS. This will work with basic auth, token auth would be possible but would be a different workflow.

One FYI to add about making REST calls to data groups (which you may already know); data groups are collections (vs sub-collections). What this means that if you want to update even one value, your REST call must contain all records including changes (not just the changed records).

Comments on this Answer
Comment made 12-Sep-2017 by David G. 368

Very cool - I didn't know you could do this and it works fine from the console:

curl -uadmin:admin http://localhost:8100/mgmt/tm/ltm/data-group/internal/~acc~dgroup

I made the following change:

var bigip = new iControl({
  host: 'localhost',
  proto: 'http',
  port: '8100',
  username: 'admin',
  pass: 'admin',
  strict: 'false',
  debug: 'true'

but now get a "HPE_INVALID_CONSTANT" error:

bigip.list dgPath: /ltm/data-group/internal/~acc~dgroup err: { [Error: Parse Error] bytesParsed: 0, code: 'HPE_INVALID_CONSTANT' }

I am true noob using node.js and don't really know how to debug this very well yet. Any suggestions are appreciated.



Which node library are you using? I have a Node.js script using the core https module accessing the REST interface without a problem. I did have to set the rejectUnauthorized attribute to not to validate the self cert.

A section of the code looks like this:

  var http_opts = {
    host: BIGIP,
    method: verb,
    port: 443,
    rejectUnauthorized: 0,
    path: resource

  var http_headers = {
    'Content-Type': 'application/json'

  // Authentication Method

user = USER;
pass = PASS;

  if ( user && pass ) { http_opts["auth"] = user + ":" + pass; }
  else if ( token )   { http_headers["X-F5-Auth-Token"] = token; }

  // BODY?
  if ( body ) { http_headers["Content-Length"] = body.length; }

  http_opts["headers"] = http_headers;

  var content = "";
  var req = https.request(http_opts, function(res) {
Comments on this Answer
Comment made 20-Sep-2017 by David G. 368

I am using the icontrol library. We are actually using internally signed certs so is there must be a place where I can load my root CA so that it is leveraged here. Any idea where this goes?

Also, since everything is on-box is there any reason I would want to use https vs sticking with http on port 8100?

Last but not least, I am new at using node.js so if I can just get something as simple as the equivalent of "curl -uadmin:password"; to work then I think I could take it from there. I am working on this but haven't gotten all the pieces figured out just yet. If anyone has something they could share it sure would be appreciated.

Comment made 21-Sep-2017 by Joe Pruitt 6266

If you are on box, you can use port 8100 with http without a problem. the 443 port gets routed through this anyway on the backend so it's less overhead to use it over 443.

Which iControl library are you using? There are a few out there but I don't believe F5 has published one.

For the simple node.js wrapper I've used that wraps all the connection stuff. It does default to 443 so you'd have to change that if you want to go over port 8100. Code is at: icr.js