I’m getting a UNABLE_TO_GET_ISSUER_CERT error when running a function (in preview and through actual ontology action) using data connection source configured with a server and a client certificate.
Here is a simplified version of my code:
Typescript function isn’t using cert from the source config ?
Is there a way to get the client and server certificate in Typescript function ?
Runtime cannot see the issuer chain that your data connection uses. The function environment does not automatically use the client or server certificate from the source settings.
You need to load the certificate chain inside the function or point the request library to it so the handshake can complete.
I’d also recommend this guide - https://cheapsslweb.com/blog/fixing-unable-to-get-issuer-cert-locally-error/
After discussing with the Palantir support team and doing some investigation:
Function runtime is using certificates configured in Source config UI. However, webhook runtime is more permissive than Function runtime. For example in this case, setting the server certificate was enough for the webhook to suceed (otherwise SSL handshake error) but the function would fail because it does not trust the issuer. So you would need to add the issuer certificate.
I was able to identify that by using the Terminal Console in the source config UI and using openssl command.
(Note: As mentioned in the doc, “certificates configured in the UI are not directly included in the terminal environment” so you need to create temporary files to reference them in the openssl command.)
Hopefully this can help other users facing the same problem.
