Problem
I wrote a minimal server that requires a client certificate, but it always rejects connections with the following authorizationError: DEPTH_ZERO_SELF_SIGNED_CERT. I set out the steps that I followed below; they are pretty simple, so you should be able to reproduce it in a few minutes if you want to "try it at home." This is with Node.js 10.10.24. Am I doing something wrong?
What I've done
First, I generated self-signed client and server certificates as follows (instructions from Client Side Certificate Auth in Nginx), in the ssl directory.
```sh
# CA key (passphrase-protected with 3DES) and self-signed CA certificate
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Server key, CSR, and certificate signed by the CA (serial 01)
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Client key, CSR, and certificate signed by the same CA (also serial 01)
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
```
Then I run the following program with Node.js (i.e. put it in server.js and run node server.js ).
```javascript
var https = require('https');
var fs = require('fs');

var options = {
  key: fs.readFileSync('ssl/server.key'),
  cert: fs.readFileSync('ssl/server.crt'),
  // Trust anchor used to verify the client certificate
  ca: fs.readFileSync('ssl/ca.crt'),
  // Ask the client for a certificate, but do not drop the connection
  // when verification fails: the handler decides based on req.client.authorized
  requestCert: true,
  rejectUnauthorized: false
};

https.createServer(options, function (req, res) {
  if (req.client.authorized) {
    res.writeHead(200, {"Content-Type": "application/json"});
    res.end('{"status":"approved"}');
    console.log("Approved Client ", req.client.socket.remoteAddress);
  } else {
    res.writeHead(401, {"Content-Type": "application/json"});
    res.end('{"status":"denied"}');
    // authorizationError holds the OpenSSL verification error name
    console.log('authorizationError:', req.client.authorizationError);
    console.log("Denied Client ", req.client.socket.remoteAddress);
  }
}).listen(5678);
```
Finally, I try to connect with curl:
```sh
curl -v -s -k --key ssl/client.key --cert ssl/client.crt https://localhost:5678
```
Here it fails with authorizationError: DEPTH_ZERO_SELF_SIGNED_CERT. I read that people have more luck setting process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; and not using rejectUnauthorized: false, but that doesn't seem to affect my case.
avernet
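The following is an added example, not part of the question above. Node.js verifies client certificates with OpenSSL, and OpenSSL treats a certificate as self-signed when its issuer name equals its own subject name; if such a certificate is not itself in the trust store, verification stops at depth 0 with DEPTH_ZERO_SELF_SIGNED_CERT. RFC 5280 also requires every certificate issued by one CA to carry a distinct serial number. The script below therefore builds a CA, a server certificate and a client certificate whose subject names and serial numbers all differ, adds the extensions a verifier expects (basicConstraints, keyUsage, extendedKeyUsage, a SAN for the server), and then checks each leaf against the CA with `openssl verify`, which runs the same verification code Node relies on. The names "Test CA", "localhost" and "test-client", the output directory and the file names are assumptions; it writes unencrypted keys, unlike the `-des3` commands in the question.

```shell
#!/bin/sh
# Added example (not from the original post): build a CA, a server cert and a
# client cert whose subject names and serial numbers all differ, then verify
# both leaves against the CA. "Test CA", "localhost" and "test-client" are
# assumed names.
set -eu

# Write a minimal OpenSSL config so the script does not depend on the system
# openssl.cnf; the sections give the CA and the two leaves their extensions.
write_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# gen_pki DIR: create ca.{key,crt}, server.{key,crt}, client.{key,crt} in DIR.
# Keys are written unencrypted (-nodes) so a server can load them without a
# passphrase; restrict permissions on DIR accordingly.
gen_pki() {
  dir="$1"
  mkdir -p "$dir"
  write_config "$dir"
  cfg="$dir/openssl.cnf"

  # 1. Self-signed CA: the only certificate whose subject equals its issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$cfg" -extensions ca_ext -subj "/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # 2. Server leaf: its own subject, signed by the CA, serial 1.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
    -subj "/CN=localhost" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial 1 \
    -extfile "$cfg" -extensions server_ext -out "$dir/server.crt" 2>/dev/null

  # 3. Client leaf: another subject and a serial that differs from the server's.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
    -subj "/CN=test-client" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial 2 \
    -extfile "$cfg" -extensions client_ext -out "$dir/client.crt" 2>/dev/null
}

# verify_with_ca CA_CRT CERT [PURPOSE]: exit 0 when CERT chains to CA_CRT
# (and, if PURPOSE such as sslclient or sslserver is given, fits that purpose).
verify_with_ca() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# cert_name subject|issuer CERT: the DN in RFC 2253 form, e.g. "CN=Test CA".
cert_name() {
  openssl x509 -noout -nameopt RFC2253 "-$1" -in "$2" | sed 's/^[^=]*= *//'
}

# cert_serial CERT: the hex serial number, e.g. "01".
cert_serial() {
  openssl x509 -noout -serial -in "$1" | sed 's/^[^=]*= *//'
}

# Demo: PKI_DIR=ssl sh make_pki.sh  (then point server.js and curl at ssl/).
if [ -n "${PKI_DIR:-}" ]; then
  gen_pki "$PKI_DIR"
  for leaf in server client; do
    printf '%s: subject=%s issuer=%s serial=%s\n' "$leaf" \
      "$(cert_name subject "$PKI_DIR/$leaf.crt")" \
      "$(cert_name issuer "$PKI_DIR/$leaf.crt")" \
      "$(cert_serial "$PKI_DIR/$leaf.crt")"
  done
  verify_with_ca "$PKI_DIR/ca.crt" "$PKI_DIR/server.crt" sslserver && echo "server.crt: OK"
  verify_with_ca "$PKI_DIR/ca.crt" "$PKI_DIR/client.crt" sslclient && echo "client.crt: OK"
fi
```

With the files in `ssl/`, the server from the question loads them unchanged, and the `openssl verify -purpose sslclient` check mirrors what the server's `req.client.authorized` will report for `client.crt`.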