fix(@angular/build): support NODE_EXTRA_CA_CERTS in SSR SSL plugin

alan-agius4 · alan-agius4 · commit 88c18ce68585 · 2025-12-08T16:07:54.000Z
This commit adds support for the 'NODE_EXTRA_CA_CERTS' environment variable when configuring the global dispatcher for the SSR SSL plugin. This ensures that custom CA certificates specified via this environment variable are correctly trusted. Closes #31983 (cherry picked from commit 6d21220)
diff --git a/packages/angular/build/src/tools/vite/plugins/ssr-ssl-plugin.ts b/packages/angular/build/src/tools/vite/plugins/ssr-ssl-plugin.ts
@@ -6,7 +6,8 @@
  * found in the LICENSE file at https://angular.dev/license
  */
 
-import { rootCertificates } from 'node:tls';
+import { readFile } from 'node:fs/promises';
+import { getCACertificates, rootCertificates, setDefaultCACertificates } from 'node:tls';
 import type { Plugin } from 'vite';
 
 export function createAngularServerSideSSLPlugin(): Plugin {
@@ -35,17 +36,30 @@ export function createAngularServerSideSSLPlugin(): Plugin {
         httpServer.ALPNProtocols = ['http/1.1'];
       }
 
-      // TODO(alanagius): Replace `undici` with `tls.setDefaultCACertificates` once we only support Node.js 22.18.0+ and 24.5.0+.
-      // See: https://nodejs.org/api/tls.html#tlssetdefaultcacertificatescerts
+      const { cert } = https;
+      const additionalCerts = Array.isArray(cert) ? cert : [cert];
+
+      // TODO(alanagius): Remove the `if` check once we only support Node.js 22.18.0+ and 24.5.0+.
+      if (getCACertificates && setDefaultCACertificates) {
+        const currentCerts = getCACertificates('default');
+        setDefaultCACertificates([...currentCerts, ...additionalCerts]);
+
+        return;
+      }
+
+      // TODO(alanagius): Remove the below and `undici` dependency once we only support Node.js 22.18.0+ and 24.5.0+.
       const { getGlobalDispatcher, setGlobalDispatcher, Agent } = await import('undici');
       const originalDispatcher = getGlobalDispatcher();
-      const { cert } = https;
-      const certificates = Array.isArray(cert) ? cert : [cert];
+      const ca = [...rootCertificates, ...additionalCerts];
+      const extraNodeCerts = process.env['NODE_EXTRA_CA_CERTS'];
+      if (extraNodeCerts) {
+        ca.push(await readFile(extraNodeCerts));
+      }
 
       setGlobalDispatcher(
         new Agent({
           connect: {
-            ca: [...rootCertificates, ...certificates],
+            ca,
           },
         }),
       );
