Is it possible to bypass CERT_UNTRUSTED issue? #419

Closed
fpetitit opened this Issue Apr 25, 2013 · 28 comments

@fpetitit

Hello,
the proxy of my company transforms certificates, which brings "CERT_UNTRUSTED" errors.
Is it possible to add an option to Bower to continue in spite of this?

Thank you.

@satazor
Member
satazor commented Apr 25, 2013

Hmm are you getting this when hitting git? or the registry?

@fpetitit

Hi, it occurs when hitting Github.
Thx.

@fpetitit fpetitit closed this Apr 28, 2013
@fpetitit fpetitit reopened this Apr 28, 2013
@fpetitit

I also tried adding the following parameter, without success: GIT_SSL_NO_VERIFY=1

@satazor
Member
satazor commented May 4, 2013

Hmm.. If you solve the same issue using git directly in the command line, you should fix bower too

@satazor
Member
satazor commented May 29, 2013

@fpetitit did you manage to solve it?

Relevant to solving this http://stackoverflow.com/questions/12537763/git-ssl-without-env-git-ssl-no-verify-true.
We should do a git config on the GitResolver based on strict-ssl rc config.

@GUI
GUI commented Jun 6, 2013

I just ran into this with our company's SSL setup too. For me, it was happening when hitting the registry. I was able to get around it by changing the endpoint URL from HTTPS to HTTP in my ~/.bowerrc:

{
  "endpoint": "http://bower.herokuapp.com"
}

But this obviously isn't ideal from a security perspective, since it's not using HTTPS. I have a custom system-wide CA certs bundle file that properly sets up our company's SSL interceptor as a trusted source. Tools like git and curl seem to read from that, but does anyone know how to point bower to a custom CA certs file? Or this might be a more general nodejs issue, since I haven't had much luck with any nodejs tools and our company's SSL setup.

@satazor
Member
satazor commented Jun 28, 2013

Fixed in the rewrite with the strict-ssl config.

@satazor satazor closed this Jun 28, 2013
@satazor satazor reopened this Jun 28, 2013
@satazor
Member
satazor commented Jun 28, 2013

Actually this is probably not solved for git endpoints, only for the registry.

@satazor
Member
satazor commented Aug 4, 2013

@fpetitit can you give us an update on this?

@satazor
Member
satazor commented Aug 10, 2013

Closing due to lack of feedback.

@satazor satazor closed this Aug 10, 2013
@oakley808

I still have this problem. I'm also behind a corporate proxy.
This breaks bower, and also yeoman. :-(
Even though I set the bower endpoint to http, bower seems to try https
error Request to https://bower.herokuapp.com/packages/mocha failed: CERT_UNTRUSTED

System info:
Bower version: 1.3.6
Node version: 0.10.26
OS: Darwin 13.2.0 x64

@hypery2k

you can try setting this in .bowerrc:

{
  "directory": "bower_components",
  "registry": "http://bower.herokuapp.com",
  "strict-ssl": false
}

@chriskolenko

@hypery2k That worked for me cheers.

I already had http.sslverify=false in my git global config. If that helps anyone else with proxy issues.

@gran33
gran33 commented Dec 1, 2014

Worked for me as well, 10x @hypery2k

@mattkingston

+1 @hypery2k. Thanks

@ktal90
ktal90 commented Mar 10, 2015

This is still an issue for me. I need to use custom CA certs to be able to verify SSL for bower. I have gotten it to work with npm and other repository managers that allow CA definition. It appears that bower is not taking the config file nor command line options for defining the CA to be used and ends up rejecting on CERT_UNTRUSTED.

Note: SSL is important to me and I'd like to avoid simply rejecting it, as recommended above.

@joshstrange

I am not aware of my company MitM-ing our connections but we have to use the .bowerrc file listed above to get it to work on some of our machines. Most of the dev boxes don't seem to have this issue but our servers do. I'm still a little confused as to why github seems to be having this issue. I've read through the above comments but I can't imagine why github, of all places, would have HTTPS issues with bower....

@Splaktar

My company just put a MitM proxy on us as well and we're hitting this now. The .bowerrc file mentioned above does seem to work around it though. Thank you.

@ktal90
ktal90 commented Mar 23, 2015

By "fix", you mean "workaround", right? The workarounds above suppress SSL checking. The true fix would be for the bower config file's ca and command line's --config.ca to actually recognize the CA that I would like to point to. bower's documentation claims that it does this, but it does not.

@Splaktar

Yes, I've updated my comment. We've 'fixed' the problem now by getting IT to take this network off of their proxy list. So we are no longer going through the MitM proxy and have removed the disabling of SSL checking.

@francois-montmasson-efg

Even adding ca in .bowerrc does not solve the issue.
The configuration seems to be simply ignored... or is not enough to make bower trust this certificate.

Please reopen. strict-ssl false is the wrong way to fix this. It's insecure.

@sheerun
Contributor
sheerun commented Apr 15, 2015

PR with fix is welcome

@tloebermannvw

I need a fix too. It's not possible to add a certificate to bower!

@adriaanthomas
Contributor

Given that Bower uses request, looking at the documentation, it seems that the ca option should contain the contents of the certificate file, not a path to it. If I modify my .bowerrc to contain the full certificate contents (with newlines, BEGIN and END CERTIFICATE and all), registry lookups now work.

As for pulling in tar balls, there are still issues, in our case because GitHubResolver does not pass the ca option. Adding the ca option there makes Bower work for us behind the proxy with its custom root CA and strict-ssl enabled.

I would be happy to issue a pull request, but how should this work? I assume the ca option in .bowerrc should be a path to a file? How do people use this currently?

@john-jay

I got bower to work by using this command:

git config http.sslVerify "false"

@adriaanthomas
Contributor

As mentioned above that's only a workaround.

For anyone else working from behind a proxy with its own root CA, these are our settings (setting strict-ssl to true just to make clear what works, this should be the default everywhere):

Certificate file

Export your company's root CA certificate to some location on your local file system, CA_FILE. You can also append it to some existing CA bundle file, CA_BUNDLE.

We use the HTTPS_PROXY environment variable for the proxy config, including user credentials.

npm

Strictly not linked to bower, but as you will probably use this too:

npm config set --global cafile "$CA_FILE"
npm config set --global strict-ssl true

Not everything works 100% but there are no blocking issues here.

bower

In ~/.bowerrc we have:

{
  "strict-ssl": false
}

After something like #1869 we can make this (truncated certificate contents):

{
  "strict-ssl": true,
  "ca": "-----BEGIN CERTIFICATE-----\nkjhDKUFKJS...jfdhH==\n-----END CERTIFICATE-----\n"
}

And then after bower/config#28 we can make it (using the actual value of $CA_FILE or $CA_BUNDLE):

{
  "strict-ssl": true,
  "ca": "$CA_FILE"
}

git

git config --global http.sslverify true
git config --global url."https://".insteadOf git://
git config --global http.sslCAInfo "$CA_BUNDLE"
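
Added example, not part of the thread or of Bower's own code: a Node.js sketch that flags the verification-disabling settings posted in this thread and rewrites a .bowerrc to the inline "ca" form shown in the comment above, with the certificate contents rather than a path. The function names are hypothetical, the sample .bowerrc and certificate are constructed placeholders, and upgrading the registry URL assumes the registry also serves HTTPS.

```javascript
'use strict';
// Added example: names are hypothetical; sample inputs are constructed.
const PEM_BLOCK =
  /-----BEGIN CERTIFICATE-----[A-Za-z0-9+\/=\r\n]+?-----END CERTIFICATE-----/g;

// Pull every PEM certificate block out of a CA file's text (LF-normalised).
function extractCertificates(pemText) {
  return (pemText.match(PEM_BLOCK) || [])
    .map((block) => block.replace(/\r\n/g, '\n') + '\n');
}

// List the settings from this thread that switch off or sidestep verification.
function auditBowerrc(config) {
  const findings = [];
  if (config['strict-ssl'] === false) findings.push('strict-ssl is false');
  for (const key of ['registry', 'endpoint']) {
    if (typeof config[key] === 'string' && /^http:\/\//i.test(config[key])) {
      findings.push(key + ' uses plain http');
    }
  }
  return findings;
}

// Return the findings plus a config that verifies TLS against the given CA.
function hardenBowerrc(bowerrcText, pemText) {
  const certs = extractCertificates(pemText);
  // A file path passed instead of file contents ends up here: fail loudly.
  if (certs.length === 0) throw new Error('no PEM certificate in CA text');
  const config = JSON.parse(bowerrcText);
  const findings = auditBowerrc(config);
  config['strict-ssl'] = true;
  config.ca = certs.join(''); // certificate contents, not a path
  for (const key of ['registry', 'endpoint']) {
    // Assumption: the registry also answers on https.
    if (typeof config[key] === 'string') {
      config[key] = config[key].replace(/^http:\/\//i, 'https://');
    }
  }
  return { findings, json: JSON.stringify(config, null, 2) };
}

// Constructed inputs: the workaround .bowerrc and a placeholder (not real) cert.
const SAMPLE_BOWERRC = '{"directory": "bower_components", ' +
  '"registry": "http://bower.herokuapp.com", "strict-ssl": false}';
const SAMPLE_PEM = '-----BEGIN CERTIFICATE-----\r\nQ09OU1RSVUNURUQ=\r\n' +
  '-----END CERTIFICATE-----\r\n';
console.log(hardenBowerrc(SAMPLE_BOWERRC, SAMPLE_PEM).json);
```
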
@sywesk
sywesk commented Feb 29, 2016

Please add the "strict-ssl" configuration entry to the .bowerrc documentation ( http://bower.io/docs/config/ ). It solved my problem.

Thanks !

@jenny8993

Thanks !
