
nodejs18 and openssl 3.0.8 #4159

Closed
coltonfreeman26 opened this issue May 11, 2023 · 10 comments

Comments

coltonfreeman26 commented May 11, 2023

Details

We are trying to build Node 18 off of your Docker image. We are using a custom alpine:3.17 base image that installs OpenSSL 3.0.8 and enables FIPS. We are running into an issue with the variable NODE_EXTRA_CA_CERTS that returns the error

node[1]: ../src/node.cc:1040:std::unique_ptr<node::InitializationResult> node::InitializeOncePerProcess(const std::vector<std::__cxx11::basic_string<char> >&, node::ProcessFlags::Flags): Assertion `crypto::CSPRNG(nullptr, 0).is_ok()' failed.

I am having trouble finding any relevant information on the error or that variable. My main question is "is node18 compatible with OpenSSL 3.0.8?" I see here that it is compatible and FIPS capable with OpenSSL 3.0.0.

One other question, if you know, would be where that variable would store the cert in the container? NODE_EXTRA_CA_CERTS

Node.js version

18.16.0

Example code

I can paste the dockerfiles if you would like.

docker run -e NODE_EXTRA_CA_CERTS=cert.pem nodejs18-slim:test1
Warning: Ignoring extra certs from `cert.pem`, load failed: error:80000002:system library::No such file or directory
node[1]: ../src/node.cc:1040:std::unique_ptr<node::InitializationResult> node::InitializeOncePerProcess(const std::vector<std::__cxx11::basic_string<char> >&, node::ProcessFlags::Flags): Assertion `crypto::CSPRNG(nullptr, 0).is_ok()' failed.

Operating system

Locally it is an Intel Mac (x86_64).

Scope

Runtime error that I think might be caused by our base image. Not a developer, so I am unfamiliar with Node. I have googled this extensively but am lost at this point. Our image works fine thus far except for when trying to pass in new certs.

Module and version

Not applicable.

preveen-stack (Contributor) commented May 13, 2023

https://github.com/nodejs/node/blob/c5f46293abe434b536f8caf24031692cba47e4f4/src/node.cc#L1039-L1040

// Ensure CSPRNG is properly seeded.
CHECK(crypto::CSPRNG(nullptr, 0).is_ok());

Looks like CSPRNG init fails.

Can you try

docker run -e NODE_EXTRA_CA_CERTS=cert.pem -it --memory 2g --cpus 2 nodejs18-slim:test1

tniessen (Member) commented Jun 5, 2023

@coltonfreeman26 How do you enable FIPS? If you load the FIPS provider through a custom OpenSSL configuration file (or if you use a system OpenSSL configuration file that enables FIPS) you may need to explicitly enable a random-number generator implementation. CSPRNG() may fail if no random-number generator implementation has been enabled.
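As an added illustration of the point above (not part of this thread, and not a Node.js or Alpine file), this is the shape of an OpenSSL 3 configuration that activates the FIPS module the way fips_module(7) describes. The file paths are assumptions; the security-relevant detail is that naming any provider section switches off the implicit loading of the default provider, so every provider the process needs, including one that carries a DRBG, has to be listed and activated.

```ini
# Added example, not a file from this thread. Paths are assumptions.
# Report configuration errors loudly instead of silently continuing.
config_diagnostics = 1
openssl_conf = openssl_init

# fipsmodule.cnf is generated by `openssl fipsinstall` and contains the
# [fips_sect] section (with its own `activate = 1`) and the module MAC.
.include /etc/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
# Once this section exists, the default provider is no longer loaded
# automatically. If the FIPS module then fails its integrity check or
# is not activated, no provider is left to supply RAND, and a process
# such as Node's CSPRNG() self-check fails at startup.
fips = fips_sect
base = base_sect

[base_sect]
# The base provider contains no cryptographic algorithms, so it does not
# weaken the FIPS boundary, but it supplies the encoders/decoders and the
# SEED-SRC seed source that the FIPS-only setup otherwise lacks.
activate = 1

[algorithm_sect]
# Refuse non-FIPS implementations for every algorithm fetch.
default_properties = fips=yes
```

With this file in place, `openssl list -providers` should show both `base` and `fips` as active, and `openssl rand -hex 16` should succeed under the same OPENSSL_CONF; if either fails, Node's startup assertion above will fail for the same reason.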

richardlau (Member) commented

As NODE_EXTRA_CA_CERTS is involved, this might be related to nodejs/node#48143. nodejs/node#48159 hasn't gone out in a release yet -- it needs to be released in Node.js 20 first before we consider it for Node.js 18.

coltonfreeman26 (Author) commented

@tniessen We are using the system OpenSSL with Alpine. FIPS is being inherited. I messed around with this a little bit and I seem to have success with this when I install Node via apk. I am guessing this has something to do with how we are enabling FIPS on the host. I am not familiar with CSPRNG but will need to dive into that more. I will also take a look into enabling a random number generator.

@preveen-stack I most certainly can. I will let you know if there is any luck there.

@richardlau Thank you for those links. I will read through those and update if this looks like our issue.

Thank you all for the feedback.

ckcr4lyf commented Jun 7, 2023

if you know would be where that variable would store the cert in the container? NODE_EXTRA_CA_CERTS

@coltonfreeman26 it should be the path to the certs in the container. If cert.pem is a local file on the host system, you would need to copy it into the Dockerfile, and then provide the path relative to the container.

Host dir structure:

$ ls
Dockerfile
my_extra_cert.pem

Dockerfile needs to copy the cert into the container:

FROM node:18

# Relative to the container, the cert will be in /my_extra_cert.pem!
COPY my_extra_cert.pem /my_extra_cert.pem

# Other dockerfile stuff...

Then run as:

docker run -e NODE_EXTRA_CA_CERTS=/my_extra_cert.pem nodejs18-slim:test1

NOTE THE VAR IS /my_extra_cert.pem! (Absolute path)

ckcr4lyf commented Jun 7, 2023

Btw, if you copy the cert into the container via the dockerfile, you can also specify the env variable in the dockerfile itself, e.g.:

FROM node:18

# Relative to the container, the cert will be in /my_extra_cert.pem!
COPY my_extra_cert.pem /my_extra_cert.pem

# Other dockerfile stuff

# Set the extra ca certs var
ENV NODE_EXTRA_CA_CERTS=/my_extra_cert.pem

coltonfreeman26 (Author) commented

Hmm, I thought the point of NODE_EXTRA_CA_CERTS was so someone could add a cert at runtime. We are not wanting to copy in any specific cert at this time. We need this functionality so downstream users can add self-signed certs. Mounting seems to work for this, but I am trying to figure out why we are unable to get this to work.

ckcr4lyf commented Jun 7, 2023

Mounting seems to work

Right, if you mount your local directory into the container, that could also work, as long as node in the container has a path relative to it which it can read (e.g. mount host into docker container).

github-actions bot commented May 3, 2024

There has been no activity on this issue for 11 months. The help repository works best when sustained engagement moves conversation forward. The issue will be closed in 1 month. If you are still experiencing this issue on the latest supported versions of Node.js, please leave a comment.

github-actions bot added the stale label May 3, 2024
github-actions bot commented Jun 3, 2024

It seems there has been no activity on this issue for a while, and it is being closed. If you believe this issue should remain open, please leave a comment.
If you need further assistance or have questions, you can also search for similar issues on Stack Overflow.
Make sure to look at the README file for the most updated links.

github-actions bot closed this as not planned Jun 3, 2024