NODE_EXTRA_CA_CERTS cannot be set in code or relative #20432
Comments
|
Pull request welcome.
Not reliable because the extra certificates are loaded only once.
Relative paths should work. |
It would be nice if they were loaded only once but lazily, not before any code is executed in node. This way packages like dotenv would work because the recommendation is to run them at the very beginning. Possibly it could also speedup startup of node a bit. |
|
Also in #20434 you say that it is loaded lazily but it doesn't seem so unless node makes http requests I don't know about before first line of code is executed. Probably it is instantiated when some not yet started http server is instantiated, but I think it would be better to load certificates when it's actually needed (server starts, http request, tls function is executed). Ideally you'd expose a function for reloading these.. Also my use case: setting up development environment with https self-signed certificate so Facebook integrations are working properly locally. |
|
Or maybe a function |
|
You should chime in on #20434 but keep in mind that |
That might be acceptable. Can you file a new issue? |
`NODE_EXTRA_CA_CERTS` is not intended to be used to set the paths of extra certificates and this approach to setting is not reliable. This commit makes node load extra certificates at startup instead of first use. Fixes: nodejs#20434 Refs: nodejs#20432
This commit makes node load extra certificates at startup instead of first use. PR-URL: nodejs#23354 Fixes: nodejs#20434 Refs: nodejs#20432 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
This seems to be possible. However I have not found any documentation of this. One other mention of this method: #4464 (comment) Example: const tls = require('tls');
const secureContext = tls.createSecureContext();
// https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
secureContext.context.addCACert(`-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----`);
const sock = tls.connect(443, 'host', {secureContext}); |
|
Sorry, @cinderblock I don't understand your comment, or how it relates to |
|
@sam-github You are correct that the titular question asks specifically about the I however suspect the main thing in question is to set extra ca certificates in code/during runtime that don't override the built-in CA certificates. The method I've suggested does exactly what I believe the OP wanted without the method that the OP assumed was the correct way of solving their problem. |
|
Reiterating my use case is:
A programmatic way of doing so is better than setting ENV variable, so it would be OK for my use case. I'd rather use official, documented way of doing so though, so @cinderblock has a point that it should be documented. |
|
@sheerun Yeah, I'm rather surprised that this API is not documented. On the node.js tls documentation page, it simply says:
But what is a "credentials object"? I have not found any documentation on it. It looks to be a real API for a number of reasons:
|
sam-github
added
the
feature request
|
A number of independent issues are discussed here:
|
The reference is confusing because the object is actually of class SecureContext. There is no object with class "credentials". See: nodejs#20432 (comment)
The reference is confusing because the object is actually of class SecureContext. There is no object with class "credentials". See: #20432 (comment) PR-URL: #26908 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The reference is confusing because the object is actually of class SecureContext. There is no object with class "credentials". See: #20432 (comment) PR-URL: #26908 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The reference is confusing because the object is actually of class SecureContext. There is no object with class "credentials". See: #20432 (comment) PR-URL: #26908 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The reference is confusing because the object is actually of class SecureContext. There is no object with class "credentials". See: #20432 (comment) PR-URL: #26908 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The reference is confusing because the object is actually of class SecureContext. There is no object with class "credentials". See: #20432 (comment) PR-URL: #26908 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Modifies the tls.rootCertificates property so that it is settable. PEM-formatted certificates set to the property are loaded into a new Node.js root certificate store that is used for all subsequent TLS requests and peer certificate validation. Allows full programmatic control of a Node.js process' root certificate store. Fixes: nodejs#20432 Refs: nodejs#27079
Modifies the tls.rootCertificates property so that it is settable. PEM-formatted certificates set to the property are loaded into a new Node.js root certificate store that is used for all subsequent TLS requests and peer certificate validation. Allows full programmatic control of a Node.js process' root certificate store. Fixes: nodejs#20432 Refs: nodejs#27079 Changed root_cert_store to a smart pointer Added support for empty root certificates Added comment
|
This is a real bummer. Just implemented |
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues nodejs#20432, nodejs#20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: nodejs#32010 Refs: nodejs#40524 Refs: nodejs#23354
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues nodejs#20432, nodejs#20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: nodejs#32010 Refs: nodejs#40524 Refs: nodejs#23354
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues nodejs#20432, nodejs#20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: nodejs#32010 Refs: nodejs#40524 Refs: nodejs#23354
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called, rather than losing them when unrelated options are provided. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues #20432, #20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: #32010 Refs: #40524 Refs: #23354 PR-URL: #44529 Reviewed-By: Tim Perry <pimterry@gmail.com>
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called, rather than losing them when unrelated options are provided. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues #20432, #20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: #32010 Refs: #40524 Refs: #23354 PR-URL: #44529 Reviewed-By: Tim Perry <pimterry@gmail.com>
v9.11.1
Darwin sheerun.dev 17.4.0 Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64 x86_64 i386 MacBookPro12,1 Darwin
When I start my server with
and in code make request to http server that serves with given certificate, all is good
But when I set it at the beginning of
bin/startas so:then node complains that there's "self signed certificate in certificate chain".
Particularly NODE_EXTRA_CA_CERTS doesn't work when I use
dotenvpackage and set NODE_EXTRA_CA_CERTS in.envfile.Also, it seems NODE_EXTRA_CA_CERTS doesn't allow relative path, just absolute.
I think both of these issues should be addressed or at least documented with reasons why.
The text was updated successfully, but these errors were encountered: