TLS/https provide alternate CA for server validation

[andrew-mcgregor]

Hi,
Hoping someone can point me in the right direction please.

I've been using node-fetch for https requests but have recently had issues with request timeout detection/handling and so have been looking at undici as an alternative. I've done most the work with it but I need to have server certificate validation, i'm getting self signed cert in chain error, which is expected without my own CA. In node-fetch i did something like this provide my ca certificate:

const agent = new https.Agent({
  ca: env.caauthcert
});
fetch(myUrl, { agent });

I can't figure out how to do similar it in undici can anyone help. I've searched the docs and questions but there's nothing that looks obvious...or simple? I'm using await request(url, options); as the mechanism but providing ca: or an agent in options doesn't work. Hopefully, i'm missing something simple?

[mcollina]

I think you could achieve this by passing a connect option to a custom undici.Agent, which is any option that can be passed through https://nodejs.org/api/tls.html#tls_tls_connect_options_callback.

This is the relevant place where this is documented: https://undici.nodejs.org/#/docs/api/Client?id=parameter-connectoptions.
I understand this is not much. Maybe you would like to document this in our doc under the "best practices" label?

[andrew-mcgregor]

Thanks, took me today to get my head around the docs and examples. With some trial and error, I've managed to get something that works. I've built a wrapper around it for loose coupling purposes.

const { Client } = require('undici');

async function requestWrapper(url, options) {
  const tls = {
    ca: process.env.CA_CERT,  // could also be file read
  };
  const client = new Client(url, {
    connect: tls,
  });

  const {
    statusCode,
    body,
  } = await client.request(options);

  const response = await body.text();

  if (statusCode !== 200) {
    throw new Error(response);
  }

  return response;
}

module.exports = requestWrapper;

It's be nice if the most basic request example could be configured to work the same i.e. not having to use a Client. Have i missed something or is that just not possible?

[mcollina]

You actually configure the Agent to do so.

Something like:

import { Agent, request } from 'undici'

const tls = {
  ca: process.env.CA_CERT,  // could also be file read
};

const dispatcher = new Agent({
  connect: tls
});

const {
  statusCode,
  body,
} = await request(url, { dispatcher });

const response = await body.text();

if (statusCode !== 200) {
  throw new Error(response);
}

console.log(response)

[andrew-mcgregor]

Ah, thanks, I thought something like that was possible but couldn’t quite get my head around how to structure it. I’ll try and put a doc together with both versions as example. Thanks again.

[OZZlE]

For Windows 11 users this works:

npm i undici win-ca

// then

import { Agent, request } from 'undici';

const ca = (await import('win-ca')).default;
const rootCAs = []
// Fetch all certificates in PEM format
ca({
    format: ca.der2.pem,
    ondata: buf => rootCAs.push(buf.toString())
})

async function uWinCaFetch(url) {
    const dispatcher = new Agent({
        connect: {
            ca: rootCAs, // Pass all root certificates
        }
    });
    return request(url, { dispatcher });
}

// now you can use uWinCaFetch(...) like regular undici fetch and it uses win11 ssl certificates