
provide a way to pass ca certs instead of using self signed certs for https requests #1121

Closed
sidtagirisa opened this issue Aug 17, 2021 · 10 comments


@sidtagirisa

Right now we are trying to intercept traffic of an environment that is rejecting it because of a self-signed certificate, and disabling that check is not an option on that server, so please let me know if there is a way I can provide certs to be used instead of the self-signed certificates being created in your code.

@sidtagirisa
Author

After some looking through, I found an alternative for this as well.

An option to provide ignoreHostHttpsErrors here in your code would be awesome.

Please let me know if this is feasible.

@LouManglass
Contributor

Hi @sidtagirisa,

Would you be able to provide some of the errors for our reference? I want to make sure we are solving the right problem. A set of known errors will help us assure it gets fixed, fully, in the correct place.

If that's not feasible, I understand. We'll look into this request, as it makes sense to provide as an option. We can also chat further to find other interim workarounds or solutions that will fit your application, if that's helpful.

@sidtagirisa
Author

Hi @LouManglass, I found a way to pass the certificate and it is working.

Since you are using mockttp and it honors the NODE_EXTRA_CA_CERTS environment variable, if we set NODE_EXTRA_CA_CERTS='path to pem file' it no longer throws the self-signed cert error.

@sidtagirisa
Author

I would love to provide any additional details if you still require me to, please let me know.

@LouManglass
Contributor

@sidtagirisa Oh, this is great, thanks for the follow-up! To clarify: you set the NODE_EXTRA_CA_CERTS environment variable to the path to the PEM file for the server certificate, correct? That way, mockttp trusts your application, and the rest of the chain works for you?

If that's true, I think I have enough to get this added to our documentation this week, though I'd appreciate the opportunity to see your work in action. If you have some time, here's my calendly, and I can also be flexible around those hours with some notice. Otherwise, I'll dig into the documentation and reach out with any further questions as they come up.

@sidtagirisa
Author

@LouManglass Yes, that’s correct.

Sure, I can show it to you in action; I will set up a call, probably sometime next week.

In the meantime, if you have any more questions please don't hesitate to reach out.

Also, the latest documentation is so much better than last year's; nice work on that ✌🏼. Thanks for this library, it helps a lot.

@LouManglass
Contributor

@sidtagirisa Thanks for the kind words, I'll pass them along to the team! We're always looking to make our documentation better, and we appreciate that you noticed.

And also thanks for your time, I'll keep an eye out for that appointment.

@rbuckland

rbuckland commented Aug 26, 2021

Hi @LouManglass, I am not sure if this helps or not.

I have a setup where the API being tested is a remote existing service.

When I run the test suite, which exercises the API, Optic is failing with the self-signed issue.
This may help in thinking about the use case of the proxy in the middle.
I am using config like:

name: "other_system"
tasks:
  start:
    targetUrl: https://other.system.api.ip.address
    inboundUrl: https://172.17.0.2:4000

Terminal output of running Optic:

root@b674ed473b98:/v# api start
[optic] Review the API Diff at http://localhost:34444/apis/1/diffs
[optic] Optic is observing requests made to https://172.17.0.2:4000
<< test kicked off here in other window
Failed to handle request: self signed certificate
Failed to handle request: self signed certificate
Failed to handle request: self signed certificate
Failed to handle request: self signed certificate
Failed to handle request: self signed certificate
....

@rbuckland

Debugging a little bit more.

Neither of these options works:

Option 1 - provide Optic (mockttp, HTTP API) with the CA cert of the server

echo quit | openssl s_client -showcerts -servername server -connect other.system.api.ip.address:443 > cacert.pem
NODE_TLS_REJECT_UNAUTHORIZED=0 NODE_EXTRA_CA_CERTS=cacert.pem api start
...
Failed to handle request: Hostname/IP does not match certificate's altnames: IP: other.system.api.ip.address is not in the 

The cert is wrong as well :-) No, it can't be changed.
So I need to trick Optic into ignoring all SSL errors.

Option 2 - tell mockttp to ignore the cert issue

/usr/local/share/.config/yarn/global/node_modules/@useoptic/cli-shared/build/httptoolkit-capturing-proxy.ts

as per @sidtagirisa's attempted workaround, by telling mockttp to ignore:

  ... new mockttp.webSocketHandlers.PassThroughWebSocketHandler({
          ignoreHostHttpsErrors: [ "other.system.api.ip.address" ],
          forwarding: {
              ...
          }
      })

This changed nothing, but I suspect I need to recompile the TypeScript (it's been a long time since TS :-D).

@LouManglass
Contributor

Hi @rbuckland ,

I'm sorry to hear about these issues. From the sound of it, I suspect it will benefit from some pairing time. I see a calendar appointment with you later today, would that be a good time for us to dig in together? Or were you expecting to go over something else?

notnmeyer pushed a commit that referenced this issue Aug 3, 2022
* type external correctly

* bump version again