New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Node versions before 10 do not support new WorkOS Root CA #652
Comments
Edit: WorkOS implemented this differently than my PR, see #657 and it is available from v2.12.0 Due to the different implementation, here's what the example code would look like. The info on the certificate from the original post is still valid. const fs = require('fs');
const path = require('path');
const { Agent } = require('https');
const { WorkOS } = require('@workos-inc/node');
const agent = new Agent({
ca: fs.readFileSync(path.join(__dirname, './isrg-root-x2.pem')),
});
const workos = new WorkOS(config.sso.apiKey, { axios: { httpsAgent: agent } }); Original post below: -- I have a PR open #653 to allow passing in an Until that is merged, if it ever is, you can use my fork and follow the steps below to get WorkOS working with Node versions before 10: Download the new root CA from Let's Encrypt - be sure to download the "ISRG Root X2" (self-signed pem file) - current as of 2022-08-15 Install the patched version of package.json {
"dependencies": {
"@workos-inc/node": "jdforsythe/workos-node#https-agent"
}
} Load the root CA from disk and pass it to a new const fs = require('fs');
const path = require('path');
const { Agent } = require('https');
const { WorkOS } = require('@workos-inc/node');
const agent = new Agent({
ca: fs.readFileSync(path.join(__dirname, './isrg-root-x2.pem')),
});
const workos = new WorkOS(config.sso.apiKey, { httpsAgent: agent }); The Axios instance underlying the HTTP calls made by WorkOS will now recognize the new root CA and will not fail with the |
Thanks for the detailed write-up and PR, @jdforsythe! As of v2.12.0 the |
For anyone returning to this, WorkOS switched cert vendors to Cloudflare, which works natively on old versions of Node, and the workaround of customizing Axios is not only no longer required, but will have broken in the last couple of days. Revert this workaround and use the |
Legacy Node versions, which many apps still run on, bundle a set of root CAs and do not support the new root from Let's Encrypt for WorkOS's https://api.workos.com, which makes the service incompatible with legacy software as of August 10, 2022.
The error message returned from Axios is
certificate has expired
.The fix requires allowing the consumer to pass an
https.Agent
instance into the WorkOS constructor which includes the valid root CA.At the current time, the WorkOS SSL certificate indicates the chain is
ISRG Root X2 > E1 > *.workos.com
. The root CA file can be obtained from from Let's Encrypt directly. This is the "Self-Signed" pem file (cross-signed does not work in our testing) and is namedisrg-root-x2.pem
.A simple test to see if your Node version supports the new certificate:
If this logs out
certificate has expired
then your Node version does not support the new SSL certificate.The text was updated successfully, but these errors were encountered: