Node versions before 10 do not support new WorkOS Root CA #652

Closed
jdforsythe opened this issue Aug 15, 2022 · 3 comments

@jdforsythe

Legacy Node versions, which many apps still run on, bundle a set of root CAs and do not support the new root from Let's Encrypt for WorkOS's https://api.workos.com, which makes the service incompatible with legacy software as of August 10, 2022.

The error message returned from Axios is `certificate has expired`.

The fix requires allowing the consumer to pass an https.Agent instance into the WorkOS constructor which includes the valid root CA.

At the current time, the WorkOS SSL certificate indicates the chain is ISRG Root X2 > E1 > *.workos.com. The root CA file can be obtained from Let's Encrypt directly. This is the "Self-Signed" pem file (cross-signed does not work in our testing) and is named `isrg-root-x2.pem`.

A simple test to see if your Node version supports the new certificate:

```javascript
const axios = require('axios');

axios.get('https://api.workos.com')
  .then(function (response) {
    console.log(response.data);
  })
  .catch(function (error) {
    console.log(error.message);
  });
```

If this logs out `certificate has expired` then your Node version does not support the new SSL certificate.

@jdforsythe

jdforsythe commented Aug 15, 2022

Edit: WorkOS implemented this differently than my PR, see #657 and it is available from v2.12.0

Due to the different implementation, here's what the example code would look like. The info on the certificate from the original post is still valid.

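```javascript
const fs = require('fs');
const path = require('path');
const { Agent } = require('https');

const { WorkOS } = require('@workos-inc/node');

// Note: `ca` replaces Node's bundled root CAs for this agent, so only chains
// that end at this root will validate.
const agent = new Agent({
  ca: fs.readFileSync(path.join(__dirname, './isrg-root-x2.pem')),
});

// config.sso.apiKey is the application's own setting holding the WorkOS API key.
const workos = new WorkOS(config.sso.apiKey, { axios: { httpsAgent: agent } });
```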

Original post below:

--

I have a PR open #653 to allow passing in an https.Adapter that gets passed to the underlying Axios instance.

Until that is merged, if it ever is, you can use my fork and follow the steps below to get WorkOS working with Node versions before 10:

Download the new root CA from Let's Encrypt - be sure to download the "ISRG Root X2" (self-signed pem file) - current as of 2022-08-15

Install the patched version of @workos-inc/node:

package.json

```json
{
  "dependencies": {
    "@workos-inc/node": "jdforsythe/workos-node#https-agent"
  }
}
```

Load the root CA from disk and pass it to a new https.Agent constructor, then pass the https agent into the WorkOS constructor:

```javascript
const fs = require('fs');
const path = require('path');
const { Agent } = require('https');

const { WorkOS } = require('@workos-inc/node');

const agent = new Agent({
  ca: fs.readFileSync(path.join(__dirname, './isrg-root-x2.pem')),
});

const workos = new WorkOS(config.sso.apiKey, { httpsAgent: agent });
```

The Axios instance underlying the HTTP calls made by WorkOS will now recognize the new root CA and will not fail with the `certificate has expired` error any longer.

@maxdeviant

Thanks for the detailed write-up and PR, @jdforsythe!

As of v2.12.0 the WorkOS constructor now accepts an axios option that can be used to configure the underlying Axios instance.

@jdforsythe

For anyone returning to this, WorkOS switched cert vendors to Cloudflare, which works natively on old versions of Node, and the workaround of customizing Axios is not only no longer required, but will have broken in the last couple of days. Revert this workaround and use the WorkOS constructor without the customized CA and it will start working again.
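
The workaround in this thread stopped working after the vendor change because the `ca` option of `https.Agent` replaces Node's bundled roots instead of adding to them. As an added example (not code from this thread or from WorkOS), here is a retry wrapper that tries the bundled roots first and builds the extra-root agent only after a chain-validation error. `withTrustFallback`, `isChainError`, `send` and the `usedExtraRoot` flag are hypothetical names introduced for illustration.

```javascript
'use strict';
const https = require('https');

// TLS verification error codes meaning "the presented chain did not validate
// against the trust store in use". The error in this thread, "certificate has
// expired", is reported by Node with code CERT_HAS_EXPIRED.
const CHAIN_ERRORS = [
  'CERT_HAS_EXPIRED',
  'UNABLE_TO_GET_ISSUER_CERT',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'SELF_SIGNED_CERT_IN_CHAIN',
];

function isChainError(err) {
  return Boolean(err) && CHAIN_ERRORS.indexOf(err.code) !== -1;
}

// send(agent) is a caller-supplied (hypothetical) function that performs one
// HTTPS request and returns a Promise; agent === undefined means "use the
// runtime's bundled roots".
function withTrustFallback(send, extraRootPem) {
  return send(undefined).then(
    function (result) {
      return { result: result, usedExtraRoot: false };
    },
    function (err) {
      // Timeouts, DNS failures and HTTP errors are not trust problems.
      if (!isChainError(err)) throw err;
      // `ca` replaces the bundled roots for this agent, so it is built only
      // for the retry. Verification itself stays enabled on both attempts.
      const agent = new https.Agent({ ca: extraRootPem });
      return send(agent).then(function (result) {
        return { result: result, usedExtraRoot: true };
      });
    }
  );
}
```

Logging `usedExtraRoot` shows when the bundled roots start validating the service again, which is the point at which the extra root file can be retired.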
