kdzwinel/betwixt

Use system certificates

jekor opened this issue · 4 comments

jekor commented

Related to #3, but on the other end of the connection I receive the following error:

PROXY_TO_SERVER_REQUEST_ERROR: Error: unable to verify the first certificate

The server is using a certificate signed by an internal CA. This seems to be caused by Betwixt (node-http-mitm-proxy?) not using the system certificates (on OS X).

A workaround could be a way to pass trusted certificates to the app. I can't make sense of which environment variables (if any) the code in question will consult.

👋 It's a bit over my head ATM, I'd have to do some research. But please feel free to take a stab at it.

jekor commented

The good news is that Node seems to have addressed this with nodejs/node@3aa17e4, although it is a compile-time option and there's no indication if it will work on all operating systems. The discussion happened on nodejs/node#4175. The Node CLI documentation shows another (runtime?) option that appears to be related based on the version it was released in: https://nodejs.org/api/cli.html#cli_use_openssl_ca_use_bundled_ca.

I don't know how to get Betwixt working with the latest electron (I encountered runtime errors and didn't go any further) nor how to pass one of those parameters.

@jekor Gotcha, thanks for doing research, it's very useful. Not sure when I'll get time to look at this, but maybe someone will take a stab at it in the meantime 🤞

NodeJS hasn't had a constant list of certificates for a long time. It allows overrides both at the command line and programmatically. node --help and the manpage would help you.

--use-bundled-ca, --use-openssl-ca are command line switches

NODE_EXTRA_CA_CERTS file

         When set, the well-known “root” CAs (like VeriSign) will be extended with the
         extra certificates in file.  The file should consist of one or more trusted
         certificates in PEM format.

         If file is missing or misformatted, a message will be emitted once using
         process.emitWarning(), but any errors are otherwise ignored.

         This environment variable is ignored when `node` runs as setuid root or has
         Linux file capabilities set.

SSL_CERT_DIR dir

         If --use-openssl-ca is enabled, this overrides and sets OpenSSL's directory
         containing trusted certificates.

SSL_CERT_FILE file

         If --use-openssl-ca is enabled, this overrides and sets OpenSSL's file
         containing trusted certificates.