angular / angular-cli

CLI tool for Angular
https://cli.angular.dev
MIT License

cli option to configure add certificate authority for SSR fetch requests #28833

Open burner-account opened 5 days ago

burner-account commented 5 days ago

Command

serve

Description

Hi there!

If your SSR HttpClient (withFetch()) currently requests data server side from an API that uses TLS signed by a custom CA you may receive a UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.

While the compiled SSR application runs fine with node dist/yada/server/server.mjs, using ng serve to start the application will produce the mentioned error. node probably works fine because it uses the system CAs(?). But ng serve seems to have its own idea about root CAs.

Describe the solution you'd like

If I am not ignorant to "the obvious and usual way to solve this", could this please be considered as something to be solved via CLI options? Or ng serve maybe could be taught to obey NODE_EXTRA_CA_CERTS?

Thank you!

Describe alternatives you've considered

dgp1130 commented 4 days ago

I would expect ng serve to follow Node's behavior with respect to root certificates. Does this work if you start your own Node process and make a manual fetch to this backend API? Are you providing this certificate via NODE_EXTRA_CA_CERTS?

I don't think Angular would want to diverge from system behavior here, so I'm inclined to avoid adding a new option and just match system behavior, but I'm not sure what we could be doing here which would be breaking it.

burner-account commented 4 days ago

> I would expect ng serve to follow Node's behavior with respect to root certificates. Does this work if you start your own Node process and make a manual fetch to this backend API? Are you providing this certificate via NODE_EXTRA_CA_CERTS?

If I run the compiled SSR app manually via node dist/projectname/server/server.mjs everything is perfectly fine. I have installed the custom CA certificate chain as a system-wide root certificate. I do not provide NODE_EXTRA_CA_CERTS. NodeJS seems to pick up system certs.

> I don't think Angular would want to diverge from system behavior here, so I'm inclined to avoid adding a new option and just match system behavior, but I'm not sure what we could be doing here which would be breaking it.

Matching system behaviour, meaning getting ng serve to pick up system certs, would be really cool!

burner-account commented 3 days ago

There is test code in /tests/legacy-cli/e2e/tests/vite/ssr-with-ssl.ts#L50 which seems to use

process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

to mitigate the described problem.

Setting process.env.NODE_TLS_REJECT_UNAUTHORIZED on top of server.ts seems not to work, but setting the env variable like NODE_TLS_REJECT_UNAUTHORIZED='0' ng serve ... does work.