bitfocus / companion

Bitfocus Companion enables the reasonably priced Elgato Stream Deck and other controllers to be a professional shotbox surface for an increasing amount of different presentation switchers, video playback software and broadcast equipment.
http://bitfocus.io/companion

Allow adding private root certificate(s) to companion #2924

Open phillipivan opened 3 months ago

phillipivan commented 3 months ago

Is this a feature relevant to companion itself, and not a module?

Is there an existing issue for this?

Describe the feature

Many organisations have an internal certificate authority for generating SSL certs for use in house. To date, companion and its modules can only validate SSL certs signed by a public CA, since they cannot access any root certificates installed on the host and validate the chain of trust.

Whilst this could be addressed at a module level, doing so upstream in companion should hopefully be a more efficient 'one and done' process.

Usecases

Allow use of modules/protocols that use SSL (HTTPS etc) where the end point has a certificate signed by an internal CA.

See further discussion here and here.

Using secure protocols in networks that have no or limited internet access, etc.

Julusian commented 3 months ago

This should be possible by setting the NODE_EXTRA_CA_CERTS environment variable (https://nodejs.org/api/cli.html#node_extra_ca_certsfile) for the module processes.

phillipivan commented 3 months ago

Thanks Julian.

I know we discussed the possibility of this being done either at the application or module level. To me it makes more sense to be a 'one and done' job at the application level, since for a given site every impacted module would likely need the same certificates loaded.

Perhaps it could even be set from the Launcher window, quite apart from the companion config?

dnmeid commented 3 months ago

I hit the same limitation when I wrote the AWJ module and I can remember we had a brief discussion about the options. I did evaluate how to use the OS specific certificate stores from Electron. It is doable that way but by the time I had different priorities. I still think using the certificate store from the OS is the best way of accessing client certificates.

phillipivan commented 3 months ago

Agreed, using the host's certificate store is preferred if possible. Then it would be fairly transparent to the end user.

Julusian commented 3 months ago

> I did evaluate how to use the OS specific certificate stores from Electron.

I guess a problem here now is that we aren't exactly electron anymore, so using anything electron will be hard. And last I checked (at work a month or two ago), electron doesn't use the main certificate store (on linux at least), and uses a chromium specific store.

I didn't write this on slack, but I did look into whether nodejs can use the system store, but apparently it can't. Or it could on macos and linux, but not on windows when started with a certain flag. So maybe that could be a half solution, but wouldn't solve everything.

So I think there are two options here:


Another thought; perhaps the full effort solution would be best achieved in the launcher layer, as that is electron so might be able to do things with the system stores better. With the main process of companion just relaying the variable.
For headless linux (eg companion-pi), the variable could probably be populated by the systemd unit, or launch script.

phillipivan commented 3 months ago

@Julusian do I recall reading that there is a plan to rewrite the launcher eventually?

Would you be willing to consider a two stage approach, where the low effort solution is implemented, and then long term the viability of a high effort solution is investigated with this planned rewrite?

Given this has a considerable impact on what modules we can use (DDM, but also at least three others on my todo list), even a less user friendly low effort solution would make a world of difference.

haakonnessjoen commented 2 months ago

Is this something we can use for helping windows users maybe? https://www.npmjs.com/package/node-windows-root-certs