cyclosproject / ng-openapi-gen

An OpenAPI 3.0 codegen for Angular
MIT License

using nodejs Self Signed Certificate runs indefinitely #167

Closed begrs closed 1 year ago

begrs commented 3 years ago

The best practice to add a dev self signed certificate and an https web api (Asp.net Core UseHttpRedirect) is to add the environment variable NODE_EXTRA_CA_CERTS pointing to the certificate file in the PEM format.

In the package.json scripts section we use (for Windows):

"gen-api": "set NODE_EXTRA_CA_CERTS=%INIT_CWD%\\api-dev.cer && set NODE_EXTRA_CA_CERTS && ng-openapi-gen --config ng-openapi-gen.json"

This finds the certificate (as it throws an error if it cannot find it) and starts the ng-openapi-gen, however the process will never terminate and keep consuming resources.

Log of 'npm run gen-api':


> foamkit-fe@0.0.0 gen-api C:\Users\...\Documents\...\proejctDir
> set NODE_EXTRA_CA_CERTS=%INIT_CWD%\api-dev.cer && set NODE_EXTRA_CA_CERTS && ng-openapi-gen --config ng-openapi-gen.json

NODE_EXTRA_CA_CERTS=C:\Users\...\Documents\...\proejctDir\api-dev.cer
(node:10716) DeprecationWarning: ArgumentParser(): following options are renamed: 'addHelp' -> 'add_help'
(Use `node --trace-deprecation ...` to show where the warning was created)
(node:10716) DeprecationWarning: The "version" argument to ArgumentParser is deprecated. Please use add_argument(..., { 
action: 'version', version: 'N', ... }) instead.
(node:10716) DeprecationWarning: _ActionsContainer.addArgument() is renamed to _ActionsContainer.add_argument()
(node:10716) DeprecationWarning: add_argument(): following options are renamed: 'defaultValue' -> 'default'
(node:10716) DeprecationWarning: use add_argument('-c', '--config', {...}) instead of add_argument([ '-c', '--config' ], { ... })
(node:10716) DeprecationWarning: ArgumentParser.parseArgs() is renamed to ArgumentParser.parse_args()

ng-openapi-gen.json:

{
    "$schema": "./node_modules/ng-openapi-gen/ng-openapi-gen-schema.json",
    "input": "https://localhost:44306/swagger/v1/swagger.json",
    "output": "src/app/gen/api",
    "ignoreUnusedModels": true,
    "defaultTag": "Api",
    "removeStaleFiles": true,
    "modelIndex": true,
    "serviceIndex": true,
    "apiModule": true,
    "skipJsonSuffix": true
}

luisfpg commented 3 years ago

Never used it, and would need a hand on digging into this.

begrs commented 3 years ago

Here is the documentation: https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file

The use case is as follows: While developing a webApi with a corresponding client, a self signed certificate is used to certify the api, e.g. for https://localhost:someport . This is automatically generated by multiple tools. The template for an Asp.net Core project, for example, has such a certificate out of the box and uses UseHttpsRedirect to redirect any client capable of https to the correct https address even if they initially target the http address. The self signed certificate is then added to the system-wide keystore, e.g. the Windows Certificate Manager. From then on the certificate acts exactly the same as a real one would, which is important for any signing and verification steps.

ng-openapi-gen uses the typical nodejs way of making http(s) requests to the swagger/openapi3 endpoint to generate the api. In some cases the host redirects the client call to https, in others https is the direct target from the get-go. This uses nodejs's built-in https verification of the certificate and makes the ng-openapi-gen command fail, as nodejs does not trust self signed certificates. (It is possible to allow self signed certificates all through nodejs, but this has severe security concerns and is highly discouraged by multiple sources including the nodejs documentation itself.) Nodejs does not use the system-specific certificate store, but rather the openSSL one built into it. The only way to add a certificate there, and also the solution referred to by the nodejs docs, is to add NODE_EXTRA_CA_CERTS as an environment variable (introduced in node v7.3.0 for exactly that purpose) containing the address to the certificate file in PEM format.

Kind regards
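
A preflight check for the setup described in the comment above, as an added example that is not part of the thread or of ng-openapi-gen: it reports whether the file named by NODE_EXTRA_CA_CERTS is readable and PEM-encoded, and whether certificate verification has been switched off through NODE_TLS_REJECT_UNAUTHORIZED. The function names, the `--check` flag and the sample bytes are assumptions made for the example; only the outer encoding is inspected, not the certificate contents.

```javascript
// Added example: preflight for NODE_EXTRA_CA_CERTS before launching a Node.js CLI.
const PEM_CERT = /-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----/g;

// Constructed sample bytes (an ASN.1 SEQUENCE header plus filler), not a real certificate.
const SAMPLE_DER = Buffer.from([0x30, 0x82, 0x00, 0x04, 1, 2, 3, 4]);
const SAMPLE_PEM = Buffer.from(
  `-----BEGIN CERTIFICATE-----\n${SAMPLE_DER.toString('base64')}\n-----END CERTIFICATE-----\n`);

// Classify the outer encoding only: 'pem', 'der' (binary X.509, a common
// Windows .cer export) or 'unknown'. Certificate contents are not validated.
function classifyCertBytes(buf) {
  const blocks = [...buf.toString('latin1').matchAll(PEM_CERT)];
  if (blocks.length > 0) {
    const allDer = blocks.every((m) => {
      const der = Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
      return der.length > 2 && der[0] === 0x30; // every block must decode to a SEQUENCE
    });
    return allDer ? { encoding: 'pem', count: blocks.length } : { encoding: 'unknown', count: 0 };
  }
  if (buf.length > 2 && buf[0] === 0x30) return { encoding: 'der', count: 1 };
  return { encoding: 'unknown', count: 0 };
}

// Returns a list of problems; an empty list means the setting looks usable.
// readFile is injectable so the check can be exercised without touching disk.
function preflight(env, readFile = (p) => require('fs').readFileSync(p)) {
  const problems = [];
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    problems.push('NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate verification');
  }
  const value = env.NODE_EXTRA_CA_CERTS;
  if (!value) return problems.concat('NODE_EXTRA_CA_CERTS is not set');
  // cmd.exe keeps the space before "&&" in `set VAR=value && next`.
  if (value !== value.trim()) problems.push('path has leading or trailing whitespace');
  let bytes;
  try {
    bytes = readFile(value.trim());
  } catch (err) {
    return problems.concat(`cannot read ${value.trim()}: ${err.code || err.message}`);
  }
  const { encoding } = classifyCertBytes(bytes);
  if (encoding === 'der') problems.push('file is DER-encoded; Node.js expects PEM');
  if (encoding === 'unknown') problems.push('no PEM certificate block found');
  return problems;
}

// Stand-alone use: `node preflight.js --check && ng-openapi-gen --config ng-openapi-gen.json`
if (process.argv.includes('--check')) {
  const problems = preflight(process.env);
  problems.forEach((p) => console.error(`preflight: ${p}`));
  process.exitCode = problems.length ? 1 : 0;
}
```

Node.js reads NODE_EXTRA_CA_CERTS only once, when the process starts, so the check has to run before the generator is launched rather than from inside it.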

begrs commented 2 years ago

Sooo, I am now working on the next project and this is a huge issue again ... The documentation moved slightly to https://nodejs.org/api/cli.html#node_extra_ca_certsfile . The workaround is incredibly tedious to set up correctly for all colleagues (using a proxy) because we work from different environments and have different routes to the same api. Please look into it soon, it is the recommended approach to do it as all other workarounds except for the proxy are a security risk even when working with a local api - which is why we can't use any of them because of legal constraints of the involved companies.

bump

TheRealGI commented 2 years ago

Hey @begrs,

I tried to replicate your issue. I set up an express.js server which I bound to a certificate I created and exposed a simple GET endpoint which returns an OAPI spec. I used your script and ng-openapi-gen.json in another project and I had no problem with it. I tested it with the ng-openapi-gen versions: 0.15.0, 0.17.2 and 0.23.0.

luisfpg commented 1 year ago

Closing for lack of activity