Node.js app resources added with AddNpmApp/AddNodeApp fail to fetch content from ASP.NET Core apps over HTTPS

DamianEdwards commented 7 months ago

The AspireWithNode sample is failing after updating to preview.5 due to Node.js' internal fetch() stack rejecting self-signed certificates by default, even if they're trusted by the host (in this case Windows). I believe this is because Node.js statically links OpenSSL rather than call through the host's crypto stack.

Some options to workaround (from Bing Chat) follow. If we wanted to apply one of these automatically in development when AddNpmApp or AddNodeApp is called, the most specific option appears to be exporting the ASP.NET Core HTTPS dev cert (public key only) and then setting the NODE_EXTRA_CA_CERTS environment variable on the Node.js app:

When working with Node.js and making HTTP requests using the Fetch API, you might encounter issues related to self-signed certificates. Self-signed certificates are often used for testing purposes or in private intranet services. Here are some approaches to handle self-signed certificates in Node.js:

Ignoring SSL Verification (Not Recommended):
- You can disable SSL verification altogether by setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to 0. However, this approach is not recommended because it disables SSL verification for all requests, making your application vulnerable to security risks.
- Example:
```
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
```

Using a Custom Agent:

Create a custom HTTPS agent with the rejectUnauthorized option set to false. This approach allows you to selectively ignore SSL verification for specific requests while still validating other certificates.

Example:

const fetch = require('node-fetch');
const https = require('https');

const httpsAgent = new https.Agent({ rejectUnauthorized: false });

const response = await fetch(url, {
    method: 'POST',
    headers: headers,
    body: body,
    agent: httpsAgent,
});

Monkey Patching the tls Module:
- You can monkey-patch the tls module to support self-signed certificates with custom root certificate authorities (CAs). This approach allows you to append extra root CAs to the default list.
- Example:
```
const tls = require('tls');
const secureContext = tls.createSecureContext();
secureContext.context.addCACert(`-----BEGIN CERTIFICATE-----\n...`);
```
Using Environment Variables:
- Set the NODE_EXTRA_CA_CERTS environment variable to the path of a file containing additional root certificates in PEM format. Node.js will add these certificates to its list of hardcoded certificates.
- Example:
```
NODE_EXTRA_CA_CERTS=./rootCA.crt node server.js
```

If you're testing locally or in a controlled environment, proceed with caution and choose the most appropriate method based on your use case. 🛡️🔒

DamianEdwards commented 7 months ago

More detail on this, RE sending to the OTLP endpoint from a Node.js app over HTTPS, it seems the gRpc stack for Node.js doesn't support a flag to disable cert verification. Instead they recommend that the CA file for the self-signed cert blob is passed explicitly when initializing the channel credentials (see https://github.com/grpc/grpc-node/issues/160).

afscrome commented 6 months ago

In environments where your company deploys a TLS inspection appliance, users may already have many of these environment variables set. Aspire should make sure to add to the existing configuration, rather than overwrite it completely.

dotnet / aspire

Node.js app resources added with AddNpmApp/AddNodeApp fail to fetch content from ASP.NET Core apps over HTTPS #3324