Closed: isotherm closed this issue 1 year ago
If you pass --ignore-certificate-errors, Electron will just dump SSL errors in the console and continue loading the page. Definitely not a solution, but it can come in handy.
Node.js apparently has a special env variable to add custom certs (NODE_EXTRA_CA_CERTS), but Electron does not respect it. This is the issue with a workaround to make that work: https://github.com/electron/electron/issues/10257.
I re-adapted the code in the linked issue and pushed a branch: https://github.com/gm-vm/openfortivpn-webview/tree/extra_ca_certs. I could not test it yet; I applied the change blindly.
If you want, you can try to build the app yourself following these instructions.
Once you have done that you can quickly test it with (do note the extra --):
npm start myvpnhost -- --extra-ca-certs "/some/path"
I did a quick test using https://untrusted-root.badssl.com/ and couldn't make it work with the workaround, so I switched to the certificate-error event to handle things manually.
This let me load the page without issues (badssl-com.pem is the untrusted CA).
npm start -- --url 'https://untrusted-root.badssl.com/' --extra-ca-certs badssl-com.pem
I wanted to use the workaround because my assumption was that it would simply extend the set of certificates. This simply checks that the certificate belongs to the list of certificates provided with --extra-ca-certs.
Maybe I should also check that error is equal to net::ERR_CERT_AUTHORITY_INVALID.
I verified that this works against a real server, using the full certificate chain. Thank you for looking into this and getting it resolved so promptly!
I get the below error because I do not have the Fortinet CA root certificate installed system-wide.
Although installing the certificate system-wide is supposed to work, I do not want to do that as that would potentially permit the VPN appliance to monitor my traffic via MitM (which is one of the features of Fortigate).
I know nothing about Electron. The ideal thing would be if I could add a trusted certificate just for the embedded instance of Chromium, or if this app could catch the certificate error and do something reasonable. Maybe this could help: https://www.electronjs.org/docs/latest/api/app/#event-certificate-error
Or is there any other way to work around this in the meantime?