lando / node

The Official Node Lando plugin.
https://docs.lando.dev/node
GNU General Public License v3.0

After core update 3.22.1, node container is not able to fetch with https from drupal container on mac #85

Closed vermario closed 1 week ago

vermario commented 1 week ago

Hello!

We maintain this starterkit for Drupal and next.js: https://github.com/wunderio/next-drupal-starterkit

And we have been using lando with it for a long time. After the latest update, our node service is not able to fetch from our Drupal service anymore using https. We get this error:

TypeError: fetch failed
    at node:internal/deps/undici/undici:12344:11
    at processTicksAndRejections (node:internal/process/task_queues:95:5) {
  cause: Error: unable to verify the first certificate
      at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
      at TLSSocket.emit (node:events:518:28)
      at TLSSocket.emit (node:domain:488:12)
      at TLSSocket._finishInit (node:_tls_wrap:1085:8)
      at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:871:12) {
    code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
  }
}

I saw in the list of commits that the latest release for core had some changes in the handling of certificates, and also the Mac prompted for my password to make changes to the certificate settings when installing the update.

This is the lando file: https://github.com/wunderio/next-drupal-starterkit/blob/main/.lando.yml

Node version is v20.11.0.

vermario commented 1 week ago

I am able to continue working with the project by adding this env var to our node service:

        NODE_TLS_REJECT_UNAUTHORIZED: 0

But that's not great practice, and it does seem that something's up with the SSL configuration in this new version.

vermario commented 1 week ago

To try and debug this, I:

  1. logged into the node container with lando exec node -- bash
  2. ran this command: openssl s_client -connect next-drupal-starterkit.lndo.site:443 (that is the URL of the Drupal site, which I can reach via the browser no problem). This is the result:
openssl s_client -connect next-drupal-starterkit.lndo.site:443
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = next-drupal-starterkit.lndo.site, O = Lando System
   i:CN = Lando Development CA, C = US, ST = California, L = Oakland, O = Lando Development CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = next-drupal-starterkit.lndo.site, O = Lando System

issuer=CN = Lando Development CA, C = US, ST = California, L = Oakland, O = Lando Development CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1583 bytes and written 404 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Request
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: CA3AFA9E678969300D0B2AC584D4E253775C5950C40080E1B1242195FB79EECB
    Session-ID-ctx: 
    Resumption PSK: 6441D92D75D8C34EDFE911C61AFF061826B1CB54A913A35289857500102F0FD5D6DC8FCC4AB7CE7374F64BC14D776592
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:

    Start Time: 1728973011
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

Notice that HTTP/1.1 400 Bad Request?

vermario commented 1 week ago

We found that adding this ENV var to the node service:

NODE_OPTIONS: --use-openssl-ca

allows it to work again, so we are adding it. Maybe it's useful for other people if they start seeing this issue as well.

tormi commented 1 week ago

Another way to resolve this is to define the NODE_EXTRA_CA_CERTS env var and map it to the LANDO_CA_CERT value internally.

services:
  node:
    overrides:
      environment:
        NODE_EXTRA_CA_CERTS: /lando/certs/LandoCA.crt