node-gh / gh

(DEPRECATED) GitHub CLI made with NodeJS. Use the official https://cli.github.com/ instead.
http://nodegh.io

Error when using w/ enterprise github + self signed certificate #455

Closed grekko closed 8 years ago

grekko commented 8 years ago

Hi everyone, I'd like to use your CLI for a project where we use GitHub Enterprise and a self-signed certificate. Trying to set up gh throws the following error:

$ gh pr --verbose
DEBUG: ENOENT: no such file or directory, open '/Users/c5242900/scm/profile/webapp/.gh.json'
DEBUG: ENOENT: no such file or directory, open '/Users/c5242900/scm/profile/webapp/.gh.json'
First we need authorization to use GitHub's API. Login with your GitHub account.
? Enter your GitHub user ****
? Enter your GitHub password ****

{ [Error: unable to get local issuer certificate]
  defaultMessage: 'Internal Server Error',
  message: 'unable to get local issuer certificate',
  code: '500' }

I did not find any config option to disable the certificate check. Do you already provide such a config?

henvic commented 8 years ago

Hi @grekko,

We don't provide an option to disable the certificate check. Please note we rely on a dependency (npm: github) that does not do it as well.

Your best option is to use a Let's Encrypt certificate instead of a self-signed certificate on your GitHub Enterprise setup. It is free, simple, automated, and works pretty well. By the way, you should always use a publicly available domain name for your HTTPS servers (even when your server is not publicly available).

A second option would be adding your self-signed certificate as a CA on your operating system. I don't recommend that for good reason, though.

I think the only issue with the current behavior is that the feedback is not good enough.

grekko commented 8 years ago

Hi @henvic, thanks for the quick reply. Unfortunately I am not able to change the certificate myself but I agree that a valid certificate would be the best option here. I'll try to convince some people.

IMHO it would be great if you state that you explicitly do not support self-signed certificates when such an error occurs.

henvic commented 8 years ago

@grekko, Have you already reached whoever is responsible for that to ask for a proper HTTPS setting?

If so, please tell me what the feedback was. I can try to help you with it by writing something on the README and improving the error message (this is why I am reopening).

Meanwhile, it seems you can edit /usr/local/bin/gh to add process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; just before require('../lib/cmd.js').run(); AT YOUR OWN RISK and I, my employees, or anyone else can assume no responsibility for any destruction of data, earthquakes, ovni attacks, or terminations caused by such inappropriate, dangerous, and reckless adventurous hack.

grekko commented 8 years ago

@henvic Nope. I haven't reached out to the people in charge yet. Also I doubt that I am able to move things forward in that area.

Do you know any way to provide the ROOT CA certificate of the self-signed certificate for a proper certificate validation to the underlying github package?

henvic commented 8 years ago

@grekko, I haven't tried it. But you can always try to find where the HTTPS request is being made and see node's API to see how you can allow a custom certificate.

An easier solution (that might be a more appropriate workaround, given that you might have this same issue in other places -- and as long as you trust the people who have added this CA - which you shouldn't do, no matter if they are lovely and great coworkers - they're not in the business of ROOT CAs) would be to add it system-wide (that depends on your system, on OS X you can do it on Keychain).
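Added example, not part of the original thread and not node-gh or npm `github` code: one way to hand a private root CA to Node's HTTPS client so that verification stays on, instead of setting NODE_TLS_REJECT_UNAUTHORIZED to "0". Node.js by default verifies against its own bundled root list rather than the OS keychain, so the CA has to be given to Node itself. The function names and the PEM path argument are assumptions made for illustration.

```javascript
// Added example (hypothetical helper names): trust a private CA explicitly
// while keeping certificate verification enabled.
const fs = require('fs');
const https = require('https');
const tls = require('tls');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle (root plus optional intermediates) into single certificates.
function splitPemBundle(pemText) {
  const blocks = pemText.match(PEM_BLOCK);
  if (!blocks) throw new Error('no CERTIFICATE block found in CA bundle');
  return [...blocks];
}

// Build an https.Agent that verifies servers against the private CA.
// Passing `ca` REPLACES Node's built-in roots: by default this agent trusts
// only the private CA, which is the tightest setting for an agent used for
// one internal host. Set keepPublicRoots to also trust the bundled roots.
function agentForPrivateCa(pemText, { keepPublicRoots = false } = {}) {
  // Refuse to run with verification globally switched off.
  if (process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    throw new Error('NODE_TLS_REJECT_UNAUTHORIZED=0 is set; unset it so verification stays on');
  }
  const ca = splitPemBundle(pemText);
  if (keepPublicRoots) ca.push(...tls.rootCertificates);
  return new https.Agent({ ca, rejectUnauthorized: true });
}

// Usage sketch: `url` is the internal server, `caPath` the exported root CA (PEM).
function getWithPrivateCa(url, caPath, onResponse) {
  const agent = agentForPrivateCa(fs.readFileSync(caPath, 'utf8'));
  return https.get(url, { agent }, onResponse);
}
```

For a CLI whose request code you do not control, the NODE_EXTRA_CA_CERTS environment variable (Node 7.3 and later) adds the certificates in a PEM file to Node's default roots without any code change.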

grekko commented 8 years ago

@henvic I'll be back in the office tomorrow afternoon and will report if this fixes the issue.

grekko commented 8 years ago

@henvic I added the CA but still experience the same response message. I actually found another solution for my problem and will pursue that way.

Thanks for your time and support. I'll close the ticket since my original issue is resolved.