Open dagda1 opened 3 years ago
I'm not sure I understand the problem. If we did the work to generate a certificate chain, what would it look like, and how would node TLS be able to verify it without adding an extra CA to the NODE_EXTRA_CA_CERTS
variable?
I thought the problem was that node never looks at system certificate authorities, but only at those that it comes bundled with.
I thought the problem was that node never looks at system certificate authorities, but only at those that it comes bundled with.
This is correct, node uses a hardcoded list of certificate authorities.
I created the issue to check we are happy that setting NODE_EXTRA_CA_CERTS
is the best way of handling this.
Dealing with self-signed SSL certificates for localhost development is a tricky business. We also want to leave the door open to allow users to point to
real
SSL certificates if, for example, a simulator is running in the cloud.We have currently left in a short term solution of using the node environment variable
NODE_EXTRA_CA_CERTS
to point to the CA cert but this is not a good long term solution.NODE_EXTRA_CA_CERTS="$(mkcert -CAROOT)/rootCA.pem" mocha -r ts-node/register --timeout 10000 test/**/*.test.ts"
This is bad because it implies the user has used
mkcert
to install their certs.The self-signed certificates need to be trusted in 2 main scenarios so far:
Both are slightly different and have different challenges for localhost development.
In the case of the
auth0
simulator and when dealing with SPAs that use such trickery as webworkers and hidden iframes then the SSL needs to be trusted or else the browser will (with good reason) disable new-age voodoo tools like webworkers.For node, the SSL and TLS packages need to be able to ascertain a full chain of trust from the certificate back to the local CA self-signed cert.
We have used
mkcert
which for the most part has worked and covers off the browser case quite nicely.It does not cover the node case as it does not create a full chain or an intermediary certificate, see this issue for background.
This leaves us with the following options
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
which is a nuclear approach to just tell node to ignore all certificate issues. As bad as this seems, it does have benefit of being simple and we are dealing with a fake simulator so do we really need it to be totally real?NODE_EXTRA_CA_CERTS
where appropriateopenssl
that behave as normal. here is a good post about certificate chains.We also need to be able to configure a simulator to point to other certs when not running in localhost.