twilio / twilio-cli

Unleash the power of Twilio from your command prompt
MIT License

Allow certificate path to be configured in config.json #249

Open giwleb opened 3 years ago

giwleb commented 3 years ago

Issue Summary

Getting a self-signed cert error. Our company "injects" a TLS cert into the chain and decrypts all traffic. I suspect there might be something I can put in the config file mentioned (like wget's --no-check-certificate option). I did check around but I don't see the config file options.

Steps to Reproduce

Add a self-signed cert to your certificate path

In the CLI

twilio api:verify:v2:services:verifications:create --service-sid VA... --to +13... --channel sms --custom-friendly-name "test1234" -l debug

Technical details:

twilio-cli/2.21.0 win32-x64 node-v15.14.0

thinkingserious commented 3 years ago

Hello @giwleb,

Thank you for taking the time to report this!

It looks like the issue is with your self-signed certificate; perhaps the solution offered here may help. Please let us know your results. Thanks!

With best regards,

Elmer

giwleb commented 3 years ago

Thanks. What I've learned is that unless your app uses the internal Windows cert store, you need to add the cert at the "app level". For example, I had to tell Firefox to use the Windows cert store via a configuration item. I'm not sure how to do that here. Running Node on Windows. I don't know specifically how Node and OpenSSL work under the hood on Windows. I'm hoping you can help there.

For npm, for example, I had to run:

npm config set cafile d:\files\ca-chain-bba-fw.pem

thinkingserious commented 3 years ago

Thank you for the follow-up!

I do not have experience with the configuration you describe. A search for "install app certificates node windows" seems to yield some promising results. Please do let us know how you end up solving this issue, if possible. Thank you!

giwleb commented 3 years ago

I have to admit I'm a bit disappointed in your response. Just because you don't have experience doesn't mean it's not something worth investigating. Also, your search, which I've done, doesn't reveal clear paths to success.

giwleb commented 3 years ago

After some poking around, and without implementing anything that is a glaring security hole (env NODE_TLS_REJECT_UNAUTHORIZED=0), I went with env NODE_EXTRA_CA_CERTS=c:\path\to\cert.pem.

This did work, but is there a way to migrate this to the config.json file?

Something like:

{
    "tls":
    {
        "extraCaCerts":
        [
            {"path": "c:\\path\\to\\cert.pem"}
        ]
    }
}
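
One way the per-app setting asked about in this comment could work, added here as an example (it is not twilio-cli code): it reads the hypothetical `tls.extraCaCerts` key from the proposal above and builds an `https.Agent` that trusts those CAs alongside Node's bundled roots, with certificate verification left on. The function names are assumptions, and the demo uses one of Node's bundled root certificates as a constructed stand-in for the corporate CA file.

```javascript
// Added example (not twilio-cli code): per-app trust for extra CA certificates.
const crypto = require('crypto');
const fs = require('fs');
const https = require('https');
const os = require('os');
const path = require('path');
const tls = require('tls');

// Split a PEM bundle into its individual certificate blocks.
function splitPem(text) {
  return text.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
}

// Load and validate the files named in config.tls.extraCaCerts
// (hypothetical key, taken from the proposal in the issue).
function loadExtraCas(config) {
  const entries = (config.tls && config.tls.extraCaCerts) || [];
  const extras = [];
  for (const entry of entries) {
    const blocks = splitPem(fs.readFileSync(entry.path, 'utf8'));
    if (blocks.length === 0) throw new Error(`no certificate found in ${entry.path}`);
    for (const pem of blocks) {
      const cert = new crypto.X509Certificate(pem); // throws on malformed input
      // Keep subject and fingerprint so the added trust can be logged and audited.
      extras.push({ pem, subject: cert.subject, sha256: cert.fingerprint256 });
    }
  }
  return extras;
}

// Passing `ca` replaces Node's default roots, so the bundled roots are kept
// explicitly and the extras appended. Verification stays enabled.
function agentFromConfig(config) {
  const extras = loadExtraCas(config).map((c) => c.pem);
  return new https.Agent({ ca: [...tls.rootCertificates, ...extras], rejectUnauthorized: true });
}

// Constructed sample input: a bundled root stands in for the corporate CA file.
function demo() {
  const file = path.join(os.tmpdir(), 'example-corp-ca.pem');
  fs.writeFileSync(file, tls.rootCertificates[0] + '\n');
  const config = { tls: { extraCaCerts: [{ path: file }] } };
  return { extras: loadExtraCas(config), agent: agentFromConfig(config) };
}

const demoResult = demo();
console.log(demoResult.extras.map((c) => `${c.sha256}  ${c.subject.replace(/\n/g, ', ')}`).join('\n'));
```

The returned agent is passed as the `agent` option of `https.request`, so the extra trust applies only to requests made with it, unlike the process-wide `NODE_EXTRA_CA_CERTS`.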

giwleb commented 3 years ago

Any thoughts @childish-sambino @thinkingserious ?

thinkingserious commented 3 years ago

Hello @giwleb,

Thank you for the follow-up and taking the time to share your solution!

What advantages do you see moving this configuration to the config.json file? What if we included instructions on how to set the proper environment variable in the error you received and include instructions in the README or other appropriate place? (e.g. "[DEBUG] Error: self signed certificate in certificate chain" becomes "[DEBUG] Error: self signed certificate in certificate chain, please see X link to resolve.")

With best regards,

Elmer

giwleb commented 3 years ago

@thinkingserious It doesn't matter much for me, but I can think of one: it seems to be how other projects have implemented it, to allow for more granular control of the certificate chain. The method I used is a global setting and applies to all Node-based apps you run. That might not be what you want, or when developing you might want a way to do it for just this app.

Is it a hard thing to do?

thinkingserious commented 3 years ago

@giwleb,

Great point about needing to modify your global settings, not ideal. I'm not sure what the difficulty would be to make that change just yet. I have re-classified this issue for further investigation.

This issue has been added to our internal backlog to be prioritized. Pull requests and +1s on the issue summary will help it move up the backlog.

Thanks again for reporting and the follow-up!