
self signed certificate in certificate chain

Open b00tsy opened this issue 2 years ago • 3 comments

I need to access ArcGIS services which use our own enterprise PKI, which currently results in `self signed certificate in certificate chain` errors.

When working with plain node requests (or libraries such as axios etc.) it's possible to define the expected certification authority via the ca option of the http agent.

A similar issue #289 solved that by overriding the files of this library, which is more of a hack to solve the issue than a long-term solution that solves such problems for everyone. In other issues I've read comments saying that you're thinking of adding the option to customize the http agent. Is that still a plan or is it maybe already implemented and I haven't found it?

b00tsy avatar May 18 '22 11:05 b00tsy

Long term the goal is to use the native fetch() in both Node and the browser which is powered by Undici fetch(). Looking at the Undici docs I don't see a way to define any certificates in those options in Node. In Undici it looks like you might be able to do this: https://stackoverflow.com/a/71946886.

A good way to move this forward would be to build an example that works with just fetch() from Node/Undici and a version using fetch() from node-fetch@3.

Long term the goal of this library is to align with the standard fetch() in browsers (which we already do) and Node's built-in fetch() which is currently node-fetch@3 but will almost certainly be the built-in fetch() in the future. When Node exposes a way to do this then we will make it compatible, but for now the landscape is still shifting so there isn't a permanent solution. https://github.com/nodejs/node/issues/43187

patrickarlt avatar Aug 15 '22 22:08 patrickarlt

Looks like the tls options of the Client class can take more parameters ( https://github.com/nodejs/undici/issues/842#issuecomment-869217884 ) which in this case is for client certificate authentication. But if you can do this I assume you can also pass a custom ca option to get the client to talk to enterprise PKI...

BananaGlue avatar Aug 16 '22 06:08 BananaGlue

@BananaGlue it looks like https://github.com/nodejs/undici/issues/842#issuecomment-869217884 implemented custom certs for the Client class, however from reading the docs and tests I can't see a way to get that into the global fetch() method which is what we want to use.

patrickarlt avatar Aug 16 '22 16:08 patrickarlt
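
Added example, not part of the thread and not arcgis-rest-js code: the `ca` option of Node's https agent mentioned in the opening post, used to trust an enterprise CA bundle while certificate verification stays on. The helper names and the sample bundle are assumptions made for illustration; the bundle holds constructed placeholders, not real certificates.

```javascript
const https = require("node:https");
const tls = require("node:tls");

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle (root plus intermediates in one file) into single certificates.
function splitPemBundle(bundle) {
  const certs = String(bundle).match(PEM_CERT) || [];
  if (certs.length === 0) {
    throw new Error("no CERTIFICATE blocks found in CA bundle");
  }
  return certs;
}

// Hypothetical helper: build an agent that trusts the enterprise CA(s).
// Setting `ca` REPLACES Node's default trust store, so the bundled public
// roots are appended unless the caller wants to trust only the enterprise PKI.
function buildEnterpriseAgent(bundle, { keepPublicRoots = true } = {}) {
  const enterprise = splitPemBundle(bundle);
  const ca = keepPublicRoots
    ? [...tls.rootCertificates, ...enterprise]
    : enterprise;
  // rejectUnauthorized stays true: the chain is still verified, only the set
  // of trusted roots changes. Setting it to false would accept any certificate.
  return new https.Agent({ ca, rejectUnauthorized: true });
}

// Constructed placeholder bundle, only to exercise the splitting. In practice
// read the PEM file exported from the enterprise PKI with fs.readFileSync().
const SAMPLE_BUNDLE = [
  "-----BEGIN CERTIFICATE-----",
  "(placeholder: enterprise root CA)",
  "-----END CERTIFICATE-----",
  "-----BEGIN CERTIFICATE-----",
  "(placeholder: enterprise issuing CA)",
  "-----END CERTIFICATE-----",
].join("\n");

const agent = buildEnterpriseAgent(SAMPLE_BUNDLE);
// Usage with a plain Node request: https.get(url, { agent }, callback)
console.log(`trusted roots: ${agent.options.ca.length}`);
```
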