
[proposal][node] Use system CA

Open sosoba opened this issue 2 months ago • 4 comments

Since its inception, nodejs has provided a built-in set of root certificates. Current versions of the v22 and v24 lines allow using system certificates:

docker run --rm -e NODE_USE_SYSTEM_CA=1 gcr.io/distroless/nodejs22-debian12 -e "console.log(await fetch('https://google.com').then(res=>res.statusText))"

OK

This works fine but the image size is increased by an unnecessary resource.

Would you consider building nodejs for the image without built-in certificates and with the setup of NODE_USE_SYSTEM_CA=1?

sosoba avatar Oct 23 '25 08:10 sosoba

oh yeah maybe. @omBratteng any thoughts?

loosebazooka avatar Oct 23 '25 19:10 loosebazooka

@sosoba just to understand, we're technically bundling two sets of CA "bundles"? One from the image and one embedded in nodejs binary?

omBratteng avatar Oct 25 '25 16:10 omBratteng

@sosoba just to understand, we're technically bundling two sets of CA "bundles"? One from the image and one embedded in nodejs binary?

In previous versions, Nodejs ignored system certificates and used the built-in "Mozilla" package. Additionally, by specifying the NODE_EXTRA_CA file, this set could be expanded to include the necessary private CA certificates.

In the current versions v20 and v22, a new functionality has been added: the use of operating system certificates instead of the set built into the nodejs binary file. This mode is activated by NODE_USE_SYSTEM_CA=1.

Currently, the Nodejs binary for the distroless image could be compiled without the Mozilla certificate set, which would reduce its size by about 2MB.

sosoba avatar Oct 26 '25 11:10 sosoba

That would require us to compile nodejs ourselves, which iirc we try not to do, and prefer to use the upstream pre-compiled version, right @loosebazooka?

omBratteng avatar Oct 27 '25 12:10 omBratteng