
Use extra/self-signed https certificates

Open ianldgs opened this issue 2 years ago • 10 comments

Users behind corporate firewall typically have custom certificates used by the company to decrypt HTTPS traffic.

NodeJS will by default complain about those "self-signed" certificates and not perform the requests.

One workaround is to disable TLS completely for NodeJS, which is obviously dangerous, or to export an environment variable in the bashrc/zshrc pointing to the custom certificates that you know to be safe: https://nodejs.org/api/cli.html#node_extra_ca_certsfile

The latter doesn't work with this extension, likely for one of those reasons given in the NodeJS docs:

  • Neither the well known nor extra certificates are used when the ca options property is explicitly specified for a TLS or HTTPS client or server.
  • This environment variable is ignored when node runs as setuid root or has Linux file capabilities set.

So, to use this extension in such corporate environments without disabling TLS completely, we have to manually read those files and inject them into the global HTTPS agent. That will mimic NodeJS's default behaviour.

Closes #243

ianldgs avatar Jun 08 '22 10:06 ianldgs

⚠️ No Changeset found

Latest commit: 68f5603eb5ee1fe7dfb84792dfa6acacd91964db

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


changeset-bot[bot] avatar Jun 08 '22 10:06 changeset-bot[bot]

@znck think you could review this PR pls?

ianldgs avatar Jun 13 '22 13:06 ianldgs

I am not sure what's happening here.

/cc @wachunga

znck avatar Jun 17 '22 19:06 znck

@znck sorry about that, I should've written a good description. Please take a look again?

ianldgs avatar Jun 21 '22 13:06 ianldgs

@znck friendly ping... I see github bot closed the issue as stale.

ianldgs avatar Jul 15 '22 08:07 ianldgs

I'll get this merged this week.

znck avatar Jul 20 '22 19:07 znck

Is there an easy way to test this?

znck avatar Jul 26 '22 01:07 znck

Well, it's easy for me to test because I'm behind the company's firewall/vpn. Maybe you could try following this, if you're on a mac.

And then what I did was:

test-certs.mjs:

```js
// Load the CA injection first so the global agent is patched before any request.
import "./extra-certs.mjs";
import fetch from "node-fetch";

fetch("https://js.grammarly.com/grammarly-sdk");
```

extra-certs.mjs:

```js
import https from "node:https";
import tls from "node:tls";
import fs from "node:fs";

if (typeof process.env.NODE_EXTRA_CA_CERTS === "string") {
  // Read each configured certificate file as PEM text.
  const extraCerts = process.env.NODE_EXTRA_CA_CERTS.split(",").map((certPath) =>
    fs.readFileSync(certPath, "utf8")
  );

  // Setting `ca` replaces the defaults, so keep the bundled roots as well.
  https.globalAgent.options.ca = [...tls.rootCertificates, ...extraCerts];
}
```

And run:

```sh
export NODE_EXTRA_CA_CERTS="/path/to/cert.pem"
node test-certs.mjs
```

ianldgs avatar Aug 05 '22 07:08 ianldgs
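The injection approach from this thread, as an added example that is not code from the PR or the extension: it checks each certificate in the file before trusting it and returns fingerprints so the change to the trust store can be logged. The function names `vetBundle`, `buildCaList` and `installExtraCas` are hypothetical, and the block is written as CommonJS rather than the ES modules used in the comment above.

```javascript
// Added example (CommonJS); function names are hypothetical, not the extension's.
const tls = require("node:tls");
const fs = require("node:fs");
const https = require("node:https");
const { X509Certificate } = require("node:crypto");

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle and keep only certificates that parse and are inside
// their validity window at `now`. Duplicates are dropped by SHA-256 fingerprint.
function vetBundle(pemText, now = new Date()) {
  const accepted = [], rejected = [], seen = new Set();
  for (const pem of pemText.match(PEM_CERT) ?? []) {
    let cert;
    try {
      cert = new X509Certificate(pem);
    } catch {
      rejected.push({ reason: "unparseable" });
      continue;
    }
    if (seen.has(cert.fingerprint256)) continue;
    seen.add(cert.fingerprint256);
    const entry = { pem, subject: cert.subject, fingerprint256: cert.fingerprint256 };
    const from = Date.parse(cert.validFrom), to = Date.parse(cert.validTo);
    // A NaN date fails this comparison, so an unreadable window is rejected.
    if (from <= now.getTime() && now.getTime() <= to) accepted.push(entry);
    else rejected.push({ ...entry, reason: "outside validity window" });
  }
  return { accepted, rejected };
}

// Setting `ca` replaces Node's defaults, so the bundled roots must be listed
// alongside the vetted extras or public sites stop verifying.
function buildCaList(extraPem, now = new Date()) {
  const { accepted, rejected } = vetBundle(extraPem, now);
  return { ca: [...tls.rootCertificates, ...accepted.map((c) => c.pem)], accepted, rejected };
}

// Apply to an agent only when NODE_EXTRA_CA_CERTS names a file; returns the
// vetting result (for logging fingerprints) or null when nothing was changed.
function installExtraCas(env = process.env, agent = https.globalAgent, now = new Date()) {
  const file = env.NODE_EXTRA_CA_CERTS;
  if (typeof file !== "string" || file === "") return null;
  const result = buildCaList(fs.readFileSync(file, "utf8"), now);
  agent.options.ca = result.ca;
  return result;
}
```

Logging `accepted[].fingerprint256` at startup gives a record of exactly which extra CAs the process trusts, which can be compared against the fingerprints the company publishes for its inspection proxy.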

Just pinging this space to see what the latest update is

haydencbarnes avatar Dec 20 '22 07:12 haydencbarnes

Hello, is there any way I can help to get this merged? :)

papb avatar Feb 14 '23 18:02 papb