Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cli option to configure add cerificate authority for SSR fetch requests #28833

Closed
burner-account opened this issue Nov 10, 2024 · 5 comments
Closed
Labels
needs: repro steps We cannot reproduce the issue with the information given

Comments

@burner-account
Copy link

burner-account commented Nov 10, 2024

Command

serve

Description

Hi there!

If your SSR HttpClient (withFetch()) currently requests data server side from an API that uses TLS signed by a custom CA you may receive a UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.

While the compiled SSR application runs fine with node dist/yada/server/server.mjs, using ng serve to start the application will produce the mentioned error. node probably works fine because it uses the system CAs(?). But ng serve seems to have its own idea about root CAs.

Describe the solution you'd like

If i am not ignorant to "the obvious and usual way to solve this", could this please be considered as something to be solved via CLI options?
Or ng serve maybe could be taught to obey NODE_EXTRA_CA_CERTS?

Thank you!

Describe alternatives you've considered

  • I tried to convince ng serve with the NODE_EXTRA_CA_CERTS environment variable - no success.
  • Writing to https.globalAgent.options.ca did not solve the problem.
@dgp1130
Copy link
Collaborator

dgp1130 commented Nov 11, 2024

I would expect ng serve to follow Node's behavior with respect to root certificates. Does this work if you start your own Node process and make a manual fetch to this backend API? Are you providing this certificate via NODE_EXTRA_CA_CERTS?

I don't think Angular would want to diverge from system behavior here, so I'm inclined to avoid adding a new option and just match system behavior, but I'm not sure what we could be doing here which would be breaking it.

@burner-account
Copy link
Author

burner-account commented Nov 12, 2024

I would expect ng serve to follow Node's behavior with respect to root certificates. Does this work if you start your own Node process and make a manual fetch to this backend API? Are you providing this certificate via NODE_EXTRA_CA_CERTS?

If i run the compiled SSR app manually via node dist/projectname/server/server.mjs everything is perfectly fine. I have installed the custom CA certificate chain as a system-wide root certificate. I do not provide NODE_EXTRA_CA_CERTS. NodeJS seems to pick up system certs.

I don't think Angular would want to diverge from system behavior here, so I'm inclined to avoid adding a new option and just match system behavior, but I'm not sure what we could be doing here which would be breaking it.

Matching system behaviour, meaning getting ng serve to pick up system certs, would be really cool!

@burner-account
Copy link
Author

burner-account commented Nov 12, 2024

There is test code in /tests/legacy-cli/e2e/tests/vite/ssr-with-ssl.ts#L50 which seems to use

process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

to mitigate the described problem.

Setting process.env.NODE_TLS_REJECT_UNAUTHORIZED on top of server.ts seems not to work, but setting the env variable like
NODE_TLS_REJECT_UNAUTHORIZED='0' ng serve ... does work.

@alan-agius4
Copy link
Collaborator

I'm having trouble fully understanding the problem description. When running ng serve, are you using your own generated certificates, or the self-signed certificates that are automatically generated?

ng serve launches a Node process, so as long as the NODE_EXTRA_CA_CERTS environment variable is properly configured, it should be recognized.

If the problem persists I suggest to provide a minimal reproduction that we can take a look at.

@alan-agius4 alan-agius4 added needs: repro steps We cannot reproduce the issue with the information given and removed type: bug/fix area: @angular/ssr labels Nov 20, 2024
@alan-agius4
Copy link
Collaborator

Thanks for reporting this issue. However, you didn't provide sufficient information for us to understand and reproduce the problem. Please check out our submission guidelines to understand why we can't act on issues that are lacking important information.

If the problem persists, please file a new issue and ensure you provide all of the required information when filling out the issue template.

@alan-agius4 alan-agius4 closed this as not planned Won't fix, can't repro, duplicate, stale Nov 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs: repro steps We cannot reproduce the issue with the information given
Projects
None yet
Development

No branches or pull requests

3 participants