This repository has been archived by the owner on Dec 15, 2022. It is now read-only.

CA File #340

Open
curtisalexander opened this issue Apr 13, 2015 · 25 comments
Comments

@curtisalexander

I am unable to install packages due to the fact that my company is performing MITM attacks and I need to point to a custom cert. I'm aware of the recommended fix -- set the value
strict-ssl = false -- within my apmrc file; this recommendation works as suggested.

However, I would prefer to set the following option either in an npmrc file or if it were working an apmrc file.

cafile=/etc/ssl/certs/my-custom-ca-bundle.crt

Recommendations? Is this something that can be included in an apmrc file? If this can be set in an npmrc file, which one do I need to edit?

Thanks.

@kevinsawicki
Contributor

Is this something that can be included in an apmrc file?

I think it is though I've never tried to set a custom one.

If this can be set in an npmrc file, which one do I need to edit?

~/.atom/.apmrc

You can run apm config ls to verify which config settings it is picking up and from where.

@curtisalexander
Author

I have attempted to put the cafile option within the apmrc file but it does not work -- I continue to receive a 'CERT_UNTRUSTED' error whenever I attempt to install packages.

When I run apm config ls -l, I get the following:

C:\Users\calexander>apm config ls -l
; cli configs
globalconfig = "C:\\Users\\calexander\\.atom\\.apm\\.apmrc"
user-agent = "npm/2.5.1 node/v0.10.35 win32 ia32"
userconfig = "C:\\Users\\calexander\\.atom\\.apmrc"

; userconfig C:\Users\calexander\.atom\.apmrc
cafile = "C:\\cygwin64\\usr\\ssl\\certs\\ca-bundle.crt"

; globalconfig C:\Users\calexander\.atom\.apm\.apmrc
cache = "C:\\Users\\calexander\\.atom\\.apm"

; node bin location = C:\Users\calexander\AppData\Local\atom\app-0.190.0\resources\app\apm\bin\node.exe
; cwd = C:\Users\calexander
; HOME = C:\Users\calexander
; 'npm config ls -l' to show all defaults.

Obviously I am utilizing Windows. As such, I cannot run npm config ls -l to look at my global defaults. npm is not on my path currently (I don't have node or npm installed outside of atom) and I have tried editing multiple npmrc files I can find within C:\Users\calexander\AppData\Local\atom\app-0.190.0. I'm not certain where to go from here. Any help would be appreciated.

Thank you.

@kevinsawicki
Contributor

Can you include the full stack trace from the CERT_UNTRUSTED error?

@curtisalexander
Author

Forgive my ignorance -- from where can I grab a full stack trace?

@kevinsawicki
Contributor

Forgive my ignorance -- from where can I grab a full stack trace?

What is the full output when you run an apm install command that fails?

@curtisalexander
Author

Unfortunately, the error thrown doesn't appear to be helpful.

C:\Users\calexander>apm install vim-mode
Installing vim-mode to C:\Users\calexander\.atom\packages failed
Request for package information failed: CERT_UNTRUSTED

@kevinsawicki
Contributor

Unfortunately, the error thrown doesn't appear to be helpful.

It is, I was curious where it failed and the Request for package information failed line tells me, thanks!

@johnajames

Has this issue ever been addressed? I am having the same problem.

@curtisalexander
Author

I haven't seen it addressed although it was marked as a bug. Looking through the code I don't think it would be that hard to update and submit a PR. Probably something I should have done originally.

@JPvRiel

JPvRiel commented Nov 6, 2015

I would suggest the apm should leverage or use the OS certificate store as an option. E.g. on Linux it could be pointed to the respective /etc/pki (centos/fedora) or /etc/ssl/ (debian) cert CA files/folders, or on Windows, the certificate store, given custom certs and CAs for an organization are usually placed there.

@JPvRiel

JPvRiel commented Nov 16, 2015

Edited: thought it worked, but it doesn't.

The ca-file option used by ~/.npmrc should provide a workaround. The following ~/.atom/.apmrc example didn't work in the case where a corporate proxy with its own issuing CA was added to the OS (Ubuntu/Debian) default CA file directory (as used by OpenSSL).

http-proxy = http://<your_proxy_host>:8080
https-proxy = http://<your_proxy_host>:8080
strict-ssl = true
ca-file = /etc/ssl/certs/ca-certificates.crt

Here's the error

$ apm search markdown
CERT_UNTRUSTED

I can confirm curl can happily use the ca-certificates.crt file

$ curl --cacert /etc/ssl/certs/ca-certificates.crt https://atom.io/packages

It's still a pain that atom doesn't implicitly leverage the OS proxy env or CA files, but this is probably thanks to relying on node.js and npm bundling their own CA list and ignoring what's available from the OS? The internet is littered with posts complaining about CA cert issues with node.js/npm.

Logic to use OS specific trust stores / CA files for OSX, Windows, and other distros like RedHat CA file locations can be messy. Arguably, if atom supported repos for popular distros, the build scripts could add distro specific config defaults to make things less painful. E.g. .deb builds would work nicely with /etc/ssl/certs/ca-certificates.crt whereas .rpm might play better with /etc/pki/tls/... etc.

@tortuetorche

👍 Same issue for me, my CA file doesn't seem to work.
My workaround is to add this in my ~/.atom/.apmrc file:

strict-ssl = false

But it isn't a really safe solution...

@corevo

corevo commented Jan 28, 2016

The cafile is only applicable for the npm part of it; the apm code seems to ignore the setting.
We've run into the same issue at my organization and decided to do what @tortuetorche did.

@stephenwb

FWIW if anyone still finds this 18+ mos. after the previous most recent comment, I fixed this for Atom 1.21.0 by appending the needed additional trusted (CA) certificates to /usr/share/atom/resources/app.asar.unpacked/node_modules/dugite/git/ssl/cacert.pem (Linux).
I found it by searching for *.pem in /usr/share/atom/resources, so I suspect that you will likely find a cacert.pem file somewhere in your (platform-dependent) Atom installation root directory that you can modify.

@anoxi

anoxi commented Dec 18, 2017

I tried adding my cert in pem format to this file /usr/share/atom/resources/app.asar.unpacked/node_modules/dugite/git/ssl/cacert.pem, but it didn't work with atom 1.23.1:

$ apm install atom-beautify
Installing atom-beautify to /home/xxx/.atom/packages ✗
Request for package information failed: unable to verify the first certificate (UNABLE_TO_VERIFY_LEAF_SIGNATURE)

@anoxi

anoxi commented Dec 19, 2017

As I had no ssl errors with node/npm, I'm now using the system installed nodejs with atom and it's working so far:

sudo apt install nodejs
cd /usr/share/atom/resources/app/apm/bin
sudo cp node node.bak
sudo ln -s /usr/bin/node node

Bundled node version: v6.9.5
System node version: v6.11.4
Does anyone know if it's a problem to replace the bundled node file?

@stephenwb

@anoxi Can you clarify your final status with adding your cert to 1.23.1? Based on the email history I got of your edits to your comment, you resolved your problem but your comment still appears to show that it doesn't work.

@anoxi

anoxi commented Dec 19, 2017

Sorry for the edits, final status is adding the cert did not work but changing the node version resolved it for me.

@dragon788

It may be that adding the internal cert to the ca-cert.pem file didn't work because you didn't have the entire trust chain (judging from the error). Sometimes when exporting from your browser you only get part of the trust chain leading to the Root CA. You may need to concatenate all the certificates in the chain to the pem file.

@anoxi

anoxi commented Dec 20, 2017

I added the root ca which is also installed in /etc/ssl/certs and works system-wide. Is there a problem using the node version which is installed by the os?

@iWeslie

iWeslie commented May 8, 2018

just run /Applications/Python 3.6/Install Certificates.command if you installed Python3.6
python2 will not check the certificate but you should install the CA in python3+ manually in /Applications/Python3+

@JPvRiel

JPvRiel commented May 22, 2018

This drove me nuts. apm config set cafile <path to ca> not working is the issue/bug. The setting works for npm, so a user would expect that apm honour it.

i'm now using the system installed nodejs with atom

As of atom 1.27.1, the above seems to be the only viable workaround... Thanks @anoxi. Unfortunately, that'll get clobbered every single time atom is updated?

Another root of the issue is that node itself hardcoded CA certs, but at least they provide cafile config to override it:

Other workarounds seen so far don't play nice anymore.

I fixed this for Atom 1.21.0 by appending the needed additional trusted (CA) certificates to /usr/share/atom/resources/app.asar.unpacked/node_modules/dugite/git/ssl/cacert.pem

but it didn't work with atom 1.23.1:

@stephenwb, that was a nice way to look into it. But alas, not working as noticed by @anoxi. I tried to find out more via strace looking for open() related system calls to pem or cert files, etc, but nothing obvious came up (other than showing node_modules/dugite/git/ssl/cacert.pem isn't opened). This was before I realized nodejs goes and hardcodes CAs!

$ strace -e open -f apm outdated &> apm_strace.txt
$ grep pem apm_strace.txt 
[pid  1287] open("/usr/share/atom/resources/app/apm/node_modules/sshpk/lib/formats/pem.js", O_RDONLY) = 9
[pid  1287] open("/usr/share/atom/resources/app/apm/node_modules/sshpk/lib/formats/x509-pem.js", O_RDONLY) = 9

For atom itself, I saw this:

$ strace -e open -f atom &> atom_strace.txt
$ grep cert atom_strace.txt 
[pid  3190] open("/home/a211278l/.pki/nssdb/cert9.db", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = 81
[pid  3289] open("/usr/share/atom/resources/app/apm/node_modules/sshpk/lib/certificate.js", O_RDONLY) = 24
...

Somehow, something seemed to be keen on using NSS. But adding a full CA trust chain to .pki/nssdb via certutil didn't cut it either (besides, only atom opens that file, not apm, so maybe due to some plugin). So ignored that... not relevant to apm/npm.

In case anyone wants to compare what CAs are added/removed versus your own OS cert store, on debian/ubuntu, a quick and dirty way to diff (not that apm seems to use this .pem anymore, but it still hangs around).

diff <(openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -text -noout | grep -P '^\W*Subject: ' | sort -u) <(openssl crl2pkcs7 -nocrl -certfile /usr/share/atom/resources/app.asar.unpacked/node_modules/dugite/git/ssl/cacert.pem | openssl pkcs7 -print_certs -text -noout | grep -P '^\W*Subject: ' | sort -u)

just run /Applications/Python 3.6/Install Certificates.command

@iWeslie wondering how python is involved in this? Noticed some odd export npm_config_python="${binDir}/python-interceptor.sh" things in the apm script, but I still doubt apm using python has much to do with it? Also, clean npm doesn't seem to have that python interceptor part...

To double check, on my env, python worked fine (and unless python-interceptor.sh kills env vars when run via apm somehow, python cert setup isn't the issue)

$ echo $SSL_CERT_DIR 
/etc/ssl/certs
$ python2.7 -c "import requests; print(requests.get('https://atom.io').status_code)"
200
$ python3.5 -c "import requests; print(requests.get('https://atom.io').status_code)"

@anoxi

anoxi commented May 24, 2018

Could the root for this issue be the old nodejs version 6.95? Only newer Nodejs versions (>=6.10) support custom/system ca files.
Maybe someone could explain how apm and npm/nodejs handle the custom cafile setting together.

@anoxi

anoxi commented Nov 13, 2018

As atom 1.32.1 comes with the newer node version 8.9.3, I tried to start it with the node environment variable NODE_EXTRA_CA_CERTS (see https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file) set to my system installed certificates and this works so far:
$ NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt atom

Now atom does not throw " unable to verify the first certificate" for me anymore and seems to load my system installed certificates.

This also works for apm:

$ NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt apm search markdown
(node:22411) Warning: Ignoring extra certs from `/etc/ssl/certs/ca-certificates.crt`, load failed: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table

Search Results For 'markdown' (30)
...

I also tested the env variable SSL_CERT_FILE ( https://nodejs.org/api/cli.html#cli_ssl_cert_file_file) with the same positive results.

I couldn't find a solution to avoid the node warning "(node:22411) Warning: Ignoring extra certs", atom/apm seems to read the certificates file despite node reports "load failed".

@anoxi

anoxi commented Jan 11, 2019

Unfortunately setting NODE_EXTRA_CA_CERTS does not work with atom 1.34, but works with apm.
My workaround now is to install the package "cert-tweaks" and in its settings enable "Emulate NODE_EXTRA_CA_CERTS functionality"
