CA File #340
Comments
I think it is though I've never tried to set a custom one.
You can run |
I have attempted to put the cafile option within the apmrc file but it does not work -- I continue to receive a 'CERT_UNTRUSTED' error whenever I attempt to install packages. When I run
Obviously I am utilizing Windows. As such, I cannot run Thank you. |
Can you include the full stack trace from the |
Forgive my ignorance -- from can I grab a full stack trace? |
What is the full output when you run an |
Unfortunately, the error thrown doesn't appear to be helpful.
|
It is, I was curious where it failed and the |
Has this issue ever been addressed? I am having the same problem. |
I haven't seen it addressed although it was marked as a bug. Looking through the code I don't think it would be that hard to update and submit a PR. Probably something I should have done originally. |
I would suggest the apm should leverage or use the OS certificate store as an option. E.g. on Linux it could be pointed to the respective /etc/pki (centos/fedora) or /etc/ssl/ (debian) cert CA files/folders, or windows, the certificate store, given custom certs and CAs for an organization are usually placed there. |
Edited: thought it worked, but it doesn't. The
Here's the error
I can confirm curl can happily use the ca-certificates.crt file
It's still a pain that atom doesn't implicitly leverage the OS proxy env or CA files, but this is probably thanks to relying on node.js and npm bundling their own CA list and ignoring what's available from the OS? The internet is littered with posts complaining about CA cert issues with node.js/npm. Logic to use OS specific trust stores / CA files for OSX, Windows, and other distros like RedHat CA file locations can be messy. Arguably, if atom supported repos for popular distros, the build scripts could add distro specific config defaults to make things less painful. E.g. .deb builds would work nicely with /etc/ssl/certs/ca-certificates.crt whereas .rpm might play better with /etc/pki/tls/... etc. |
👍 Same issue for me, my CA file doesn't seem to work.
But it isn't a really safe solution... |
The cafile is only applicable for the npm part of it; the apm code seems to ignore the setting. |
FWIW if anyone still finds this 18+ mos. after the previous most recent comment, I fixed this for Atom 1.21.0 by appending the needed additional trusted (CA) certificates to |
I tried adding my cert in pem format to this file /usr/share/atom/resources/app.asar.unpacked/node_modules/dugite/git/ssl/cacert.pem, but it didn't work with atom 1.23.1:
|
As I had no ssl errors with node/npm, I'm now using the system installed nodejs with atom and it's working so far:
Bundled node version: v6.9.5 |
@anoxi Can you clarify your final status with adding your cert to 1.23.1? Based on the email history I got of your edits to your comment, you resolved your problem but your comment still appears to show that it doesn't work. |
Sorry for the edits, final status is adding the cert did not work but changing the node version resolved it for me. |
It may be that adding the internal cert to the ca-cert.pem file didn't work because you didn't have the entire trust chain (judging from the error). Sometimes when exporting from your browser you only get part of the trust chain leading to the Root CA. You may need to concatenate all the certificates in the chain to the pem file. |
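The trust-chain point in the comment above, shown as an added example that is not part of the original thread: a bundle holding only the intermediate fails verification, while the intermediate and root concatenated pass. It uses `openssl verify` as a stand-in check (not the code path apm takes), and every certificate name is a constructed placeholder generated in a temp directory.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf chain in a temp dir.
# "Example Root CA" and "registry.example.internal" are placeholder names.

make_chain() {  # $1 = work dir that receives keys and certificates
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
    -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=Example Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
  # Leaf (server) certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=registry.example.internal" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds only if the bundle ($1) lets the certificate ($2) chain up to a root.
bundle_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"
cp "$work/int.pem" "$work/partial.pem"                    # partial export: intermediate only
cat "$work/int.pem" "$work/root.pem" > "$work/full.pem"   # whole chain concatenated
for b in partial full; do
  if bundle_verifies "$work/$b.pem" "$work/leaf.pem"; then echo "$b.pem: chain OK"
  else echo "$b.pem: chain incomplete"
  fi
done
```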
I added the root ca which is also installed in /etc/ssl/certs and works system-wide. Is there a problem using the node version which is installed by the os? |
just run |
This drove me nuts.
As of atom Another root of the issue is that node itself hardcoded CA certs, but at least they provide
Other workarounds seen so far don't play nice anymore.
@stephenwb, that was a nice way to look into it. But alas, not working as noticed by @anoxi. I tried to find out more via strace looking for
For atom itself, I saw this:
Somehow, something seemed to be keen on using NSS. But adding a full CA trust chain to In case anyone wants to compare what CAs are added/removed versus your own OS cert store, on debian/ubuntu, a quick and dirty way to diff (not that apm seems to use this .pem anymore, but it still hangs around).
@iWeslie wondering how python is involved in this? Noticed some odd To double check, on my env, python worked fine (and unless
|
Could the root for this issue be the old nodejs version 6.95? Nodejs supports custom/system CA files only in newer versions (>=6.10). |
As atom 1.32.1 comes with the newer node version 8.9.3, I tried to start it with the node environment variable NODE_EXTRA_CA_CERTS (see https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file) set to my system installed certificates and this works so far: Now atom does not throw "unable to verify the first certificate" for me anymore and seems to load my system installed certificates. This also works for apm:
I also tested the env variable SSL_CERT_FILE (https://nodejs.org/api/cli.html#cli_ssl_cert_file_file) with the same positive results. I couldn't find a solution to avoid the node warning "(node:22411) Warning: Ignoring extra certs"; atom/apm seems to read the certificates file despite node reporting "load failed". |
Unfortunately setting NODE_EXTRA_CA_CERTS does not work with atom 1.34, but works with apm. |
I am unable to install packages due to the fact that my company is performing MITM attacks and I need to point to a custom cert. I'm aware of the recommended fix -- set the value
strict-ssl = false -- within my apmrc file; this recommendation works as suggested.
However, I would prefer to set the following option either in an npmrc file or if it were working an apmrc file.
Recommendations? Is this something that can be included in an apmrc file? If this can be set in an npmrc file, which one do I need to edit?
Thanks.