Allow adding private root certificate(s) to companion

[phillipivan]

Is this a feature relevant to companion itself, and not a module?

• I believe this to be a feature for companion, not a module

Is there an existing issue for this?

• I have searched the existing issues

Describe the feature

Many organisations have an internal certificate authority for generating SSL certs for use in house. To date, companion and its modules, can only validate SSL certs signed by a public CA, since it can not access any root certificates installed on the host, and validate the chain of trust.

Whilst this could be addressed at a module level, doing so upstream in companion should hopefully be a more efficient 'one and done' processes.

Usecases

Allow use of modules/protocols that use SSL (HTTPS etc) where the end point has a certificate signed by an internal CA.

See further discussion here and here.

Using secure protocols in networks that have no or limited internet access, etc.

[Julusian]

This should be possible by setting the NODE_EXTRA_CA_CERTS environment variable (https://nodejs.org/api/cli.html#node_extra_ca_certsfile) for the module processes.

[phillipivan]

Thanks Julian.

I know we discussed the possibility of this being done either at the application or module level. To me it makes more sense to be a 'one and done' job at the application level, since for a given site every impacted module would likely need the same certificates loaded.

Perhaps could even be set from in the Launcher window quite apart from the companion config?

[dnmeid]

I hit the same limitation when I wrote the AWJ module and I can remember we had a brief discussion about the options. I did evaluate how to use the OS specific certificate stores from Electron. It is doable that way but by the time I had different priorities.
I still think using the certificate store from the OS is the best way of accessing client certificates.

[phillipivan]

Agreed using the hosts certificate store is preferred if possible. Then in would be fairly transparent to the end user.

[Julusian]

I did evaluate how to use the OS specific certificate stores from Electron.

I guess a problem here now is that we aren't exactly electron anymore, so using anything electron will be hard. And last I checked (at work a month or two ago), electron doesn't use the main certificate store (on linux at least), and uses a chromium specific store.

---

I didn't write this on slack, but I did look into whether nodejs can use the system store, but apparently it can't. Or it could on macos and linux, but not on windows when started with a certain flag. So maybe that could be a half solution, but wouldn't solve everything.

So I think there are two options here:

• the low effort solution where we have something in the settings that allows for importing certificates, which we then propagate to modules via the NODE_EXTRA_CA_CERTS variable
• the high effort solution, which will need testing and possibly different implementations for each platform to read from the system store, perhaps also injecting them via the same variable.

---

Another thought; perhaps the full effort solution would be best achieved in the launcher layer, as that is electron so might be able to do things with the system stores better. With the main process of companion just relaying the variable.
For headless linux (eg companion-pi), the variable could probably be populated by the systemd unit, or launch script.

[phillipivan]

@Julusian do I recall reading that there is a plan to rewrite the launcher eventually?

Would you be willing to consider a two stage approach, where the low effort solution is implemented, and then long term the viability of a high effort solution is investigated with this planned rewrite?

Given this is has a considerable impact on what modules we can use (DDM, but also at least three others on my todo list) even a less user friendly low effort solution would make a world of difference.

[haakonnessjoen]

Is this something we can use for helping windows users maybe? https://www.npmjs.com/package/node-windows-root-certs