Suggest --use-system-ca when a certificate error occurs #57362

Open
wants to merge 1 commit into
base: main

Aditi-1400
Contributor

This change appends a hint, suggesting to try running with the --use-system-ca flag if the root CA is installed locally, when errors like UNABLE_TO_VERIFY_LEAF_SIGNATURE, DEPTH_ZERO_SELF_SIGNED_CERT, or UNABLE_TO_GET_ISSUER_CERT occur.
This change directs developers toward a secure solution — preventing them from using unsafe workarounds (e.g. disabling TLS verification entirely) that have been discussed in the threads online like the following:

Thanks @joyeecheung for the help :)

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Mar 7, 2025
@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 7, 2025
@joyeecheung
Member

Linter is complaining


ERROR: Please run:

  CLANG_FORMAT_START=$(git merge-base HEAD main) make format-cpp

to format the commits in your branch.

@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 7, 2025

@Aditi-1400 Aditi-1400 force-pushed the improve-error branch 3 times, most recently from 3847336 to f023b3e Compare March 7, 2025 17:24
doc/api/tls.md Outdated
@@ -547,6 +547,12 @@ description are taken from deps/openssl/openssl/crypto/x509/x509_txt.c
* `'CERT_REJECTED'`: Certificate rejected.
* `'HOSTNAME_MISMATCH'`: Hostname mismatch.

Note: When certificate errors like `UNABLE_TO_VERIFY_LEAF_SIGNATURE`,
Member

Suggested change
Note: When certificate errors like `UNABLE_TO_VERIFY_LEAF_SIGNATURE`,
When certificate errors like `UNABLE_TO_VERIFY_LEAF_SIGNATURE`,

Comment on lines 66 to 68
if (suggest_system_ca)
reason.append("; if the root CA is installed locally, "
"try running Node.js with --use-system-ca");
Member

Suggested change
if (suggest_system_ca)
reason.append("; if the root CA is installed locally, "
"try running Node.js with --use-system-ca");
if (suggest_system_ca) {
reason.append("; if the root CA is installed locally, "
"try running Node.js with --use-system-ca");
}
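
Review bot: the `if (suggest_system_ca)` guard is the only condition visible on the appended hint, and the lines shown do not say how that flag is computed. Confirm it is false when the process was already started with --use-system-ca, so the message never recommends a flag that is already in effect, and that it is set only for the certificate errors the description lists (UNABLE_TO_VERIFY_LEAF_SIGNATURE, DEPTH_ZERO_SELF_SIGNED_CERT, UNABLE_TO_GET_ISSUER_CERT).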

Comment on lines 59 to 61
await assert.rejects(makeRequest(port, 3), (err) => {
assert.strictEqual(err.code, 'DEPTH_ZERO_SELF_SIGNED_CERT');
return true;
});
Member

@jasnell jasnell Mar 7, 2025


Suggested change
await assert.rejects(makeRequest(port, 3), (err) => {
assert.strictEqual(err.code, 'DEPTH_ZERO_SELF_SIGNED_CERT');
return true;
});
await assert.rejects(makeRequest(port, 3), {
code: 'DEPTH_ZERO_SELF_SIGNED_CERT',
});
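
Review bot: both the original callback and the suggested object form of this `assert.rejects` check only `err.code`, so the case passes whether or not the hint text is appended. If this request is meant to exercise the new message, add a matcher such as `message: /--use-system-ca/` next to `code`; if it is meant to show the hint is absent, assert that instead.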

Comment on lines 69 to 70
await assert.rejects(makeRequest(port, 3), (err) => {
assert.strictEqual(err.code, 'DEPTH_ZERO_SELF_SIGNED_CERT');
return true;
});
Member

Suggested change
await assert.rejects(makeRequest(port, 3), (err) => {
assert.strictEqual(err.code, 'DEPTH_ZERO_SELF_SIGNED_CERT');
return true;
});
await assert.rejects(makeRequest(port, 3), {
code: 'DEPTH_ZERO_SELF_SIGNED_CERT',
});

codecov bot commented Mar 7, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.21%. Comparing base (a790901) to head (9a60c5e).
Report is 12 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #57362      +/-   ##
==========================================
- Coverage   90.21%   90.21%   -0.01%     
==========================================
  Files         630      630              
  Lines      185304   185315      +11     
  Branches    36266    36276      +10     
==========================================
+ Hits       167171   167178       +7     
- Misses      11084    11086       +2     
- Partials     7049     7051       +2     
Files with missing lines Coverage Δ
src/crypto/crypto_common.cc 72.91% <100.00%> (+1.17%) ⬆️

... and 29 files with indirect coverage changes


@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 8, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 8, 2025