lhci/cli errors when using self-signed certificates in lhci server

[Helmut-Onna]

TL;DR: lhci/cli won't complete the wizard due to self-signed cert in the lhci server

Steps:

1. deploy lhci-server in k8s, add ingress with self signed cert for "lhci.mycompany.com"
2. verify web page is up, asks to run wizard (https works fine, as machine trusts ca)
3. in linux machine install @lhci/cli@0.4.x
4. Attempt to create new project with wizard:

lhci wizard
? Which wizard do you want to run? new-project
? What is the URL of your LHCI server? https://lhci.mycompany.com/
? What would you like to name the project? w01
? Where is the project's code hosted? https://github.com/mycompany/myrepo
? What branch is considered the repo's trunk or main branch? master
FetchError: request to https://lhci.mycompany.com/v1/projects failed, reason: self signed certificate in certificate chain
    at ClientRequest.<anonymous> (/usr/lib/node_modules/@lhci/cli/node_modules/node-fetch/index.js:133:11)
    at ClientRequest.emit (events.js:315:20)
    at TLSSocket.socketErrorListener (_http_client.js:426:9)
    at TLSSocket.emit (events.js:315:20)
    at emitErrorNT (internal/streams/destroy.js:92:8)
    at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
    at processTicksAndRejections (internal/process/task_queues.js:84:21)

I tried different options I found online. Change the setting, run wizard, next... but all returned the same error:

• Add ca to OS trusted repo (cp ca.crt /usr/local/share/ca-certificates/ && update-ca-certificates)
• Add ca to node config npm config set ca ca.crt, npm config set ca ca.crt -g
• Remove node ca setting npm config set ca ''
• Modify node strict-ssl npm config set strict-ssl=false

Docker image used: docker.io/patrickhulce/lhci-server:0.4.2
Node version installed on linux client: v12.18.2
note: using node 12.x to match the lhci-server:0.4.2 image.

Is there a way to make lhci/cli trust my self-signed certificates?
Thanks!

[patrickhulce]

Have you already tried node's export NODE_TLS_REJECT_UNAUTHORIZED='0' environment variable?

I would've also expected npm config set strict-ssl=false to work if you're running the wizard through an npm script rather than lhci directly.

[Helmut-Onna]

That one worked :)

export NODE_TLS_REJECT_UNAUTHORIZED='0'
lhci wizard
...
? What branch is considered the repo's trunk or main branch? master
(node:1124) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
Created project test01 (3e4ea8e6-7ca1-4aea-8033-e101f7a48ca1)!

Is there a way to make lhci cli trust the ca cert?
As I mentioned in the opening post, the Linux machine already trusts the self signed CA (quick test: curl https://lhci.mycompany.com without -k).
I guess lhci (or npm?) are not using the same ca store as the OS.

[patrickhulce]

I guess lhci (or npm?) are not using the same ca store as the OS.

There's nothing special about Lighthouse CI not trusting the certificate, it's node in general that uses a hardcoded list of approved CAs.

Have you already tried using the NODE_EXTRA_CA_CERTS environment variable?

Either way glad you got it working! We're not going to be adding anything in LHCI to workaround this for the wizard case, so I'm going to go ahead and close this issue.