Add a guide on self-signed certs #2472

Open
eseidelGoogle opened this issue Nov 20, 2018 · 16 comments
Labels
e2-days Effort: < 5 days p2-medium Necessary but not urgent concern. Resolve when possible. t.sec.general Relates to Flutter app security

Comments

@eseidelGoogle
Contributor

There are enough corporate setups out there where machines are expected to have a custom self-signed corporate cert and then send all traffic through a proxy so that https can be decrypted/inspected. Dart/Flutter don't play nice with these setups by default, but they're common enough that we should probably document how to work around this.

See dart-lang/sdk#25615 (comment)
dart-lang/pub#1882 as examples of requests.

@eseidelGoogle
Contributor Author

I believe the known workaround (see comment links above) is to manually invoke pub (instead of using flutter packages) and include:

DART_VM_OPTIONS=--root-certs-file=some_file pub get

@larelb

larelb commented Nov 20, 2018

I was able to get this working in Windows behind a corporate setup using a custom self-signed certificate.

  1. Set a new environment variable as variable name: DART_VM_OPTIONS and variable value: --root-certs-file=some_file (some_file = C:/certs/cert.pem)

  2. Be sure to restart PowerShell or the Command Prompt for changes to reflect.

  3. Now run "flutter packages get" in the flutter app's directory.

I'm not sure if this was optional, but I also added the ...flutter\bin\cache\dart-sdk\bin to the Windows Path variable before I did all of this.

@jamespet77

Is it possible to accomplish this in a mobile dev enviro. Android / iOS app?

@Hixie Hixie transferred this issue from flutter/flutter Mar 6, 2019
@smokinguns

smokinguns commented Apr 22, 2019

@eseidelGoogle
Flutter users should run flutter packages get instead of pub get.

I believe the known workaround (see comment links above) is to manually invoke pub (instead of using flutter packages and include:

DART_VM_OPTIONS=--root-certs-file=some_file pub get

Perhaps I'm not following, but running pub on a flutter application yields Flutter users should run flutter packages get instead of pub get.

@irides

irides commented Apr 26, 2019

@larelb

I was able to get this working in Windows behind a corporate setup using a custom self-signed certificate.

I tried to generate a self-signed certificate but still got 'TLS error'.
Could you please show me how to generate this self-signed certificate? Or maybe where to get this file?

Thx.

@miltonfajardo

@eseidelGoogle
Flutter users should run flutter packages get instead of pub get.

I believe the known workaround (see comment links above) is to manually invoke pub (instead of using flutter packages and include:

DART_VM_OPTIONS=--root-certs-file=some_file pub get

Perhaps I'm not following, but running pub on a flutter application yields Flutter users should run flutter packages get instead of pub get.

For me on Windows:

set DART_VM_OPTIONS=--root-certs-file=c:\cert\Certifica.crt
flutter upgrade

@kiran-cmyk

@eseidelGoogle
Flutter users should run flutter packages get instead of pub get.

I believe the known workaround (see comment links above) is to manually invoke pub (instead of using flutter packages and include:

DART_VM_OPTIONS=--root-certs-file=some_file pub get

Perhaps I'm not following, but running pub on a flutter application yields Flutter users should run flutter packages get instead of pub get.

Hi @eseidelGoogle, I am behind corporate firewall and I have tried setting the DART_VM_OPTIONS.
My environment variable looks like below.

--root-certs-file="path_to_cert_file/cert.pem"

Please let me know where I should add the "flutter packages get" command. Should it be part of the DART_VM_OPTIONS environment variable?

@eseidelGoogle
Contributor Author

FYI @zanderso for tooling triage.

@zanderso
Member

zanderso commented May 7, 2020

Filed flutter/flutter#56607 to try to make this a bit smoother on the tooling side.

@nishantgoel1311

I was able to get this working in Windows behind a corporate setup using a custom self-signed certificate.

  1. Set a new environment variable as variable name: DART_VM_OPTIONS and variable value: --root-certs-file=some_file (some_file = C:/certs/cert.pem)
  2. Be sure to restart PowerShell or the Command Prompt for changes to reflect.
  3. Now run "flutter packages get" in the flutter app's directory.

I'm not sure if this was optional, but I also added the ...flutter\bin\cache\dart-sdk\bin to the Windows Path variable before I did all of this.

This works for me, that last line is imp. So do add flutter\bin\cache\dart-sdk\bin in windows path

@rockerhieu

I was able to get this working in Windows behind a corporate setup using a custom self-signed certificate.

  1. Set a new environment variable as variable name: DART_VM_OPTIONS and variable value: --root-certs-file=some_file (some_file = C:/certs/cert.pem)
  2. Be sure to restart PowerShell or the Command Prompt for changes to reflect.
  3. Now run "flutter packages get" in the flutter app's directory.

I'm not sure if this was optional, but I also added the ...flutter\bin\cache\dart-sdk\bin to the Windows Path variable before I did all of this.

This works for me, that last line is imp. So do add flutter\bin\cache\dart-sdk\bin in windows path

DART_VM_OPTIONS doesn't seem to work for me. If I have it point to a pem file, the command will freeze at Building flutter tool... (the same without DART_VM_OPTIONS).

But if I have it point to a cer file, I'll get a crash:

si_signo=Segmentation fault(11), si_code=1, si_addr=0x10
version=2.8.2 (stable) (Mon May 11 15:06:42 2020 +0200) on "linux_x64"
pid=263, thread=269, isolate=main(0x1e825e0)
isolate_instructions=7f5e585ab000, vm_instructions=161cba0
Stack dump aborted because InitialRegisterCheck failed.
/home/developer/sdks/flutter/bin/flutter: line 42:   263 Aborted                 (core dumped) "$PUB" upgrade "$VERBOSITY" --no-precompile
Error: Unable to 'pub upgrade' flutter tool. Retrying in five seconds... (1 tries left)

@pastapareo

pastapareo commented Aug 10, 2020

I was able to get this working in Windows behind a corporate setup using a custom self-signed certificate.

  1. Set a new environment variable as variable name: DART_VM_OPTIONS and variable value: --root-certs-file=some_file (some_file = C:/certs/cert.pem)
  2. Be sure to restart PowerShell or the Command Prompt for changes to reflect.
  3. Now run "flutter packages get" in the flutter app's directory.

I'm not sure if this was optional, but I also added the ...flutter\bin\cache\dart-sdk\bin to the Windows Path variable before I did all of this.

Followed this and got this error when running flutter packages get

C:\Dev\Repo\mobile\flutter>flutter packages get
/C:/ca.cer:1:1: Error: Expected a declaration, but got '--'.
-----BEGIN CERTIFICATE-----
^^
/C:/ca.cer:4:1: Error: Expected ';' after this.
k/IsZAEZFgVtaXN5czEYMBYGA1UEAxMPVUsxVlNXQ0VSVDAxLUNBMB4XDTIwMDgx
^
Running "flutter pub get" in flutter...
pub get failed (254; ^)

@nehuenKC

I have DART_VM_OPTIONS set correctly in the environment variables, but it still complains that the certificate is self-signed.

[   +3 ms] IO  : HTTP error:
[   +1 ms]     | HandshakeException: Handshake error in client (OS Error:
[   +2 ms]     |        CERTIFICATE_VERIFY_FAILED: self signed certificate in certificate
chain(../../third_party/boringssl/src/ssl/handshake.cc:354))

Any work around?

@thdoan

thdoan commented Mar 20, 2021

I have the same issue as reported by @rockerhieu. Steps I took:

  1. Went to https://pub.dartlang.org/
  2. Clicked on lock icon and selected Certificate
  3. Went to Details tab
  4. Clicked Copy to File, then Next
  5. Selected Base-64 encoded X.509, then Next
  6. Saved file as C:\certs\flutter.pem
  7. Added user environment variable DART_VM_OPTIONS=--root-certs-file=C:\certs\flutter.pem
  8. Restarted console
  9. Executed flutter doctor
  10. Got "Error: Unable to 'pub upgrade' flutter tool. Retrying in five seconds..." loop

I'm on Windows 10 and have tried the steps above in both CMD and Git Bash with no luck.

@SiddharthGadekar

Hello Everyone,

I have followed the same steps as mentioned by thdoan in his comment (except I exported the certificate as DER and converted it to PEM). I am getting the following error when running the flutter doctor command or any other flutter commands:

Got TLS error trying to find package node_preamble at https://pub.dartlang.org.
pub get failed (server unavailable) - attempting retry 1 in 1 second.

My organisation is using Zscaler as a proxy and Palo Alto as a firewall. I have configured the proxy in environment variables along with the DART VM Options variable. Is there some configuration required at Palo Alto as well?
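
The comments above point DART_VM_OPTIONS at .pem files, .cer files and DER exports converted to PEM. As an added example (not code from any commenter or from the Dart/Flutter project), this Python check tells the two encodings apart and normalises a DER export to a PEM bundle, on the assumption that --root-certs-file expects PEM; the function names are hypothetical and the sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_length_ok(blob: bytes) -> bool:
    """True if blob is exactly one ASN.1 SEQUENCE with a consistent length."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                  # short form: length fits in one byte
        header, body = 2, first
    else:                             # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return header + body == len(blob)

def pem_certs(data: bytes) -> list:
    """DER bytes of every well-formed certificate block in a PEM bundle."""
    out = []
    for match in PEM_BLOCK.finditer(data):
        try:
            der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except ValueError:            # corrupt base64: skip this block
            continue
        if der_length_ok(der):
            out.append(der)
    return out

def classify(data: bytes) -> str:
    """'pem' for a bundle with at least one cert, 'der' for one binary cert."""
    if pem_certs(data):
        return "pem"
    return "der" if der_length_ok(data) else "unknown"

def to_pem(data: bytes) -> str:
    """Normalise a PEM bundle or a single DER certificate to PEM text."""
    kind = classify(data)
    if kind == "unknown":
        raise ValueError("not a PEM or DER certificate file")
    ders = pem_certs(data) if kind == "pem" else [data]
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)

# Constructed stand-in for a DER export: SEQUENCE header plus 300 filler bytes.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)
```

The check covers encoding only; it does not tell a proxy's root CA from a server's leaf certificate, which still has to be confirmed with the certificate's issuer and subject.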

@jonasfj
Member

jonasfj commented May 12, 2021

@SiddharthGadekar, generally you should install the certificate from your proxy on your system (assuming windows).

You might want to try 2.14.0-90.0.dev (if on windows) and see if that works (context).

@atsansone atsansone changed the title Would like a wiki or setup instructions on self-signed certs Add a guide on self-signed certs May 17, 2023
@atsansone atsansone added t.sec.general Relates to Flutter app security ltw-triage labels May 17, 2023