
Trust the system root CA certificates #6578

Open
FranklinYu opened this issue Oct 24, 2018 · 14 comments
Comments

@FranklinYu

FranklinYu commented Oct 24, 2018

Do you want to request a feature or report a bug?
Feature

For most operating systems there is a system trust store for root CA certificates. On Linux that is managed by OpenSSL; on macOS it is Keychain; on Windows it is the system trust store managed by CertMgr. In many corporations, the system trust stores of computers are managed by Group Policy or a similar product. This way new root certificates can be deployed centrally by administrators. Currently if I want Yarn to trust an internal Git source over HTTPS, I need the cafile option, and I need to duplicate the entire trust store because this option overrides the default trust store. It would be awesome if Yarn automatically trusted the root CA certificates in the system trust store.

It can be opt-in. Also I know nothing about the internal implementation of Yarn; if this is deferred to npm internally, I would instead report this to npm.

@ghost ghost assigned kaylie-alexa Oct 24, 2018
@ghost ghost added the triaged label Oct 24, 2018
@FranklinYu
Author

FranklinYu commented Oct 24, 2018

I assume that most users complaining in #841 (maybe even #6199) would benefit from this feature. Node.js already did something similar in nodejs/node#3159.

@Kielan

Kielan commented Mar 4, 2019

For those developers who are unfamiliar with how the cafile option can be used to trust the Keychain CA certs, how is this done on yarn install, @FranklinYu?

@FranklinYu
Author

@Kielan It’s the same as NPM; place the CA bundle in your local filesystem, and set cafile to its path.

@nbarbettini

This seems like a much better solution to what most users are running into in #841. Disabling SSL checks makes me sad.

@FranklinYu @kaylie-alexa Any idea when this might be available?

@FranklinYu
Author

@nbarbettini It’s not up to me to decide, and I have no idea whether this would even be implemented. @kaylie-alexa doesn’t seem interested, neither do other Yarn team members. I have just created a similar feature request to NPM and let’s see which team cares more about this.

I’m currently working in security, and most people don’t care about security. This is the reality. I myself don’t really care, otherwise I would have spent weeks to make a PR myself.

@Daniel15
Member

Does Node.js not do this out of the box? Some investigation as to what other Node.js apps do would be appreciated here 😃

@FranklinYu
Author

@Daniel15 Node.js currently supports the system OpenSSL bundle, but not Windows CertMgr or macOS Keychain. See nodejs/node#3159 that I referred to above.

@Daniel15
Member

To me, it seems like it'd be better to change this in Node.js itself, rather than doing something special in Yarn specifically...

@FranklinYu
Author

@Daniel15 Is Yarn using the Node.js TLS package? If so, setting the environment variable NODE_OPTIONS=--use-openssl-ca should do the trick. I’ll check this on Linux when I’m available.

@Daniel15
Member

Yarn uses whatever version of Node.js you have installed.

@cben

cben commented Jun 8, 2020

Works for me on Fedora linux with or without NODE_OPTIONS=--use-openssl-ca.
Like many Linux distros, Fedora builds Node defaulting to that, as distros like a centralized way to update trusted CAs for all apps.

The critical trick is not setting ca or cafile in any way. Not in any .yarnrc, not in .npmrc, not by npm_config_cafile env var. (Use yarn config list to confirm the configuration in effect.)
If you set ca or cafile, yarn passes explicit TLS config to Node, overriding the defaults — so only the CA(s) you provided will be trusted.

Instead, if you want to add a trusted cert on top of the system's CAs, I believe NODE_EXTRA_CA_CERTS env var will help (untested, as the cert I needed was already in the system's trust).
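The comment above turns on one check: whether any ca or cafile setting is in effect, since either one makes Yarn hand Node an override trust store instead of the system CAs. The script below is an added example, not code from the thread or from the Yarn project. It scans the places the comment names (.yarnrc, .npmrc and the npm_config_cafile environment variable) and additionally npm_config_ca, which is assumed here to behave the same way; the .npmrc array form ca[]= is also matched. The sample config files it builds are constructed, and the paths inside them are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): report any explicit ca / cafile
# setting that would override Node's default trust store for Yarn.

# Scan DIR (default: current directory) and the environment.
# Returns 0 when no override is set (system CAs stay in effect), 1 otherwise.
yarn_ca_override_check() {
    dir=${1:-.}
    found=0
    # .yarnrc syntax:  cafile "/path"     .npmrc syntax:  cafile=/path  or  ca[]=...
    pat='^[[:space:]]*(ca|cafile)(\[\])?([[:space:]]|=)'
    for f in "$dir/.yarnrc" "$dir/.npmrc"; do
        [ -f "$f" ] || continue
        if grep -qE "$pat" "$f"; then
            echo "override in $f:"
            grep -nE "$pat" "$f"
            found=1
        fi
    done
    # npm_config_cafile is named in the thread; npm_config_ca is assumed equivalent.
    for v in npm_config_cafile npm_config_ca; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then
            echo "override in env: $v=$val"
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no ca/cafile override; Node's default trust store applies"
    fi
    return "$found"
}

# Constructed sample: a project whose .yarnrc pins cafile (placeholder path).
make_sample_override() {
    d=$(mktemp -d)
    printf '%s\n' 'registry "https://registry.yarnpkg.com"' \
                  'cafile "/etc/pki/corp-bundle.pem"' > "$d/.yarnrc"
    printf '%s\n' '# corp proxy settings' 'strict-ssl=true' > "$d/.npmrc"
    echo "$d"
}

# Constructed sample: a project with no CA-related settings at all.
make_sample_clean() {
    d=$(mktemp -d)
    printf '%s\n' 'registry "https://registry.yarnpkg.com"' > "$d/.yarnrc"
    echo "$d"
}

# Stand-alone demo: the override sample is reported and the check exits 1.
yarn_ca_override_check "$(make_sample_override)" || echo "exit status $?"
yarn_ca_override_check "$(make_sample_clean)"
```

Run it from a checkout (or pass the project directory as the first argument) before reaching for NODE_EXTRA_CA_CERTS: if it reports anything, that setting is what is replacing the system store, and removing it is the first step. It intentionally reads only the per-directory files; yarn config list remains the authoritative view of the merged configuration.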

@FranklinYu
Author

FranklinYu commented Jun 9, 2020

I can think of the following major Linux distributions (or distribution families):

  • RedHat (Fedora)
  • Debian
  • Arch Linux
  • Alpine Linux

If we confirm that all of them are using this option we can close this issue. Thanks to @cben for verifying for Fedora (although https://src.fedoraproject.org rejected my access right now for reasons unknown). nodejs/node#8334 (comment) seems to imply that Alpine Linux is also using this.

Note: although this only covers Linux, Node.js people don’t seem interested in using macOS Keychain or Windows CertMgr, and I have lost interest in chasing that. (I left the company using Windows as the development platform; I’m not using Windows as my personal development machine.)

@commonquail

commonquail commented Sep 23, 2020

Instead, if you want to add a trusted cert on top of the system's CAs, I believe NODE_EXTRA_CA_CERTS env var will help (untested, as the cert I needed was already in the system's trust).

I can confirm that this works. Given dyarn:

#!/bin/sh
docker run \
    --init \
    --rm \
    --interactive \
    --tty \
    --user node \
    --env http_proxy="$http_proxy" \
    --env https_proxy="$https_proxy" \
    --env NPM_CONFIG_PREFIX=/home/node/.npm-global \
    --volume "$PWD:/home/node/app" \
    --workdir /home/node/app \
    node:14 \
    yarn \
    "$@"

execution fails:

$ dyarn install
yarn install v1.22.5
[1/4] Resolving packages...
[2/4] Fetching packages...
error An unexpected error occurred: "https://registry.yarnpkg.com/d3-brush/-/d3-brush-1.1.5.tgz: unable to get local issuer certificate".
info If you think this is a bug, please open a bug report with the information provided in "/home/node/app/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

After adding

    --env NODE_EXTRA_CA_CERTS=/cert \
    --volume "$HOME/Documents/certs/corp-ca.crt:/cert:ro" \

it works:

$ dyarn install
yarn install v1.22.5
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
Done in 22.40s.

Note that the path must be a file, not a directory. The documentation's use of "certificates", plural, likely refers to bundled certificates in the same file.

@jraby

jraby commented Mar 23, 2023

* [x]  Alpine Linux

<...> nodejs/node#8334 (comment) seems to imply that Alpine Linux is also using this.

While pkgs from Alpine might have NODE_OPTIONS=--use-openssl-ca, it seems like Alpine nodejs docker images do not have this option:
