Correct path for NODE_EXTRA_CA_CERTS

I am providing an intermediate certificate of a remote server through NODE_EXTRA_CA_CERTS.

When I do this locally, it works wonderfully by just prepending the node-scripts: "dev": "NODE_EXTRA_CA_CERTS='./certs/intermediate.pem' next dev",

On netlify, I created the environment variable NODE_EXTRA_CA_CERTS with the value of ./certs/intermediate.pem

But when I look into the logs of the serverless function which is making the fetch, I see the following warning:

Warning: Ignoring extra certs from ./certs/intermediate.pem, load failed: error:02001002:system library:fopen:No such file or directory

Does anyone have an idea how the remote path to the certificate should look so that it is not ignored?

Hi @HansKre

If you have a directory called certs in the root of the git repository you are building from, which contains the certificate(s), then you could try

NODE_EXTRA_CA_CERTS = '/opt/build/repo/certs/intermediate.pem'

as /opt/build/repo is the base directory builds are run in. You can also use file based configuration e.g.

[build.environment]
  NODE_EXTRA_CA_CERTS = '/opt/build/repo/certs/intermediate.pem'

I haven’t tried it, so I can’t say for certain whether this will work.

Thank you, @coelmay !

It is exactly as you assume:
I have a directory called certs in the root of the git repository that I am building from and it contains the certificate(s).

I have set up NODE_EXTRA_CA_CERTS as you have suggested. Now I’m getting:

1:35:29 PM: Warning: Ignoring extra certs from `/opt/build/repo/certs/intermediate.pem`, load failed: error:02001002:system library:fopen:No such file or directory

Did I miss something?

That was probably my best guess :frowning:

The only topics I can find along these lines refer to using SSH not certificates, like [Support Guide] How do I access private repositories in the build environment? and [Support Guide] Using an SSH key via environment variable during build.

There is the possibility this isn’t possible. I can neither confirm nor deny. With luck a Support Engineer (or other community member) can provide a solid answer.

I did some debugging and it turns out that when using nextjs, netlify-functions run in /var/task/nextPage/pages/api.

So I have moved the certificate to pages/api/intermediate.pem and configured NODE_EXTRA_CA_CERTS as NODE_EXTRA_CA_CERTS = /var/task/nextPage/pages/api/intermediate.pem, but it still doesn’t work for the same reason.

I also tried setting the permissions on the file:

sudo chown -R root certs
sudo chmod -R 644 certs/intermediate.pem

But that didn’t change anything either.

I tried to check read access:

    import fs from 'fs';

    // Check whether the function's runtime user can read the file that
    // NODE_EXTRA_CA_CERTS points at.
    try {
      fs.accessSync(
        process.env.NODE_EXTRA_CA_CERTS as string,
        fs.constants.R_OK
      );
      console.log('can read');
    } catch (err) {
      console.error('no access!');
    }

And in the logs I get "no access!".

You are trying to access/use this certificate in a function?

In that case, you won’t want to use an environment variable. You will need to require it in the function so it is bundled with the function at build time. E.g.

const cert = require('./certificate.pem');

Where certificate.pem is in the same directory as the function requiring it.

(Note: I see in your original post you mention serverless function. Apologies.)

That sounds very promising. How would I then use it with fetch though?

Perhaps this might help: Client Side SSL in node.js with fetch. While it uses fs.readFileSync to read the file, it might still work with require.

Again, I can only speculate, as I don’t have anything that requires access the way you are attempting, so I have not tried it.

Many thanks for all your help, @coelmay.
It looks like nextjs is not shipping the whole folder content, so the certificate gets removed during the build process (or is not shipped, depending on how you see it). So I don’t even get this approach to work in my local environment, unfortunately.

Regardless, thank you so much for all your effort!