node_extra_ca_certs_mozilla_bundle

node_extra_ca_certs_mozilla_bundle

If you are trying to connect to a secure website via nodejs. Although, the site may work in the browser, you may run into errors such as

CERT_UNTRUSTED

UNABLE_TO_VERIFY_LEAF_SIGNATURE

Unable to verify the first certificate

It may be due to a couple of reasons. The Root CA certificate is missing in nodejs Or the site does not correctly install the intermediate certificates.

Typically you encounter these at the last minute, and usually, the server is not in your control; hence you cannot modify the certificate installation, and it is challenging to change code at that time.

Node js added an Environment variable to address this issue:

NODE_EXTRA_CA_CERTS

When set, the well known "root" CAs (like VeriSign) will be extended with the extra certificates in file. The file should consist of one or more trusted certificates in PEM format.

NOTE: This environment variable is ignored when node runs as setuid root or has Linux file capabilities set.

However, it is cumbersome to create the PEM file for missing certificates manually and it can be a security issue if untrusted certificates are accidentally included.

This module is designed to make all SSL sites that work with Mozilla Browser compatible with your nodejs script.

It downloads and creates a PEM file from https://www.ccadb.org/resources (Common CA Database) used by Mozilla

• https://wiki.mozilla.org/CA/Included_Certificates
• https://wiki.mozilla.org/CA/Intermediate_Certificates

It generates three different bundles that can be used based on your needs:

• Intermediate certificates only bundle ca_intermediate_bundle.pem
• Root only certificates bundle ca_root_bundle.pem
• Intermediate and Root certificates bundle ca_intermediate_root_bundle.pem

You can use any of the above bundles with NODE_EXTRA_CA_CERTS.

To install:

npm install --save node_extra_ca_certs_mozilla_bundle

During the installation of the module, it downloads the latest certificates from the Mozilla database and builds the PEM file in node_modules/node_extra_ca_certs_mozilla_bundle/ca_bundle folder.

You can launch your script while using the above certificates using:

NODE_EXTRA_CA_CERTS=node_modules/node_extra_ca_certs_mozilla_bundle/ca_bundle/ca_intermediate_root_bundle.pem node your_script.js

for Windows use:

npx cross-env NODE_EXTRA_CA_CERTS=node_modules/node_extra_ca_certs_mozilla_bundle/ca_bundle/ca_intermediate_root_bundle.pem node your_script.js

To use the PEM file in code

This is useful when you want to run as root or listen on privilege port like 80. Since in those situations the above environment variable does not work.

const fs = require('fs');
const https = require('https');
https.globalAgent.options.ca = fs.readFileSync('node_modules/node_extra_ca_certs_mozilla_bundle/ca_bundle/ca_intermediate_root_bundle.pem');

To include your custom PEM certificates in code along with this file

If you want to include your custom certificate and still want to connect to other SSL endpoints, you can concat the custom certificate with the generated bundle and use it.

const fs = require('fs');
const https = require('https');
https.globalAgent.options.ca = yourCertificatePEMcontent + fs.readFileSync('node_modules/node_extra_ca_certs_mozilla_bundle/ca_bundle/ca_intermediate_root_bundle.pem');