lhci/cli errors when using self-signed certificates in lhci server #365

Closed
Helmut-Onna opened this issue Jul 2, 2020 · 3 comments
Labels
needs-more-info question Further information is requested

Helmut-Onna commented Jul 2, 2020

TL;DR: lhci/cli won't complete the wizard due to self-signed cert in the lhci server

Steps:

  1. deploy lhci-server in k8s, add ingress with self signed cert for "lhci.mycompany.com"
  2. verify web page is up, asks to run wizard (https works fine, as machine trusts ca)
  3. in linux machine install @lhci/cli@0.4.x
  4. Attempt to create new project with wizard:
lhci wizard
? Which wizard do you want to run? new-project
? What is the URL of your LHCI server? https://lhci.mycompany.com/
? What would you like to name the project? w01
? Where is the project's code hosted? https://github.com/mycompany/myrepo
? What branch is considered the repo's trunk or main branch? master
FetchError: request to https://lhci.mycompany.com/v1/projects failed, reason: self signed certificate in certificate chain
    at ClientRequest.<anonymous> (/usr/lib/node_modules/@lhci/cli/node_modules/node-fetch/index.js:133:11)
    at ClientRequest.emit (events.js:315:20)
    at TLSSocket.socketErrorListener (_http_client.js:426:9)
    at TLSSocket.emit (events.js:315:20)
    at emitErrorNT (internal/streams/destroy.js:92:8)
    at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
    at processTicksAndRejections (internal/process/task_queues.js:84:21)

I tried different options I found online. Change the setting, run wizard, next... but all returned the same error:

  • Add ca to OS trusted repo (cp ca.crt /usr/local/share/ca-certificates/ && update-ca-certificates)
  • Add ca to node config (npm config set ca ca.crt, npm config set ca ca.crt -g)
  • Remove node ca setting (npm config set ca '')
  • Modify node strict-ssl (npm config set strict-ssl=false)

Docker image used: docker.io/patrickhulce/lhci-server:0.4.2
Node version installed on linux client: v12.18.2
note: using node 12.x to match the lhci-server:0.4.2 image.

Is there a way to make lhci/cli trust my self-signed certificates?
Thanks!

@patrickhulce
Collaborator

Have you already tried node's export NODE_TLS_REJECT_UNAUTHORIZED='0' environment variable?

I would've also expected npm config set strict-ssl=false to work if you're running the wizard through an npm script rather than lhci directly.

patrickhulce added the needs-more-info and question (Further information is requested) labels Jul 2, 2020

@Helmut-Onna
Author

Helmut-Onna commented Jul 2, 2020

That one worked :)

export NODE_TLS_REJECT_UNAUTHORIZED='0'
lhci wizard
...
? What branch is considered the repo's trunk or main branch? master
(node:1124) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
Created project test01 (3e4ea8e6-7ca1-4aea-8033-e101f7a48ca1)!

Is there a way to make lhci cli trust the ca cert?
As I mentioned in the opening post, the Linux machine already trusts the self signed CA (quick test: curl https://lhci.mycompany.com without -k).
I guess lhci (or npm?) are not using the same ca store as the OS.

@patrickhulce
Collaborator

> I guess lhci (or npm?) are not using the same ca store as the OS.

There's nothing special about Lighthouse CI not trusting the certificate, it's node in general that uses a hardcoded list of approved CAs.

Have you already tried using the NODE_EXTRA_CA_CERTS environment variable?

Either way glad you got it working! We're not going to be adding anything in LHCI to workaround this for the wizard case, so I'm going to go ahead and close this issue.
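
The two environment variables raised in this thread behave very differently: NODE_TLS_REJECT_UNAUTHORIZED='0' turns off certificate verification for every TLS connection the process makes, while NODE_EXTRA_CA_CERTS adds a PEM file of CAs to Node's bundled list and is read only when the process starts. The preflight check below is an added example, not part of the original issue or of Lighthouse CI; `auditNodeTlsEnv`, its finding codes and the sample PEM are assumptions made for illustration.

```javascript
// Added example (not LHCI code): audit the Node TLS environment variables from this
// thread before launching a CLI such as lhci. auditNodeTlsEnv is a hypothetical helper.
// readFile is injectable so the check can be exercised without touching disk.
function auditNodeTlsEnv(env, readFile = (p) => require('fs').readFileSync(p, 'utf8')) {
  const findings = [];
  // Node skips certificate verification process-wide when this is exactly '0'.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push({ level: 'error', code: 'VERIFY_DISABLED' });
  }
  const caPath = env.NODE_EXTRA_CA_CERTS;
  if (!caPath) {
    // Without it Node trusts only its bundled CA list, not the OS store.
    findings.push({ level: 'info', code: 'NO_EXTRA_CA' });
    return findings;
  }
  let pem;
  try {
    pem = readFile(caPath);
  } catch (err) {
    // Node itself only emits a warning for an unreadable file and carries on.
    findings.push({ level: 'error', code: 'CA_UNREADABLE', path: caPath });
    return findings;
  }
  const blocks = pem.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
  if (blocks.length === 0) {
    findings.push({ level: 'error', code: 'NO_PEM_CERT', path: caPath });
  } else {
    findings.push({ level: 'ok', code: 'EXTRA_CA_PRESENT', path: caPath, certs: blocks.length });
  }
  // A CA bundle needs only public certificates; a private key here is a leak.
  if (/-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/.test(pem)) {
    findings.push({ level: 'error', code: 'PRIVATE_KEY_IN_BUNDLE', path: caPath });
  }
  return findings;
}

// Constructed sample input: the PEM body is a placeholder, not a real certificate.
const SAMPLE_CA = '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n';
// Constructed environment: the workaround flag is still set next to the CA path.
const SAMPLE_ENV = {
  NODE_TLS_REJECT_UNAUTHORIZED: '0',
  NODE_EXTRA_CA_CERTS: '/usr/local/share/ca-certificates/ca.crt',
};

function demo() {
  return auditNodeTlsEnv(SAMPLE_ENV, () => SAMPLE_CA).map((f) => f.code);
}

// In CI, call auditNodeTlsEnv(process.env) instead and fail on any 'error' finding.
console.log(demo());
```

Assuming the ca.crt from the opening post is PEM-encoded, the setup this check accepts is NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/ca.crt with NODE_TLS_REJECT_UNAUTHORIZED unset before running lhci wizard.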
