CA File

[curtisalexander]

I am unable to install packages due to the fact that my company is performing MITM attacks and I need to point to a custom cert. I'm aware of the recommended fix -- set the value
strict-ssl = false -- within my apmrc file; this recommendation works as suggested.

However, I would prefer to set the following option either in an npmrc file or if it were working an apmrc file.

cafile=/etc/ssl/certs/my-custom-ca-bundle.crt

Recommendations? Is this something that can be included in an apmrc file? If this can be set in an npmrc file, which one do I need to edit?

Thanks.

[kevinsawicki]

Is this something that can be included in an apmrc file?

I think it is though I've never tried to set a custom one.

If this can be set in an npmrc file, which one do I need to edit?

~/.atom/.apmrc

You can run apm config ls to verify which config settings it is picking up and from where.

[curtisalexander]

I have attempted to put the cafile option within the apmrc file but it does not work -- I continue to receive a 'CERT_UNTRUSTED' error whenever I attempt to install packages.

When I run apm config ls -l, I get the following:

C:\Users\calexander>apm config ls -l
; cli configs
globalconfig = "C:\\Users\\calexander\\.atom\\.apm\\.apmrc"
user-agent = "npm/2.5.1 node/v0.10.35 win32 ia32"
userconfig = "C:\\Users\\calexander\\.atom\\.apmrc"

; userconfig C:\Users\calexander\.atom\.apmrc
cafile = "C:\\cygwin64\\usr\\ssl\\certs\\ca-bundle.crt"

; globalconfig C:\Users\calexander\.atom\.apm\.apmrc
cache = "C:\\Users\\calexander\\.atom\\.apm"

; node bin location = C:\Users\calexander\AppData\Local\atom\app-0.190.0\resources\app\apm\bin\node.exe
; cwd = C:\Users\calexander
; HOME = C:\Users\calexander
; 'npm config ls -l' to show all defaults.

Obviously I am utilizing Windows. As such, I cannot run npm config ls -l to look at my global defaults. npm is not on my path currently (I don't have node or npm installed outside of atom) and I have tried editing multiple npmrc files I can find within C:\Users\calexander\AppData\Local\atom\app-0.190.0. I'm not certain where to go from here. Any help would be appreciated.

Thank you.

[kevinsawicki]

Can you include the full stack trace from the CERT_UNTRUSTED error?

[curtisalexander]

Forgive my ignorance -- from can I grab a full stack trace?

[kevinsawicki]

Forgive my ignorance -- from can I grab a full stack trace?

What is the full output when you run an apm install command that fails?

[curtisalexander]

Unfortunately, the error thrown doesn't appear to be helpful.

C:\Users\calexander>apm install vim-mode
Installing vim-mode to C:\Users\calexander\.atom\packages failed
Request for package information failed: CERT_UNTRUSTED

[kevinsawicki]

Unfortunately, the error thrown doesn't appear to be helpful.

It is, I was curious where it failed and the Request for package information failed line tells me, thanks!

[johnajames]

Has this issue ever been addressed? I am having the same problem.

[curtisalexander]

I haven't seen it addressed although it was marked as a bug. Looking through the code I don't think it would be that hard to update and submit a PR. Probably something I should have done originally.

[JPvRiel]

I would suggest the apm should leverage or use the OS certificate store as an option. E.g. on Linux it could be pointed to the respective /etc/pki (centos/fedora) or /etc/ssl/ (debian) cert CA files/folders, or windows, the certificate store, given custom certs and CAs for an organization are usually placed there.

[JPvRiel]

Edited: tought it worked, but it doesn't.

The ca-file option used by ~/.npmrc, should provide a work arround. The following ~/.atom/.apmrc example didn't work in the case where a corporate proxy with it's own issuing CA was added to the OS (Ubuntu/Debian) default CA file directory (as used by OpenSSL)

http-proxy = http://<your_proxy_host>:8080
https-proxy = http://<your_proxy_host>:8080
strict-ssl = true
ca-file = /etc/ssl/certs/ca-certificates.crt

Here's the error

$ apm search markdown
CERT_UNTRUSTED

I can confirm curl can happily use the ca-certifcates.crt file

$ curl --cacert /etc/ssl/certs/ca-certificates.crt https://atom.io/packages

It's still a pain that atom doesn't implicitly leverage the OS proxy env or CA files, but this probably thanks to relying node.js and npm bundling their own CA list and ignoring what's available from the OS? The internet is littered with posts complaining about CA cert issues with node.js/npm.

Logic to use OS specific trust stores / CA files for OSX, Windows, and other distros like RedHat CA file locations can be messy. Arguably, if atom supported repo's for popular distro's, the build scripts could add distro specific config defaults to make things less painful. E.g. .deb builds would work nicely with /etc/ssl/certs/ca-certificates.crt whereas .rpm might play better with /etc/pki/tls/... etc.

[tortuetorche]

👍 Same issue for me, my CA file doesn't seem to work.
My workaround is to add this in my ~/.atom/.apmrc file:

strict-ssl = false

But it isn't a really safe solution...

[corevo]

the cafile is only applicabale for the npm part of it, the apm code seems to ignore the setting,
we've ran into the same issue at my organization and decided to do what @tortuetorche did