NODE_EXTRA_CA_CERTS cannot be set in code or relative

[sheerun]

• Version:
  v9.11.1
• Platform:
  Darwin sheerun.dev 17.4.0 Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64 x86_64 i386 MacBookPro12,1 Darwin

When I start my server with

NODE_EXTRA_CA_CERTS=/Users/sheerun/Source/Ada/search/.certs/ca.crt bin/start

and in code make request to http server that serves with given certificate, all is good

But when I set it at the beginning of bin/start as so:

process.env.NODE_EXTRA_CA_CERTS = "/Users/sheerun/Source/Ada/search/.certs/ca.crt"

then node complains that there's "self signed certificate in certificate chain".

Particularly NODE_EXTRA_CA_CERTS doesn't work when I use dotenv package and set NODE_EXTRA_CA_CERTS in .env file.

Also, it seems NODE_EXTRA_CA_CERTS doesn't allow relative path, just absolute.

I think both of these issues should be addressed or at least documented with reasons why.

[bnoordhuis]

Pull request welcome.

process.env.NODE_EXTRA_CA_CERTS

Not reliable because the extra certificates are loaded only once.

it seems NODE_EXTRA_CA_CERTS doesn't allow relative path, just absolute.

Relative paths should work.

[sheerun]

Not reliable because the extra certificates are loaded only once.

It would be nice if they were loaded only once but lazily, not before any code is executed in node. This way packages like dotenv would work because the recommendation is to run them at the very beginning. Possibly it could also speedup startup of node a bit.

[sheerun]

Also in #20434 you say that it is loaded lazily but it doesn't seem so unless node makes http requests I don't know about before first line of code is executed. Probably it is instantiated when some not yet started http server is instantiated, but I think it would be better to load certificates when it's actually needed (server starts, http request, tls function is executed).

Ideally you'd expose a function for reloading these..

Also my use case: setting up development environment with https self-signed certificate so Facebook integrations are working properly locally.

[sheerun]

Or maybe a function .addExtraCaCert() plus .freezeCaCerts() for security, just throwing ideas.

[bnoordhuis]

You should chime in on #20434 but keep in mind that NODE_EXTRA_CA_CERTS is to let system administrators add extra certificates without touching code. It's explicitly not Yet Another API for adding certificates programmatically.

[bnoordhuis]

Or maybe a function .addExtraCaCert() plus .freezeCaCerts() for security, just throwing ideas.

That might be acceptable. Can you file a new issue?