Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nodejs: use system ca certificate store #257513

Merged
merged 1 commit into from
Sep 28, 2023
Merged

nodejs: use system ca certificate store #257513

merged 1 commit into from
Sep 28, 2023

Conversation

999eagle
Copy link
Contributor

Description of changes

NodeJS has a hardcoded list of trusted certificate authorities built-in which it uses instead of the system CA certificates. (see nodejs/node#4175). Additional CA certificates can be added using the NODE_EXTRA_CA_CERTS environment variable, but there's no way to 1) allow for certificate revocations and 2) add trusted CAs (for example a self-signed CA for custom infrastructure) to all nodejs processes systemwide.

To ignore the built-in list of CAs and always use only the system default CAs, nodejs has to be compiled with the --openssl-use-def-ca-store flag which this PR adds. One example of other distros using this is Debian.

I've tested this change by running this snippet in the nodejs repl: const https=require('node:https'); https.get('https://local.url.example.com') where the url in question is served with a self-signed certificate added in security.pki.certificateFiles. This throws the error message Uncaught Error: self-signed certificate in certificate chain when run with the current nodejs package but works with this configuration set.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@delroth delroth added the 12.approvals: 2 This PR was reviewed and approved by two reputable people label Sep 27, 2023
@hexchen hexchen added 12.approvals: 3+ This PR was reviewed and approved by three or more reputable people and removed 12.approvals: 2 This PR was reviewed and approved by two reputable people labels Sep 27, 2023
@SuperSandro2000
Copy link
Member

This could theoretically go straight to master

@999eagle
Copy link
Contributor Author

The contributing guidelines currently give 500+ rebuilds as the rule of thumb threshold for mass rebuilds that should go to staging, so I based this PR on staging. I could rebase onto master if that's okay despite being a mass rebuild?

@SuperSandro2000
Copy link
Member

It's only a mass rebuild if labels are red but it really does not matter and someone should just hit merge.

@marsam marsam merged commit b59ab70 into NixOS:staging Sep 28, 2023
@999eagle 999eagle deleted the feat/nodejs-system-ca branch September 28, 2023 09:54
@zhaofengli zhaofengli mentioned this pull request Nov 18, 2023
Merged
This was referenced Nov 20, 2023
Closed
Merged
This was referenced Nov 21, 2023
Merged
Merged
@penalty1083 penalty1083 mentioned this pull request Nov 28, 2023
Merged
13 tasks
@jonasnick jonasnick mentioned this pull request Dec 10, 2023
Merged
2 tasks
phaer added a commit to phaer/nixpkgs that referenced this pull request Dec 15, 2023
@phaer
playwright-driver: fix browser download on darwin
bb74ebb 
We are currently using an impure method to build a derivation for
playwrights browsers on darwin: We just call `playwright install`
during build-time. But this recently began to fail, with an error that
the azure certificate would be self-signed, while it was not. This is
presumably due to NixOS#257513
where we started to use the systems CA store for nodejs instead of
the bundled one, so we add cacert to fix it.

Maybe the whole impure method of downloading browsers on darwin
should be reconsidered in favor of following the same approach as
on Linux, but that would probably have the drawback that we'd loose
safari as one of the browsers.
@phaer phaer mentioned this pull request Dec 15, 2023
Merged
13 tasks
github-actions bot pushed a commit that referenced this pull request Dec 18, 2023
@phaer @github-actions
playwright-driver: fix browser download on darwin
4708f04 
We are currently using an impure method to build a derivation for
playwrights browsers on darwin: We just call `playwright install`
during build-time. But this recently began to fail, with an error that
the azure certificate would be self-signed, while it was not. This is
presumably due to #257513
where we started to use the systems CA store for nodejs instead of
the bundled one, so we add cacert to fix it.

Maybe the whole impure method of downloading browsers on darwin
should be reconsidered in favor of following the same approach as
on Linux, but that would probably have the drawback that we'd loose
safari as one of the browsers.

(cherry picked from commit bb74ebb)
Lainera pushed a commit to Lainera/nixpkgs that referenced this pull request Dec 20, 2023
@phaer @Lainera
playwright-driver: fix browser download on darwin
d234482 
We are currently using an impure method to build a derivation for
playwrights browsers on darwin: We just call `playwright install`
during build-time. But this recently began to fail, with an error that
the azure certificate would be self-signed, while it was not. This is
presumably due to NixOS#257513
where we started to use the systems CA store for nodejs instead of
the bundled one, so we add cacert to fix it.

Maybe the whole impure method of downloading browsers on darwin
should be reconsidered in favor of following the same approach as
on Linux, but that would probably have the drawback that we'd loose
safari as one of the browsers.
@RaghavSood RaghavSood mentioned this pull request May 12, 2024
Draft
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hexchen hexchen hexchen approved these changes

@SuperSandro2000 SuperSandro2000 SuperSandro2000 approved these changes

@vifino vifino vifino approved these changes

@JulienMalka JulienMalka JulienMalka approved these changes

@marsam marsam marsam approved these changes

@gilligan gilligan Awaiting requested review from gilligan

@cillianderoiste cillianderoiste Awaiting requested review from cillianderoiste

@cko cko Awaiting requested review from cko

Assignees
No one assigned
Labels
6.topic: nodejs 10.rebuild-darwin: 501-1000 10.rebuild-darwin: 501+ 10.rebuild-linux: 501-1000 10.rebuild-linux: 501+ 12.approvals: 3+ This PR was reviewed and approved by three or more reputable people
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@999eagle @SuperSandro2000 @marsam @JulienMalka @vifino @hexchen @delroth