cli option to configure add cerificate authority for SSR fetch requests

[burner-account]

Command

serve

Description

Hi there!

If your SSR HttpClient (withFetch()) currently requests data server side from an API that uses TLS signed by a custom CA you may receive a UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.

While the compiled SSR application runs fine with node dist/yada/server/server.mjs, using ng serve to start the application will produce the mentioned error. node probably works fine because it uses the system CAs(?). But ng serve seems to have its own idea about root CAs.

Describe the solution you'd like

If i am not ignorant to "the obvious and usual way to solve this", could this please be considered as something to be solved via CLI options?
Or ng serve maybe could be taught to obey NODE_EXTRA_CA_CERTS?

Thank you!

Describe alternatives you've considered

• I tried to convince ng serve with the NODE_EXTRA_CA_CERTS environment variable - no success.
• Writing to https.globalAgent.options.ca did not solve the problem.

[dgp1130]

I would expect ng serve to follow Node's behavior with respect to root certificates. Does this work if you start your own Node process and make a manual fetch to this backend API? Are you providing this certificate via NODE_EXTRA_CA_CERTS?

I don't think Angular would want to diverge from system behavior here, so I'm inclined to avoid adding a new option and just match system behavior, but I'm not sure what we could be doing here which would be breaking it.

[burner-account]

I would expect ng serve to follow Node's behavior with respect to root certificates. Does this work if you start your own Node process and make a manual fetch to this backend API? Are you providing this certificate via NODE_EXTRA_CA_CERTS?

If i run the compiled SSR app manually via node dist/projectname/server/server.mjs everything is perfectly fine. I have installed the custom CA certificate chain as a system-wide root certificate. I do not provide NODE_EXTRA_CA_CERTS. NodeJS seems to pick up system certs.

I don't think Angular would want to diverge from system behavior here, so I'm inclined to avoid adding a new option and just match system behavior, but I'm not sure what we could be doing here which would be breaking it.

Matching system behaviour, meaning getting ng serve to pick up system certs, would be really cool!

[burner-account]

There is test code in /tests/legacy-cli/e2e/tests/vite/ssr-with-ssl.ts#L50 which seems to use

process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

to mitigate the described problem.

Setting process.env.NODE_TLS_REJECT_UNAUTHORIZED on top of server.ts seems not to work, but setting the env variable like
NODE_TLS_REJECT_UNAUTHORIZED='0' ng serve ... does work.

[alan-agius4]

I'm having trouble fully understanding the problem description. When running ng serve, are you using your own generated certificates, or the self-signed certificates that are automatically generated?

ng serve launches a Node process, so as long as the NODE_EXTRA_CA_CERTS environment variable is properly configured, it should be recognized.

If the problem persists I suggest to provide a minimal reproduction that we can take a look at.