Build support for 'additional' CA certs #748
-
If I understand you correctly, maybe using the mTLS options would work for you? https://docs.npmjs.com/cli/v10/configuring-npm/npmrc#auth-related-configuration
-
These certs aren't used for authentication but for SSL signing of web traffic through an NTLM proxy that requires a trusted root certificate (and intermediaries) in order to work. The problem is that you either have to inject an environment variable, which requires tweaking all automated or manual runtime commands, or manage the full NPM CA cert, which we really don't want to have to take on. Our registry actually used AWS certs, so ironically, we literally need the un-scoped CA cert to be updated instead.
-
Is NTLM a Windows thing? That is what Google is telling me, just making sure I understand the issue. I have no opposition to your request, but am guessing if you really need this you will need to find a workaround in the short to medium term.
-
Sorry, yes, locally it's a Windows system-level proxy, but even in our build agents, which are Linux based, we have the same issue. Our proxies handle traffic with a rewritten cert so they can inspect HTTPS traffic, so we need a single new CA added, but this isn't doable unless you use the environment variable or have a setup where you can associate a CA cert with a specific registry. The workaround for now is to continue to ignore SSL verification, but it's really far from ideal. We can't be alone - there are many corporate proxies out there, and many large companies insist on internally-hosted repository proxies which handle security scanning, usage attribution and alerting when there's a violation.
-
NPM has a really handy CLI option - NODE_EXTRA_CA_CERTS, but no matching option in .npmrc. We need to add additional certificates to the chain so we can secure our internal registry lookups, but this isn't possible without one of the following:
We have numerous projects and all kinds of manual and automated workflows where individually adding this configuration is really not viable. If the CLI tool can append additional CA certificates temporarily to the runtime, why can't that be done in a way that can be stored just as part of the project?