[BUG] Not Respecting NODE_TLS_REJECT_UNAUTHORIZED = 0

[om-mani-padme-hum]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

It fails due to a self-signed certificate error, despite being told not to reject unauthorized certificates (my company can't get me the .pem file):

This prevents node-gyp and several other repos from being installed over npm for people such as me.

The workaround we've implemented is to edit your module and pass the option to not reject unauthorized:

Expected Behavior

To install the modules properly over npm, e.g.

Steps To Reproduce

1. In this environment...

Have a self-signed certificate in your certificate chain.

3. With this config...

export NODE_TLS_REJECT_UNAUTHORIZED=0

5. Run '...'

npm i node-gyp

or

npm i smartsheet

7. See error...

Environment

• npm: 8.8.0
• Node: 16.15.0
• OS: Windows 10 Enterprise
• platform: cygwin64

[cdavid15]

We are experiencing the same issue which arose when we bumped out node-lts from 16 to 18 this week. What had worked previously using NODE_TLS_REJECT_UNAUTHORIZED=0 yarn install no longer works now.

The only way we can by pass the self signed certificate issue is by adding options.rejectUnauthorized = false; on line 71 of index.js.

[garrettboone]

This worked for me:

  return new Promise((resolve, reject) => {
    // build request object
    const request = new Request(url, opts)
    let options
    try {
      options = getNodeRequestOptions(request)
      options.agent.options.rejectUnauthorized = false
    } catch (er) {
      return reject(er)
    }

[wlarch]

We have encountered the same issue when updating Node v16.13.2 → v18.14.1. The same self-signed certificates have been used and are properly working when using Node v16.13.2 in a local environment.

---

Follow-up : our solution was to overwrite the fetcher of the Apollo Gateway buildService method.

const fetcher = require('make-fetch-happen');

const gateway = new ApolloGateway({
  buildService({name, url}) {
    return new RemoteGraphQLDataSource({
      name,
      url,
      fetcher: fetcher.defaults({strictSSL: false})
    });
  }
});

make-fetch-happen@11.0.3 has minipass "^4.0.0" and minipass-fetch "^3.0.0" dependencies.

[casyalex]

Anyone fix this?

======================

After my trace this lib did respect the NODE_TLS_REJECT_UNAUTHORIZED, but was overriden by node-gyp. That is not this libs fault

I opened an PR to fix this

[wraithgar]

Has anyone tried using the npm config that disables this behavior? https://docs.npmjs.com/cli/v7/using-npm/config#strict-ssl

[om-mani-padme-hum]

Setting strict-ssl to false was not sufficient to overcome the issue for me. The only resolution was to patch the minipass-fetch file with options.rejectUnauthorized = false; This has become a standard step in our development environment setup at this point, and confirmed among several developers as being the only option that works.

[casyalex]

The root cause is node-gyp use this package in plain node.js enviroment, so .npmrc won't work. But make-fetch-happen is pretty much written only for npm-cli usecase. That cause this issue.

[wraithgar]

cc @lukekarrys in case there is something node-gyp could be doing here to interpret that environment variable and update the params it sends to this module.

[jbgomond]

Seems like the issue is not in this library (that supports NODE_TLS_REJECT_UNAUTHORIZED), but in make-fetch-happen itself (overriding the strictSSL parameter)

[seng1e]

This worked for me:

  return new Promise((resolve, reject) => {
    // build request object
    const request = new Request(url, opts)
    let options
    try {
      options = getNodeRequestOptions(request)
      options.agent.options.rejectUnauthorized = false
    } catch (er) {
      return reject(er)
    }

Thanks @garrettboone answers.

When I changed options.agent.options.rejectUnauthorized = false to options.rejectUnauthorized = false , it actually worked!

enviroment: minipass-fetch@2.1.2, patched in index.js line 61.

[pbeast]

That is what I added to my local copy. At least works for me:

if (process.env['NODE_TLS_REJECT_UNAUTHORIZED'] == '0') {
      console.warn("-----------------------[ minipass-fetch ]-----------------------------");
      console.warn("- NODE_TLS_REJECT_UNAUTHORIZED is set to 0. This is not recommended. -");
      console.warn("----------------------------------------------------------------------");

      options.agent.options.rejectUnauthorized = false;
}

const req = send(options)

[reggi]

Hey all 👋 I've added a test that shows minipass-fetch currently honors the env var, I believe the issue is specific issue lies elsewhere, it's possible that node-gyp needs to pass the strictSSL option to make-fetch-happen