TL;DR: lhci/cli won't complete the wizard due to self-signed cert in the lhci server
Steps:
@lhci/[email protected]lhci wizard
? Which wizard do you want to run? new-project
? What is the URL of your LHCI server? https://lhci.mycompany.com/
? What would you like to name the project? w01
? Where is the project's code hosted? https://github.com/mycompany/myrepo
? What branch is considered the repo's trunk or main branch? master
FetchError: request to https://lhci.mycompany.com/v1/projects failed, reason: self signed certificate in certificate chain
at ClientRequest.<anonymous> (/usr/lib/node_modules/@lhci/cli/node_modules/node-fetch/index.js:133:11)
at ClientRequest.emit (events.js:315:20)
at TLSSocket.socketErrorListener (_http_client.js:426:9)
at TLSSocket.emit (events.js:315:20)
at emitErrorNT (internal/streams/destroy.js:92:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
at processTicksAndRejections (internal/process/task_queues.js:84:21)
I tried different options I found online. Change the setting, run wizard, next... but all returned the same error:
cp ca.crt /usr/local/share/ca-certificates/ && update-ca-certificates)npm config set ca ca.crt, npm config set ca ca.crt -gnpm config set ca ''npm config set strict-ssl=falseDocker image used: docker.io/patrickhulce/lhci-server:0.4.2
Node version installed on linux client: v12.18.2
note: using node 12.x to match the lhci-server:0.4.2 image.
Is there a way to make lhci/cli trust my self-signed certificates?
Thanks!
Have you already tried node's export NODE_TLS_REJECT_UNAUTHORIZED='0' environment variable?
I would've also expected npm config set strict-ssl=false to work if you're running the wizard through an npm script rather than lhci directly.
That one worked :)
export NODE_TLS_REJECT_UNAUTHORIZED='0'
lhci wizard
...
? What branch is considered the repo's trunk or main branch? master
(node:1124) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
Created project test01 (3e4ea8e6-7ca1-4aea-8033-e101f7a48ca1)!
Is there a way to make lhci cli trust the ca cert?
As I mentioned in the opening post, the Linux machine already trusts the self signed CA (quick test: curl https://lhci.mycompany.com without -k).
I guess lhci (or npm?) are not using the same ca store as the OS.
I guess lhci (or npm?) are not using the same ca store as the OS.
There's nothing special about Lighthouse CI not trusting the certificate, it's node in general that uses a hardcoded list of approved CAs.
Have you already tried using the NODE_EXTRA_CA_CERTS environment variable?
Either way glad you got it working! We're not going to be adding anything in LHCI to workaround this for the wizard case, so I'm going to go ahead and close this issue.
Most helpful comment
Have you already tried node's
export NODE_TLS_REJECT_UNAUTHORIZED='0'environment variable?I would've also expected
npm config set strict-ssl=falseto work if you're running the wizard through annpmscript rather than lhci directly.