Hello,
We're experiencing a number of issues around Azure DevOps plugins (which appear to use NodeJS under the hood) and our own internal NodeJS applications when connecting to TLS services using AddTrust-based certificates.
This all started happening since their "legacy" CA root certificate expired on the 30th.
Looking at NodeJS, if I've understood correctly, the AddTrust CA root cert (as bundled) is the "legacy" cert which expired on the 30th.
I would happily raise a PR myself, but SSL certificates always prove to be way over my head! It looks like the NodeJS team regularly update the certs though, so I assume this is a relatively easy patch?
I'll also cross-reference this issue with the Microsoft Azure DevOps agent GitHub too...
Same issue. Unfortunately, until the old one is removed from the list it seems to break (i.e. wget didn't work in my Debian-based container until I excluded mozilla/AddTrust_External_Root.crt and updated CAs). Unfortunately node doesn't seem to much care what the OS thinks.
@Zeal0us yeah, it looks like a set of certs are bundled with it (separate to the OS).
Opened a PR to update the certs - https://github.com/nodejs/node/pull/33682
Until the NSS update lands, https://nodejs.org/api/cli.html#cli_use_bundled_ca_use_openssl_ca can be used to force node.js to use an external cert store.
And, FTR, https://github.com/nodejs/node/blob/master/doc/guides/maintaining-root-certs.md is the cert maintenance process.