Version: ACE 5

Custom Certificate Authority

Adding custom Certificate Authority

If you need to call a service that uses a self-signed certificate or a certificate issued by a custom CA (Certificate Authority), you can configure trust for it through the Node.js environment variable NODE_EXTRA_CA_CERTS.

note

Use the certificate of the Certificate Authority that issued the SSL certificate, not the server certificate itself.

note

If multiple CA certificates are needed, they must be combined into one file. This can be done with a text editor.

In practice, the easiest way is to extend the ACE runtime image, copy the CA certificate into the Docker image, and set NODE_EXTRA_CA_CERTS to the path of the copied file.

CA setup example
COPY CustomCA.pem /var/CustomCA.pem
ENV NODE_EXTRA_CA_CERTS=/var/CustomCA.pem

Other options are to create a volume and copy the file during deployment, or to create a startup script that downloads the certificate from a known location.
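The two notes above (use the issuing CA rather than the server certificate, and combine several CAs into one file) can be checked before the file is baked into the image. The following is an added example, not part of ACE; it assumes Node.js 18 or later, and the function names `combineCaBundle` and `inspectBundle` are illustrative. Write the string returned by `combineCaBundle` to the file that NODE_EXTRA_CA_CERTS points to.

```javascript
// Added example (not ACE code): build and check a bundle for NODE_EXTRA_CA_CERTS.
// Assumes Node.js 18+ (X509Certificate.ca); function names are illustrative.
const { X509Certificate } = require('crypto');

// Matches any PEM block and captures its label and base64 body.
const BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/g;

// Merge several PEM texts into one bundle: certificates only, LF line endings,
// duplicates dropped, and a hard failure if a private key was pasted in.
function combineCaBundle(pemTexts) {
  const seen = new Set();
  const out = [];
  for (const text of pemTexts) {
    for (const [, label, body] of text.matchAll(BLOCK)) {
      if (label.includes('PRIVATE KEY')) {
        throw new Error('private key found in CA input; remove it');
      }
      if (label !== 'CERTIFICATE') continue; // skip CSRs, CRLs and the like
      const b64 = body.replace(/\s+/g, '');
      if (seen.has(b64)) continue;
      seen.add(b64);
      const lines = b64.match(/.{1,64}/g) || [];
      out.push(['-----BEGIN CERTIFICATE-----', ...lines,
        '-----END CERTIFICATE-----'].join('\n'));
    }
  }
  return out.length ? out.join('\n') + '\n' : '';
}

// For each certificate in the bundle, report whether it can act as a trust anchor.
function inspectBundle(bundle, now = new Date()) {
  return [...bundle.matchAll(BLOCK)].map(([pem]) => {
    let cert;
    try {
      cert = new X509Certificate(pem);
    } catch (err) {
      return { ok: false, problem: 'not a parseable X.509 certificate' };
    }
    const problems = [];
    // A non-CA certificate issued by someone else is a server certificate.
    if (!cert.ca && cert.issuer !== cert.subject) {
      problems.push('server certificate, not the issuing CA');
    }
    if (new Date(cert.validTo) < now) problems.push('expired');
    return { ok: problems.length === 0, subject: cert.subject, problem: problems.join('; ') };
  });
}
```

A self-signed server certificate passes the issuer check because it is its own trust anchor, which matches the self-signed case mentioned at the top of this section.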

Disabling certificate validation

danger

Never use NODE_TLS_REJECT_UNAUTHORIZED in production: it completely disables SSL certificate validation and is a high security risk!

It is possible to disable certificate validation completely for testing purposes by setting NODE_TLS_REJECT_UNAUTHORIZED=0, see NODE_TLS_REJECT_UNAUTHORIZED.

Designer Desktop

Designer Desktop is based on Electron.js and reads operating system environment variables, so it's possible to set variables globally and use the NODE_TLS_REJECT_UNAUTHORIZED option.

caution

Setting NODE_TLS_REJECT_UNAUTHORIZED as a global environment variable affects the whole system. The safest way is to create a script that sets the environment variable and launches ACE Designer from the command line.

Windows cmd example
set NODE_TLS_REJECT_UNAUTHORIZED=0
"%LOCALAPPDATA%\Programs\@sapiens-digitalace-designer-electron\ACE Designer.exe"

Unfortunately, the NODE_EXTRA_CA_CERTS option doesn't work due to a bug in Electron.js.