Last active
January 30, 2024 16:30
credit: https://stackoverflow.com/questions/39356413/how-to-add-a-custom-ca-root-certificate-to-the-ca-store-used-by-pip-in-windows/52961564
>pip config set global.cert path/to/ca-bundle.crt
>pip config list # user trusted-host
pip.ini or pip.conf
[global]
trusted-host = pypi.python.org
               pypi.org
               files.pythonhosted.org
cert = /etc/ssl/certs/ca-bundle.crt
(if config is not set, use pip --cert or --trusted-host on each call)
>conda config --set ssl_verify path/to/ca-bundle.crt (or false to disable)
>conda config --show ssl_verify
>git config --global http.sslVerify true
>git config --global http.sslCAInfo path/to/ca-bundle.crt
NPM - two options
1. using environment var
>set npm_config_cafile=/etc/ssl/cert.pem
2. using config
>npm config set strict-ssl true -g
>npm config set cafile path/to/ca-bundle.crt -g
// if npm invokes a script that calls node directly, npm config is not respected; two workarounds
1. disable node TLS check through env var (turns off certificate verification for all of node's TLS connections)
>set NODE_TLS_REJECT_UNAUTHORIZED=0
2. add custom cert through env var
>set NODE_EXTRA_CA_CERTS=/etc/ssl/cert.pem
>yarn config set strict-ssl true -g
>yarn config set cafile path/to/ca-bundle.crt -g
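The settings above fall into two groups: those that add the custom CA to what a tool trusts (cert, cafile, NODE_EXTRA_CA_CERTS) and those that switch certificate verification off (trusted-host, strict-ssl false, NODE_TLS_REJECT_UNAUTHORIZED=0). The following is an added example, not part of the original notes: a small audit that sorts a pip.ini, an .npmrc and the environment into those two groups. The function name, verdict labels and sample inputs are constructed for illustration.

```python
import configparser

def audit_tls_settings(pip_ini="", npmrc="", env=None):
    """Return (tool, setting, verdict); verdict is 'disables-verification' or 'adds-ca'."""
    env = env or {}
    findings = []
    # pip: trusted-host exempts a host from certificate checks; cert names a CA bundle.
    pip = configparser.ConfigParser(interpolation=None)
    pip.read_string(pip_ini)
    for section in pip.sections():
        for host in pip.get(section, "trusted-host", fallback="").split():
            findings.append(("pip", f"trusted-host={host}", "disables-verification"))
        cert = pip.get(section, "cert", fallback="").strip()
        if cert:
            findings.append(("pip", f"cert={cert}", "adds-ca"))
    # npm: .npmrc is flat key=value lines; '#' and ';' start comments.
    for line in npmrc.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or key.startswith(("#", ";")):
            continue
        if key == "strict-ssl" and value.lower() == "false":
            findings.append(("npm", "strict-ssl=false", "disables-verification"))
        elif key == "cafile" and value:
            findings.append(("npm", f"cafile={value}", "adds-ca"))
    # node only reads environment variables, not npm config.
    if env.get("NODE_TLS_REJECT_UNAUTHORIZED") == "0":
        findings.append(("node", "NODE_TLS_REJECT_UNAUTHORIZED=0", "disables-verification"))
    if env.get("NODE_EXTRA_CA_CERTS"):
        findings.append(("node", f"NODE_EXTRA_CA_CERTS={env['NODE_EXTRA_CA_CERTS']}", "adds-ca"))
    return findings

# Constructed sample inputs that mirror the settings in these notes.
SAMPLE_PIP_INI = """\
[global]
trusted-host = pypi.python.org
    pypi.org
    files.pythonhosted.org
cert = /etc/ssl/certs/ca-bundle.crt
"""
SAMPLE_NPMRC = "strict-ssl=true\ncafile=/etc/ssl/cert.pem\n"
SAMPLE_ENV = {"NODE_TLS_REJECT_UNAUTHORIZED": "0"}

if __name__ == "__main__":
    for tool, setting, verdict in audit_tls_settings(SAMPLE_PIP_INI, SAMPLE_NPMRC, SAMPLE_ENV):
        print(f"{verdict:22} {tool:5} {setting}")
```

With the sample inputs, the three trusted-host entries and the node variable are reported as disabling verification, while pip's cert and npm's cafile are reported as adding a CA.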
Docker - yarn (same concept for other tools)
# copy custom cert from the current build directory
COPY zscaler-root-ca.crt /usr/local/share/ca-certificates/zscaler-root-ca.crt
# some base images don't have update-ca-certificates
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
# update-ca-certificates - add the cert to /etc/ssl/certs/ca-certificates.crt bundle
RUN update-ca-certificates
credit:
#http://manpages.ubuntu.com/manpages/xenial/man8/update-ca-certificates.8.html
#https://hackernoon.com/alpine-docker-image-with-secured-communication-ssl-tls-go-restful-api-128eb6b54f1f
credit:
https://serverfault.com/questions/62496/ssl-certificate-location-on-unix-linux
"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem", // OpenSUSE
"/etc/pki/tls/cacert.pem", // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
"/etc/ssl/cert.pem", // Alpine Linux
_Linux setup_
On Fedora/RHEL/CentOS/Debian/Ubuntu I would add it to the OS trust store, and configure yarn to use the OS trust store. This will also make the registry trusted by your browser, and tools like curl/wget, openssl.
Fedora/RHEL/CentOS
Add the CA or self signed certificate to /etc/pki/ca-trust/source/anchors/.
Run sudo update-ca-trust extract. If you use nodejs provided by Red Hat, that's it!
If you have compiled nodejs yourself, or have downloaded nodejs from https://nodejs.org/, you need to configure yarn to use the OS trust store instead of the included static nodejs trust store:
yarn config set cafile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Debian/Ubuntu
This is similar to the instructions for Red Hat Enterprise Linux:
Add your .crt file to /usr/local/share/ca-certificates
sudo update-ca-certificates
yarn config set cafile /etc/ssl/certs/ca-certificates.crt