Walkthrough: Configuring Sitecore CA certificates for Node.js
In local environments, Sitecore instances are installed using privately signed certificates. However, these are rejected by Node.js since their root CAs are not known. From Node.js 7.3.0 and onwards, it is possible to add well-known extra certificates to Node.js with a NODE_EXTRA_CA_CERTS
environment variable.
If you do not have privately signed certificates configured correctly, you will see errors with the code UNABLE_TO_VERIFY_LEAF_SIGNATURE
when running your JSS application. For example:
Error: unable to verify the first certificate
...
type: 'system',
errno: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
Error occurred while trying to proxy request /sitecore/api/layout/render/jss?item=%2F&sc_apikey={A6AAE4C9-EEFF-4728-BDCB-80292FDB16EC}
from localhost:3000 to <https://cm.localhost> (UNABLE_TO_VERIFY_LEAF_SIGNATURE)
This walkthrough guides you through the required steps for configuring Node.js to accept privately signed SSL certificates:
-
If you are using Sitecore Containers, identify the certificate file used by your Sitecore instance.
-
Provide the certificates to the Node.js environment.
Identify the certificate file used in your Sitecore Containers instance
For Docker-based Sitecore containers, the certificate file was created by mkcert
during the project setup.
To find the certificate location, in a terminal, in the root directory of your project, run the following command:
mkcert -CAROOT
The certificate is in PEM format and is called rootCA.pem
by default. Your file path will look something like C:\Users\<username>\AppData\Local\mkcert\rootCA.pem
.
Provide the certificates to the Node.js environment
To include your certificates in the Node.js environment, you must add them to the well-known root certificates of Node.js.
Adding it to a .env
file and using the dotenv
library does not work because environment variables defined this way are loaded too late for Node.js to recognize.
To provide the certificates, you have several options, all using the NODE_EXTRA_CA_CERTS
:
-
In the local or system environment run the command:
RequestResponsesetx NODE_EXTRA_CA_CERTS <file>
To set the certificates for the entire system use the optional
/m
parameter.Restart the terminal or the code editor for the change to take effect.
-
In a PowerShell session, run the following script:
RequestResponse$env:NODE_EXTRA_CA_CERTS="<file>"
You need to repeat this step when you start a new session.
-
In the
package.json
file of your JSS application, modify the scriptstart:connected
:RequestResponse"start:connected": "cross-env-shell NODE_EXTRA_CA_CERTS=<file> ..."