Walkthrough: Configuring Sitecore CA certificates for Node.js
In local environments, Sitecore instances are installed using privately signed certificates. However, these are rejected by Node.js since their root CAs are not known. From Node.js 7.3.0 and onwards, it is possible to add well-known extra certificates to Node.js with a NODE_EXTRA_CA_CERTS
environment variable.
If you do not have privately signed certificates configured correctly, you will see errors with the code UNABLE_TO_VERIFY_LEAF_SIGNATURE
when running your JSS application. For example:
Error: unable to verify the first certificate
...
type: 'system',
errno: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
Error occurred while trying to proxy request /sitecore/api/layout/render/jss?item=%2F&sc_apikey={A6AAE4C9-EEFF-4728-BDCB-80292FDB16EC}
from localhost:3000 to <https://cm.localhost> (UNABLE_TO_VERIFY_LEAF_SIGNATURE)
This walkthrough guides you through the required steps for configuring Node.js to accept privately signed SSL certificates:
-
If you are using Sitecore Containers, identify the certificate file used by your Sitecore instance. Alternatively, create the certificate file for a SIF Sitecore installation.
-
Provide the certificates to the Node.js environment.
Identify the certificate file used in your Sitecore Containers instance
For Docker-based Sitecore containers, the certificate file was created by mkcert
during the project setup.
To find the certificate location, in a terminal, in the root directory of your project, run the following command:
mkcert -CAROOT
The certificate is in PEM format and is called rootCA.pem
by default. Your file path will look something like C:\Users\<username>\AppData\Local\mkcert\rootCA.pem
.
Create the certificate file for use in a Sitecore on-prem instance
For Sitecore instances installed with the Sitecore Installation Framework (SIF), you must export the certificate from the Windows Certificate Store.
To export the certificate:
-
Open Windows certificates manager for the local computer using
certlm
from the command line or by searching for "Manage Computer Certificates." -
Under Trusted Root Certification > Certificates, right-click the Sitecore Installation Framework certificate, then click , then .
-
In the new window, click
. -
In the Export File Format screen, select Base-64 encoded X.509 (.CER) and click .
-
Enter a file name, for example, SIFRoot.cer and a location to store the
.cer
file. Click , then .
If you have both Sitecore Containers and on-prem instances, you can combine the certificates into a single file. For example:
-----BEGIN CERTIFICATE-----
{your mkcert certificate}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{your SIF certificate}
-----END CERTIFICATE-----
Provide the certificates to the Node.js environment
To include your certificates in the Node.js environment, you must add them to the well-known root certificates of Node.js.
Adding it to a .env
file and using the dotenv
library does not work because environment variables defined this way are loaded too late for Node.js to recognize.
To provide the certificates, you have several options, all using the NODE_EXTRA_CA_CERTS
:
-
In the local or system environment run the command:
RequestResponsesetx NODE_EXTRA_CA_CERTS <file>
To set the certificates for the entire system use the optional
/m
parameter.Restart the terminal or the code editor for the change to take effect.
-
In a PowerShell session, run the following script:
RequestResponse$env:NODE_EXTRA_CA_CERTS="<file>"
You need to repeat this step when you start a new session.
-
In the
package.json
file of your JSS application, modify the scriptstart:connected
:RequestResponse"start:connected": "cross-env-shell NODE_EXTRA_CA_CERTS=<file> ..."