Zowe CLI: Providing NODE_EXTRA_CA_CERTS

Dan Kelosky
Published in Zowe
Apr 5, 2019

When using Zowe CLI to connect to z/OSMF, you may get the error “unable to verify the first certificate” (different from “self-signed certificate in certificate chain”):

In my case, this seemed strange, because whenever I access z/OSMF through my Chrome browser directly, I do NOT get any warning like the following:

Instead, I get a normal logon:

Workarounds

One potential workaround: Zowe CLI surfaces the rejectUnauthorized option via the --reject-unauthorized=[true|false] command line argument when creating or updating a profile, which could “resolve” this error (strictly meaning that it makes the error go away, in the same way that disabling compiler warnings makes type mismatch messages go away 😃). The implications of rejectUnauthorized should be understood before use.

Mozilla Certificate Authorities (CAs)

Zowe CLI is built on Node.js, and by default is bundled to trust “CAs curated by Mozilla”. However, through environment variables, like NODE_EXTRA_CA_CERTS, you can extend trusted CAs.

Example

Although this may not be the most efficient route, you can follow these steps to make use of the NODE_EXTRA_CA_CERTS environment variable without using --reject-unauthorized=false to “fix” the error mentioned above.

Export Certificates

Click on the 🔒 symbol and click “Certificate” (using Chrome).

There are 4 certificates in this path. On the “Details” tab, click “Copy to File…”.

Export to DER format and save the file on your workstation.

Swap back to the “Certificate Path” view, pick the next certificate in line (second from the bottom), and click “View Certificate”.

Copy this certificate, and each remaining certificate in the path, to your workstation in the same way.

Convert

In my experience, this needed to be in PEM format, so you can convert the certificates on your workstation from DER to PEM using the openssl command line program (with syntax like this):

openssl x509 -inform der -in certificate.der.cer -out certificate.pem

Concatenate

Lastly, concatenate the certificates:

cat cert1.pem cert2.pem cert3.pem cert4.pem > bundled.pem

In Bash, you can define environment variables before invoking an application for them to take effect. In this screenshot, I’m using a zowe jobs list jobs command without specifying --reject-unauthorized=false:
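The convert, concatenate and invoke steps above collected into one script, as an added example that is not part of the original post: it converts each exported DER file, builds the bundle, lists what ended up in it, and runs the zowe command with NODE_EXTRA_CA_CERTS set for that one invocation. The script name (bundle.sh), the function names and the certificate file names are placeholders.

```bash
#!/usr/bin/env bash
# Added example: build a PEM bundle from the DER certificates exported from
# the browser. All file names are placeholders for the files you saved.

# Convert each DER file to PEM and append it to the bundle.
# usage: build_bundle <bundle.pem> <cert1.der.cer> [<cert2.der.cer> ...]
build_bundle() {
  local bundle=$1 der
  shift
  : > "$bundle"                        # start from an empty bundle
  for der in "$@"; do
    # openssl exits non-zero if the input is not a DER-encoded certificate
    openssl x509 -inform der -in "$der" -outform pem >> "$bundle" || {
      echo "not a DER certificate: $der" >&2
      return 1
    }
  done
}

# Print how many certificates a PEM bundle contains.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# List subject and issuer of every certificate in the bundle, to confirm
# that each certificate from the path made it in.
show_bundle() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Runs only when arguments are given, for example:
#   ./bundle.sh bundled.pem cert1.der.cer cert2.der.cer cert3.der.cer cert4.der.cer
if [ "$#" -ge 2 ]; then
  build_bundle "$@" || exit 1
  echo "$(count_certs "$1") certificate(s) written to $1"
  show_bundle "$1"
  # The variable is set for this one command only, and
  # --reject-unauthorized=false is not needed.
  NODE_EXTRA_CA_CERTS="$1" zowe jobs list jobs
fi
```

Node.js reads NODE_EXTRA_CA_CERTS once, when the process starts, so the variable has to be in the environment of the zowe command itself.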
