Zowe CLI: Providing NODE_EXTRA_CA_CERTS
When using Zowe CLI to connect to z/OSMF, you may get the error “unable to verify the first certificate” (different from “self-signed certificate in certificate chain”).
In my case, this seemed strange, because whenever I access z/OSMF through my Chrome browser directly, I do NOT get any warning. Instead, I get a normal logon.
Workarounds
One potential workaround: Zowe CLI surfaces the rejectUnauthorized option via the --reject-unauthorized=[true|false] command line argument when creating / updating a profile, which could “resolve” this error (strictly meaning that it makes the error go away, in the same way that disabling compiler warnings makes type mismatch messages go away 😃). The implications of rejectUnauthorized should be understood before use: setting it to false disables verification of the server's certificate.
Mozilla Certificate Authorities (CAs)
Zowe CLI is built on Node.js, and by default is bundled to trust “CAs curated by Mozilla”. However, through environment variables like NODE_EXTRA_CA_CERTS, you can extend the trusted CAs.
Example
Although this may not be the most efficient route, you can follow these steps to make use of the NODE_EXTRA_CA_CERTS environment variable without using --reject-unauthorized=false to “fix” the error mentioned above.
Export Certificates
Click on the 🔒 symbol and click “Certificate” (using Chrome).
There are 4 certificates in this path. On the “Details” tab, click “Copy to File…”.
Export to DER format and save the file on your workstation.
Swap back to the “Certificate Path” view, pick the next certificate in line (second from the bottom), and click “View Certificate”.
Repeat the export for this certificate and each remaining one in the path, saving each to your workstation.
Convert
In my experience, this needed to be in PEM format, so you can convert the certificates on your workstation from DER to PEM using the openssl command line program (with syntax like this):
openssl x509 -inform der -in certificate.der.cer -out certificate.pem
Concatenate
Lastly, concatenate the certificates:
cat cert1.pem cert2.pem cert3.pem cert4.pem > bundled.pem
In Bash, you can define environment variables prior to invoking an application for them to take effect. In the screenshot, I’m using a zowe jobs list jobs command without specifying --reject-unauthorized=false.
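The convert and concatenate steps above as one script (an added example, not from the original post; the build_bundle and list_bundle helper names and the file names are assumptions). It accepts DER or PEM input per file and refuses to write a bundle if any file does not parse as a certificate.

```shell
#!/usr/bin/env bash
# Added example: build the PEM bundle that NODE_EXTRA_CA_CERTS points at.
# Helper names and file names are assumptions, not from the original post.

# build_bundle OUT.pem CERT...
# Normalises each exported certificate to PEM and appends it to the bundle.
# The bundle is only written if every input parses as an X.509 certificate.
build_bundle() {
    local out tmp f
    out=$1
    shift
    tmp=$(mktemp) || return 1
    for f in "$@"; do
        # Try DER first (the format exported in the steps above), then PEM.
        openssl x509 -inform der -in "$f" -outform pem >>"$tmp" 2>/dev/null ||
        openssl x509 -inform pem -in "$f" -outform pem >>"$tmp" 2>/dev/null || {
            echo "not an X.509 certificate: $f" >&2
            rm -f "$tmp"
            return 1
        }
    done
    mv "$tmp" "$out"
}

# list_bundle BUNDLE.pem
# Prints subject and issuer of every certificate in the bundle, so you can
# confirm that all certificates from the path made it in.
list_bundle() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Usage (file names are placeholders for your exported certificates):
#   build_bundle bundled.pem cert1.der.cer cert2.der.cer cert3.der.cer cert4.der.cer
#   list_bundle bundled.pem
#   NODE_EXTRA_CA_CERTS="$PWD/bundled.pem" zowe jobs list jobs
```

The variable is set only for that single zowe invocation; export it in your shell profile if you want it to persist.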