How to configure axios to use SSL certificate?

by

Old question but chiming in for those who land here. No expert. Please consult with your local security gurus and what not.

Axios is an http(s) client and http clients usually participate in TLS anonymously. In other words, the server accepts their connection without identifying who is trying to connect. This is different then say, Mutual TLS where both the server and client verify each other before completing the handshake.

The internet is a scary place and we want to protect our clients from connecting to spoofed public endpoints. We do this by ensuring our clients identify the server before sending any private data.

// DO NOT DO THIS IF SHARING PRIVATE DATA WITH SERVICE
const httpsAgent = new https.Agent({ rejectUnauthorized: false });

This is often posted (and more egregiously upvoted) as the answer on StackOverflow regarding https client connection failures in any language. And what’s worse is that it usually works, unblocks the dev and they move on their merry way. However, while they certainly get in the door, whose door is it? Since they opted out of verifying the server’s identity, their poor client has no way of knowing if the connection they just made to the company’s intranet has bad actors listening on the line.

If the service has a public SSL cert, the https.Agent usually does not need to be configured further because your operating system provides a common set of publicly trusted CA certs. This is usually the same set of CA certs your browser is configured to use and is why a default axios client can hit https://google.com with little fuss.

If the service has a private SSL cert (self signed for testing purposes or one signed by your company’s private CA to protect their internal secrets), the https agent must be configured to trust the private CA used to sign the server cert:

const httpsAgent = new https.Agent({ ca: MY_CA_BUNDLE });

where MY_CA_BUNDLE is an array of CA certs with both the server cert for the endpoint you want to hit and that cert’s complete cert chain in .pem format. You must include all certs in the chain up to the trust root.

Where are these options documented?

HTTPS is the HTTP protocol over TLS/SSL. In Node.js this is implemented as a separate module.

Therefore options passed to the https.Agent are a merge of the options passed to tls.connect() and tls.createSecureContext().

More Related Contents:

  1. Assigning a domain name to localhost for development environment
  2. Ignore invalid self-signed ssl certificate in node.js with https.request?
  3. Error: unable to verify the first certificate in nodejs
  4. create a trusted self-signed SSL cert for localhost (for use with Express/Node)
  5. receiving error: ‘Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN’ while using npm
  6. How do I setup a SSL certificate for an express.js server?
  7. How to force SSL / https in Express.js
  8. npm install error – unable to get local issuer certificate
  9. How to create .pem files for https web server
  10. Is it Possible to Dynamically Return an SSL Certificate in NodeJS?
  11. Connecting Heroku App to Atlas MongoDB Cloud service
  12. NodeJS, Axios – post file from local server to another server
  13. How do I use a self signed certificate for a HTTPS Node.js server?
  14. “Cannot use import statement outside a module” with Axios
  15. Axios (in React-native) not calling server in localhost
  16. Client certificate validation on server side, DEPTH_ZERO_SELF_SIGNED_CERT error
  17. Access to XMLHttpRequest at ‘…’ from origin ‘localhost:3000’ has been blocked by CORS policy
  18. React Proxy error: Could not proxy request /api/ from localhost:3000 to http://localhost:8000 (ECONNREFUSED)
  19. How do I use the node.js request module to make an SSL call with my own certificate?
  20. How would I create a for-loop in Node.js
  21. What is the –save option for npm install?
  22. Cannot overwrite model once compiled Mongoose
  23. How do I restore a missing IIS Express SSL Certificate?
  24. req.locals vs. res.locals vs. res.data vs. req.data vs. app.locals in Express middleware
  25. Node.js – Find home directory in platform agnostic way
  26. Restart node upon changing a file
  27. Node.js Event loop
  28. Deploy Nodejs on Heroku fails serving static files located in subfolders
  29. convert streamed buffers to utf8-string
  30. Getting 404 when attempting to publish new package to NPM

Leave a Comment