AddTrust SSL CA root cert expired (as bundled with NodeJS) - updated one published

[wallyhall]

Hello,
We're experiencing a number of issues around Azure DevOps plugins (which appear to use NodeJS under the hood) and our own internal NodeJS applications when connecting to TLS services using AddTrust based certificates.

This all started happening since their "legacy" CA root certificate expired on the 30th.

Looking at NodeJS, if I've understood correctly, the AddTrust CA root cert (as bundled) is the "legacy" cert which expired on the 30th.

I would happily raise a PR myself, but SSL certificates always prove to be way over my head! It looks like the NodeJS team regularly update the certs though, I assume this is a relatively easy patch?

I'll also cross-reference this issue with Microsoft Azure DevOps agent github too...

[Zeal0us]

Same issue, unfortunately until the old one is removed from the list it seems to break. (i.e. wget didn't work in my debian based container until I excluded mozilla/AddTrust_External_Root.crt and updated CAs). Unfortunately node doesn't seem to much care what the OS thinks.

[wallyhall]

@Zeal0us yeah, it looks like a set of certs are bundled with it (separate to the OS).

[AshCripps]

opened a PR to update the certs - #33682

[sam-github]

Until the NSS update lands, https://nodejs.org/api/cli.html#cli_use_bundled_ca_use_openssl_ca can be used to force node.js to use an external cert store.

[sam-github]

And, FTR, https://github.com/nodejs/node/blob/master/doc/guides/maintaining-root-certs.md is the cert maintenance process.

[targos]

Fixed in #33682