#TLS Certificate, FIXED BACKEND, Now Frontend

alright I'm almost there

I got it working in Postman

TLS Certificate, FIXED BACKEND, Now Frontend

it's working with SSL cert enabled

but my frontend is complaining now

it must work without

process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Is your frontend running in a browser, or are you fetching from a server?

If your cert is self signed, your client is running on a server, and the server is node or node-compatible, you can try setting NODE_EXTRA_CA_CERTS to your CA file

my browser can see it

it just my vite project

I'll defer on the specifics that might apply if your client runs with bun, but something to this effect works for me with a client that runs in wrangler/cloudflare workers

I was working on backend first

I tested it Postman

Postman works with rootCA certificate with no error and this setting is enabled

but moving on to front

The reason I asked about the browser is if you need fetch to work from a browser on a machine you don't control then you're going to have to abandon self-signed certs

I specified the same key, cert, and ca files in the fs like

const keyPath = path.resolve(__dirname, './backend/key.pem');
const certPath = path.resolve(__dirname, './backend/cert.pem');
const caPath = path.resolve('./backend/rootCA.pem');

wait, I need to fetch tls file from the backend?

     tls: {
            cert: Bun.file('./cert.pem'),
            key: Bun.file("./key.pem"),
            ca: Bun.file("./rootCA.pem"),

        },

I'm using mkcert, how did it work on Postman then

First question is: do you need to hit your https server from a front end that you don't control (e.g. from a user's browser)?

I have 2 separate projects

1. frontend (fetches all the http reqs from backend)
2. backend (bun)

does your frontend code run in the browser, or do you use something like SSR and just send prerendered HTML to a browser?

it's SSR, I'm running it locally

SvelteKit

Are you going to deploy it somewhere, or will it always run locally?

eventually, yes, once I deploy it, I won't need this kind of setup because https is given by default

at the moment, I'm working on it locally

ok, in theory all you should need is to get your OS/browser/frontend to trust your CA then

it does

my browser trusts

but not my frontend project lol

strange

I wouldn't see this otherwise

so you just need your rootCA in the frontend, and you use whatever mechanism your platform exposes for CAs

current error

my front is running on vite

import { sveltekit } from '@sveltejs/kit/vite';
import { createLogger, defineConfig } from 'vite';
import mkcert from'vite-plugin-mkcert'
import * as path from "path";

const keyPath = path.resolve(__dirname, './key.pem');
const certPath = path.resolve(__dirname, './cert.pem');
const caPath = path.resolve('./rootCA.pem');

const mkcertOptions = {
    autoUpgrade: true,
    keyFileName: keyPath,
    certFileName: certPath,
    logger: createLogger(
        'info',
        {
            prefix: 'mkcert',
        }
    ),
    mkcertPath: caPath,
};
export default defineConfig({
    plugins: [
        sveltekit(),
        mkcert(mkcertOptions),
    ],
    server: {
        https: true,
    },
});

i know that I had this bug before when testing in Postman, as I mentioned I had to upload rootCA to make it work

but doing the same thing in front doesn't do the job

Try setting NODE_EXTRA_CA_CERTS to the path to your rootCA

I went through this on google, I couldn't set this up

NODE_EXTRA_CA_CERTS

how do you run the frontend?

pnpm run dev

what's the dev script in packages.json?

try NODE_EXTRA_CA_CERTS=./rootCA.pem vite dev

(or an absolute path)

just right here?

yup

        "dev": "NODE_EXTRA_CA_CERTS=/Users/insidious/Library/Application\\ Support/mkcert/rootCA.pem vite dev",

I did this

worked

woah

👍

THANK YOU SO MUCH, WOAAHHH lol

np

To review, for reference:

• You have your OS/browser trusting your CA: this, along with your mkcert-related stuff in your front end should let you connect from your browser to your frontend
• You have NODE_EXTRA_CA_CERTS set, which tells node to trust your CA: this, along with your back end tls settings in bun should let you connect from your frontend to your backend

And whatever you did in postman is the equivalent for the client side of these connections

in theory, you can generate two certs, one for your front end and one for your back end and update the relevant settings

interesting ^

I must generate separate key.pem and cert.pem on both frontend and backend

but use the same rootCA for now?

It's not necessary, and the benefits are slim if you're just using it locally. But yes, you would generate a separate key/cert and share the CA.