I'm using a CLI tool to build hybrid mobile apps which has a cool upload feature so I can test the app on a device without going through the app store (it's ionic-cli). However, in my company, like so many other companies, TLS requests are re-signed with the company's own custom CA certificate, which I have on my machine in the keychain (OS X). However, Node.js does not use the keychain to get its list of CAs to trust. I don't control the ionic-cli app, so I can't simply pass in a { ca: } property to the https module. I could also see this being a problem for any Node app which I do not control. Is it possible to tell Node.js to trust a CA?
I wasn't sure if this belonged in Information Security or any of the other exchanges...
Since you don’t control the app and cannot pass the ca option (the usual way to do it), you can try telling Node not to verify certificates at all, by setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED. For example:
$ export NODE_TLS_REJECT_UNAUTHORIZED=0
Then run the app.
As @keinabel says, when you do this the app will trust any (spoofed, fake, legitimate) certificate, opening you up to man-in-the-middle attacks. The correct and safe solution would be for the app developers to let you specify a trusted CA.