fix: fix ci with cert issue #11462

Closed
dhmlau wants to merge 1 commit into master from fixci-cert

dhmlau (Member) commented Feb 23, 2026

CI suddenly fails with:

 1) HttpCachingProxy
       proxies HTTPs requests (no tunneling):
     Error: 502 - "Error: unable to get local issuer certificate"
      at makeRequest (packages/http-caching-proxy/src/__tests__/integration/http-caching-proxy.integration.ts:261:19)
      at processTicksAndRejections (node:internal/process/task_queues:103:5)
      at Context.<anonymous> (packages/http-caching-proxy/src/__tests__/integration/http-caching-proxy.integration.ts:88:20)

Checklist

  • DCO (Developer Certificate of Origin) signed in all commits
  • npm test passes on your machine
  • New tests added or existing tests modified to cover all changes
  • Code conforms with the style guide
  • API Documentation in code was updated
  • Documentation in /docs/site was updated
  • Affected artifact templates in packages/cli were updated
  • Affected example projects in examples/* were updated

👉 Check out how to submit a PR 👈

Signed-off-by: dhmlau <dhmlau@ca.ibm.com>
// Disable SSL certificate validation for HTTPS requests
// This is acceptable for a testing/caching proxy
httpsAgent: new (require('node:https').Agent)({
rejectUnauthorized: false,
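
Review bot: `rejectUnauthorized: false` on this `httpsAgent` turns off certificate validation for every HTTPS request made with these options, and the comment's "acceptable for a testing/caching proxy" puts no limit on where that applies. The CI error in the description, `unable to get local issuer certificate`, points at a missing issuer in the trust chain, so prefer supplying that CA through the agent's `ca` option (or `NODE_EXTRA_CA_CERTS` in the CI environment) and keep validation on. If a bypass is really needed for the integration test, make it an explicit option that defaults to validating and set it only from the test. The inline `require('node:https')` would also read better as a top-level import.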

Check failure

Code scanning / CodeQL

Disabling certificate validation (High)

Disabling certificate validation is strongly discouraged.

Copilot Autofix

AI about 3 hours ago

In general, the problem is that TLS certificate validation is disabled by setting rejectUnauthorized: false in the custom https.Agent used by Axios. The fix is to avoid disabling validation: either use the default https.Agent (no custom httpsAgent configuration at all), or explicitly set rejectUnauthorized: true. If special handling of self‑signed certificates is needed, it should be done via trusted CA configuration instead, not by turning validation off.

The minimal, non‑breaking change here is to stop passing rejectUnauthorized: false when constructing the agent. Since Node’s default HTTPS agent already enforces certificate validation, the cleanest approach is to remove the custom httpsAgent entirely and let Axios use its default. That preserves all existing behavior except for making TLS secure again. Concretely, in packages/http-caching-proxy/src/http-caching-proxy.ts, within the HttpCachingProxy constructor, we should delete the httpsAgent property (lines 92–96 in the snippet) and the associated comment about disabling SSL validation. No new imports are needed, because we will no longer use require('node:https') here. Axios will automatically use Node’s standard HTTPS handling, which validates certificates.

Suggested changeset 1
packages/http-caching-proxy/src/http-caching-proxy.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/http-caching-proxy/src/http-caching-proxy.ts b/packages/http-caching-proxy/src/http-caching-proxy.ts
--- a/packages/http-caching-proxy/src/http-caching-proxy.ts
+++ b/packages/http-caching-proxy/src/http-caching-proxy.ts
@@ -89,11 +89,6 @@
       // http status code. Please note that Axios creates a new error in such
       // condition and the original low-level error is lost
       validateStatus: () => true,
-      // Disable SSL certificate validation for HTTPS requests
-      // This is acceptable for a testing/caching proxy
-      httpsAgent: new (require('node:https').Agent)({
-        rejectUnauthorized: false,
-      }),
     });
   }
 
EOF
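
Review bot: The CI failure from the PR description is left unresolved once the `httpsAgent` lines after `validateStatus: () => true` are removed: default validation comes back, and with it the `unable to get local issuer certificate` error on the `proxies HTTPs requests (no tunneling)` test. Pair the removal with a trust-store fix for that test, for example an agent whose `ca` includes the missing issuer or `NODE_EXTRA_CA_CERTS` in CI, and consider a test asserting that the proxy rejects an untrusted certificate so a later `rejectUnauthorized: false` is caught.
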
@@ -89,11 +89,6 @@
// http status code. Please note that Axios creates a new error in such
// condition and the original low-level error is lost
validateStatus: () => true,
// Disable SSL certificate validation for HTTPS requests
// This is acceptable for a testing/caching proxy
httpsAgent: new (require('node:https').Agent)({
rejectUnauthorized: false,
}),
});
}

Copilot is powered by AI and may make mistakes. Always verify output.
dhmlau closed this Feb 23, 2026
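
The trusted-CA approach the Autofix comment recommends, next to the flagged setting, as an added example that is not code from this pull request or the project. The function names `createValidatingAgent` and `findTlsValidationBypass` and the placeholder PEM are hypothetical; a real issuer certificate would replace the placeholder before any connection is made.

```javascript
// Added example; function names and the sample PEM are hypothetical.
const https = require('node:https');
const tls = require('node:tls');

// Constructed placeholder standing in for the issuer CA the CI host lacks.
const EXTRA_CA_PEM =
  '-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n';

// Agent that keeps validation on and trusts extra CAs as well.
function createValidatingAgent(extraCaPems = []) {
  return new https.Agent({
    // An explicit `ca` replaces Node's default trust store, so the bundled
    // roots are re-added next to the extra issuer.
    ca: [...tls.rootCertificates, ...extraCaPems],
    rejectUnauthorized: true,
  });
}

// Test-setup guard: list the ways a request config would skip validation.
function findTlsValidationBypass(requestConfig, env = process.env) {
  const findings = [];
  // Node's Agent keeps its constructor options on `agent.options`.
  const opts = requestConfig.httpsAgent && requestConfig.httpsAgent.options;
  if (opts && opts.rejectUnauthorized === false) {
    findings.push('httpsAgent sets rejectUnauthorized: false');
  }
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0 disables validation process-wide');
  }
  return findings;
}

// The flagged configuration from the pull request next to the corrected one.
const flagged = {httpsAgent: new https.Agent({rejectUnauthorized: false})};
const corrected = {httpsAgent: createValidatingAgent([EXTRA_CA_PEM])};
console.log(findTlsValidationBypass(flagged, {}));
console.log(findTlsValidationBypass(corrected, {}));
```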