bvm install command not correctly handling proxy certificate #22

Closed
mitchdotdeveloper opened this issue Nov 11, 2021 · 20 comments · Fixed by #52

@mitchdotdeveloper

mitchdotdeveloper commented Nov 11, 2021

Creating a new issue from recent comments on issue #18 @GiladShoham

versions

bvm -v 0.0.30
node -v 16.13.0
npm -v 8.1.2

bvm config

{
  BVM_DIR: '...',
  DEFAULT_LINK: 'bit',
  'proxy.cert': 'Zscaler Root CA.pem',
  proxy: 'http://gateway.zscalerthree.net:8080'
}

error

% bvm install
request to https://storage.googleapis.com/storage/v1/b/bvm.bit.dev/o?prefix=versions/dev/Darwin/ failed, reason: unable to get local issuer certificate
FetchError: request to https://storage.googleapis.com/storage/v1/b/bvm.bit.dev/o?prefix=versions/dev/Darwin/ failed, reason: unable to get local issuer certificate
    at ClientRequest.<anonymous> (/Users/.../.nvm/versions/node/v16.13.0/lib/node_modules/@teambit/bvm/node_modules/node-fetch/lib/index.js:1461:11)
    at ClientRequest.emit (node:events:390:28)
    at TLSSocket.socketErrorListener (node:_http_client:447:9)
    at TLSSocket.emit (node:events:390:28)
    at emitErrorNT (node:internal/streams/destroy:157:8)
    at emitErrorCloseNT (node:internal/streams/destroy:122:3)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)

additional information

  • The pem file I'm passing to proxy.cert is a valid root certificate
  • When browsing, the proxy correctly acknowledges the root cert and picks up 2 intermediate certificates
  • If I paste in the URL above https://storage.googleapis.com/storage/v1/b/bvm.bit.dev/o?prefix=versions/dev/Darwin/ in my browser - I get a 200 ok and data back

It seems that the bvm install command is not getting the necessary intermediate certificates from the proxy. But having said that, I don't know enough about proxies in practice to know if that is accurate.

@GiladShoham
Member

@mitchdotdeveloper The certificate value you enter is incorrect.
It should contain the certificate itself, not the file path.
See the docs for npm config here - https://docs.npmjs.com/cli/v7/using-npm/config#cert
it's the same with bvm.

@mitchdotdeveloper
Author

@GiladShoham I followed the npm config docs and set the proxy.cert field on the bvm config and I still received the same error as above. I also tried with proxy.ca. bvm config set proxy.cert "..." & bvm config set proxy.ca "...". I do find it odd that when I successfully set the values, when I run bvm config it shows 'proxy.ca': true instead of the string value I set with the cert.

{
  BVM_DIR: '/.bvm',
  DEFAULT_LINK: 'bit',
  'proxy.ca': true,
  proxy: '...'
}

Also I notice there is another issue #23 - I'm also on a Mac and running bvm list -r fails with the same error above.

@GiladShoham
Member

Can you paste here how you set the values in the bvm config?
It shouldn't have the value true but the real string.

@mitchdotdeveloper
Author

bvm config set proxy.ca "-----BEGIN CERTIFICATE-----\n.....\n-----END CERTIFICATE-----" @GiladShoham
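
An added example, not part of the thread or of bvm's code: a JavaScript check for the three value shapes seen so far in a setting that should hold PEM text (a file name, the boolean true, and a PEM whose \n escapes were never expanded). The name inspectCaValue and the sample body are constructed for illustration; how bvm itself parses the value is not shown on this page.

```javascript
// Added example, not bvm code. Checks a value that is supposed to hold PEM
// text (for instance a `ca` option) before it reaches Node's TLS stack.
const PEM_BLOCK = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;

function inspectCaValue(value) {
  if (typeof value !== 'string') {
    return { ok: false, reason: 'not-a-string', certs: 0 };
  }
  // Inside shell double quotes "\n" stays a backslash plus "n", so the
  // stored value may be one long line instead of a multi-line PEM.
  const hadEscapes = value.includes('\\n');
  const text = value.replace(/\\n/g, '\n').trim();
  if (!text.includes('-----BEGIN CERTIFICATE-----')) {
    return { ok: false, reason: 'no-pem-header-maybe-a-file-path', certs: 0 };
  }
  let certs = 0;
  for (const [, body] of text.matchAll(PEM_BLOCK)) {
    const b64 = body.replace(/\s+/g, '');
    const der = Buffer.from(b64, 'base64');
    // A certificate is a DER SEQUENCE (first byte 0x30); the round trip
    // rejects bodies containing characters outside the base64 alphabet.
    if (der[0] !== 0x30 || der.toString('base64') !== b64) {
      return { ok: false, reason: 'malformed-pem-body', certs };
    }
    certs += 1;
  }
  if (certs === 0) {
    return { ok: false, reason: 'missing-end-marker', certs };
  }
  return { ok: true, reason: hadEscapes ? 'ok-after-unescaping' : 'ok', certs, pem: text };
}

// Constructed body: a tiny DER SEQUENCE, not a real certificate.
const SAMPLE_BODY = Buffer.from([0x30, 0x03, 0x02, 0x01, 0x01]).toString('base64');
const wrap = (sep) =>
  ['-----BEGIN CERTIFICATE-----', SAMPLE_BODY, '-----END CERTIFICATE-----'].join(sep);

// The three shapes that show up in this thread, plus a well-formed value.
const SAMPLES = {
  filePath: 'Zscaler Root CA.pem',
  booleanFromConfig: true,
  escapedNewlines: wrap('\\n'),
  realNewlines: wrap('\n'),
};

for (const [name, value] of Object.entries(SAMPLES)) {
  console.log(name, inspectCaValue(value).reason);
}
```

The check is structural only: it does not prove the certificate is a CA or that it chains to what the proxy presents.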

@GiladShoham
Member

Really weird
Can you try going to the ~/.bvm folder, into the config.json file (might be inside a config folder), and set it manually there?

@mitchdotdeveloper
Author

mitchdotdeveloper commented Nov 15, 2021

Yes I was able to manually add it to the configuration file and it showed as expected with the bvm config command for both proxy.ca and proxy.cert, but I am still receiving the same error on bvm install. @GiladShoham

@iamshrivishnu

@mitchdotdeveloper Any specific reason for using ZScaler proxy? By the way, without the proxy the installation fails due to incorrect certificate of bvm.bit.com. Do check the issue teambit/bit#5213

@mitchdotdeveloper
Author

@iamshrivishnu I have to use it for my company. I read your linked issue - I'm not sure what you are suggesting as a fix?

@zmanring

zmanring commented Jan 7, 2022

Anyone figure out a workaround for this? I am stuck, I was able to get around the certs for NPM and Yarn but not BVM.

@iamshrivishnu

@mitchdotdeveloper I feel you need to get *.bit.dev whitelisted from the ZScaler proxy as BVM uses a handful of resources and with the approach the team is using you will not be able to complete the setup. Currently the system follows these steps:

  1. It connects to Google Storage to get the latest version
  2. Based on the version received from Google Storage, it is downloaded from bvm.bit.com which uses the certificate issued to a CDN and bvm.bit.dev is added as alias
  3. Once download is complete, you will be able to initialize bit
  4. In the steps where you set up the components, many more subdomains of bit.dev come up, like node.bit.dev

Since the application will use the same certificate that you generated for both Step 1 and Step 2, the installation will fail. Getting the wildcard whitelisted will not only get the issue resolved for now but will also help in the steps involved to set up bit.

@gboujaoude

gboujaoude commented Jun 17, 2022

I super appreciate the explanation @iamshrivishnu, but I don't think it will be easy to get a url whitelisted to a company's proxy certificate. By chance is there a way to install bit without needing bvm or whitelisting the url?

@mitchdotdeveloper
Author

I'll most likely be closing this issue soon as the way around it was whitelisting the URLs used by Bit in ZScaler.

@gboujaoude

gboujaoude commented Jun 17, 2022

Oh bummer about not having another workaround. By chance have you already tried downloading bit.dev from their releases page? I'm in the middle of trying it out, and not sure if you've already had any experience doing so/know if it works.

@gboujaoude

I started to get a workaround, but it ended up crashing for me. I'm posting in case it works for you @mitchdotdeveloper: I ended up pulling their linux tarball from their releases page. Did a chmod +x <linux tarball> and tried running it from there. I think it would have worked, but unfortunately when running a bit start I ended up getting a Module not found error.

@iamshrivishnu

@gboujaoude As per the current code we can use 2 ways to install bvm

  1. With the use of bvm install 0.0.200 for installing a version of bit using storage bucket.
  2. With the use of bvm install -f "/tmp/bit-0.0.740.tar.gz" for installing a version of bit using a local tar file

Hope this works.

@gboujaoude

gboujaoude commented Jul 5, 2022

Hi @iamshrivishnu thank you for the examples. I'm running the bvm install -f <tar> to bypass the proxy errors. However I think bvm is still attempting to reach the internet when installing a local tar file, which would effectively eliminate the reason why I would try using the -f option as a workaround to the proxy.

I tried testing whether bvm install -f connected to the internet by:

  1. downloaded this windows tarball https://bvm.bit.dev/versions/dev/Windows_NT/0.0.481/bit-0.0.481.tar.gz
  2. disconnected from the internet
  3. ran bvm install -f ...
  4. Produced the following error:
FetchError: request to https://storage.googleapis.com/storage/v1/b/bvm.bit.dev/o?prefix=versions/dev/Windows_NT/ failed, reason: getaddrinfo ENOTFOUND storage.googleapis.com

Any thoughts?

@iamshrivishnu

Agreed with your reasoning.
@GiladShoham any comments?

@GiladShoham
Member

GiladShoham commented Jul 6, 2022

This seems like a bug.
Me or @zkochan will check it out and update here.

@maka-io

maka-io commented Dec 6, 2022

It's a bummer that neither the cert (we use zscaler as well) option nor the manual options work here. I have failures left and right 😞

With the manual install option:
bvm install 0.0.888 -f /bit-0.0.888.tar.gz

I get:

✔ copy from /bit-0.0.888.tar.gz to /root/.bvm/temp/bit-0.0.888.tar.gz in 5 milliseconds
✔ extracting version 0.0.888 in 3.515 seconds
- removing /root/.bvm/temp/bit-0.0.888.tar.gz
✔ removing /root/.bvm/temp/bit-0.0.888.tar.gz in 1 millisecond
- moving from temp folder to final location
✔ moving from temp folder to final location in 1 millisecond

Error: /root/.bvm/versions/0.0.888/bit-0.0.888/node_modules/@teambit/bit/package.json: ENOENT: no such file or directory, open '/root/.bvm/versions/0.0.888/bit-0.0.888/node_modules/@teambit/bit/package.json'

@mitchdotdeveloper
Author

In pursuit of other cert related issues I came across the NODE_EXTRA_CA_CERTS option in node. By setting this option in my shell file export NODE_EXTRA_CA_CERTS="$HOME/path/to/ZScaler.pem" I was able to resolve all of my unable to get local issuer certificate problems. Obviously YMMV, but I haven't had that issue come up with bit or any other programs I've been using.
