SSL/TLS issues behind corporate proxy

[joelpramos]

Problem

In enterprise environments with SSL/TLS inspection proxies (e.g., Netskope, Zscaler), Supabase CLI worker containers fail when making HTTPS requests to external services because they don't trust the corporate CA certificate. It appears from the below this is happening as part of the Deno command (fetch) that is executed from within a container but presumably it will happen more broadly in any other commands from containers (i.e. will be an issue on edge functions too when they are fetching dependencies from Deno / reaching out to external web)

Root cause

• Enterprise MITM proxies intercept HTTPS and re-sign with a corporate CA.
• Supabase CLI worker containers use Deno, which validates TLS certificates.
• Deno's default CA bundle doesn't include the corporate CA.
• There's no way to inject custom CA certificates into these containers.

Proposed solutions

• Certificate mounting: add a flag like --ca-cert-file to mount a custom CA certificate into worker containers

Here's a sample from some other Dockerfile I have kicking around (added the DENO_CERT - https://docs.deno.com/runtime/reference/env_variables/#special-environment-variables):

# Copy and install SSL certificate to system store
COPY certs/root-ca.cer /usr/local/share/ca-certificates/root-ca.crt
RUN apt-get update \
    && apt-get install -y ca-certificates \
    && update-ca-certificates \
    && apt-get clean -y && rm -rf /var/lib/apt/lists/*

# Set certificate environment variables pointing to the system bundle
# The system bundle at /etc/ssl/certs/ca-certificates.crt includes both
# system certificates and our custom certadmin.crt
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/root-ca.crt
ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
ENV CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
ENV GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
ENV DENO_CERT=/etc/ssl/certs/ca-certificates.crt

Note that you will need to get opinionated on the format of the CA - I think usually .cer or .crt but haven't really done much research.

Reference from Netskope (which is the proxy I am currently behind): https://community.netskope.com/next-gen-swg-2/configuring-cli-based-tools-and-development-frameworks-to-work-with-netskope-ssl-interception-7015

[joelpramos]

So this is actually an edge-runtime problem. Guess the cli just pulls on edge-runtime to execute Deno scripts. Worked around it by:

1. pulling down edge-runtime
2. building a custom image for edge-runtime as per below
3. re-tagging in my local...

bit quick and dirty but works for now

# Custom edge-runtime with enterprise CA certificate
FROM public.ecr.aws/supabase/edge-runtime:v1.70.0

# Copy our CA bundle
COPY ca-bundle.pem /etc/ssl/certs/ca-certificates.crt

# Set env vars for Deno to use system certs
ENV DENO_TLS_CA_STORE=system
ENV DENO_CERT=/etc/ssl/certs/ca-certificates.crt
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt

[aantti]

@kallebysantos