Custom CA Certificates
Configure custom SSL/TLS certificates for accessing private registries with self-signed certificates or internal certificate authorities.
If your private registries or package feeds use self-signed certificates or internal certificate authorities, you need to provide custom CA certificates to Paklo. This is common when using:
- Internal JFrog Artifactory or Nexus repositories
- Corporate proxy servers with SSL inspection
- Azure DevOps Artifacts with custom certificates
- Self-signed certificates in development environments
Custom CA certificates are not supported in the hosted service. Use the Azure DevOps extension or CLI if you need this feature.
Environment Variables
Paklo supports two environment variables for custom CA certificates:
CUSTOM_CA_PATH
Set this to the path of your custom CA certificate file:
```bash
export CUSTOM_CA_PATH=/path/to/your/certificate.crt
```

NODE_EXTRA_CA_CERTS
Alternatively, use Node.js's standard environment variable:
```bash
export NODE_EXTRA_CA_CERTS=/path/to/your/certificate.crt
```

Certificate Format
The certificate file must be in PEM format. This is a text-based format that looks like:
```text
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKL0UG+mRKe...
...
-----END CERTIFICATE-----
```

If you have a certificate in another format (such as .der or .pfx), you'll need to convert it to PEM first.
Usage with CLI
When using the Paklo CLI, set the environment variable before running commands:
```bash
# Set the custom CA certificate path
export CUSTOM_CA_PATH=/etc/ssl/certs/company-ca.crt

# Run Paklo CLI
paklo run \
  --organization-url https://dev.azure.com/my-org \
  --project my-project \
  --repository my-repo \
  --git-token $GIT_TOKEN \
  --debug
```

Example: JFrog Artifactory
If you're using an internal JFrog Artifactory server:
```bash
# Export your company's root CA certificate
export CUSTOM_CA_PATH=/etc/ssl/certs/company-root-ca.crt

# Configure your dependabot.yml with the Artifactory registry
# (see Private Registries documentation)

# Run Paklo
paklo run \
  --organization-url https://dev.azure.com/my-org \
  --project my-project \
  --repository my-repo \
  --git-token $GIT_TOKEN
```

Example: Corporate Proxy with SSL Inspection
If your network uses a proxy that intercepts SSL traffic:
```bash
# Export the proxy's CA certificate
export NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/proxy-ca.crt

# Also set proxy environment variables if needed
export https_proxy=http://proxy.company.com:8080
export http_proxy=http://proxy.company.com:8080

paklo run --organization-url https://dev.azure.com/my-org ...
```

Usage with Azure DevOps Extension
When using the Azure DevOps extension in pipelines, you can set the environment variable in your pipeline YAML:
```yaml
steps:
  - task: dependabot@2
    inputs:
      mergeStrategy: 'squash'
    env:
      CUSTOM_CA_PATH: /path/to/certificate.crt
```

Or mount the certificate file and set the path:
```yaml
steps:
  # Write the PEM text held in the CompanyCACertificate pipeline variable to a file
  - script: |
      echo "$COMPANY_CA_CERT" > /tmp/company-ca.crt
    displayName: 'Create CA certificate file'
    env:
      COMPANY_CA_CERT: $(CompanyCACertificate)
  - task: dependabot@2
    inputs:
      mergeStrategy: 'squash'
    env:
      CUSTOM_CA_PATH: /tmp/company-ca.crt
```

Troubleshooting
Certificate Not Working
If you're still getting TLS errors after setting the certificate:
- Verify the certificate path: make sure the file exists and is readable:

  ```bash
  ls -la $CUSTOM_CA_PATH
  cat $CUSTOM_CA_PATH  # Should show the PEM-formatted certificate
  ```

- Check the certificate format: the certificate must be PEM. Convert it if needed:

  ```bash
  # Convert DER to PEM
  openssl x509 -inform der -in certificate.der -out certificate.pem
  ```

- Use the full certificate chain: you may need the complete chain, not just the root CA:

  ```bash
  # Combine multiple certificates into one file
  cat root-ca.crt intermediate-ca.crt > full-chain.crt
  export CUSTOM_CA_PATH=/path/to/full-chain.crt
  ```

- Enable debug logging: run with the `--debug` flag to see detailed error messages:

  ```bash
  paklo run --debug -v trace ...
  ```
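The script below is an added example, not part of Paklo, that automates the first three checks above together with the PEM requirement from the Certificate Format section: it confirms the file exists and is readable, detects a DER file and converts it with the standard library, verifies that every `BEGIN CERTIFICATE` block decodes to a DER SEQUENCE, and reports how many certificates the bundle holds (a full chain has more than one). `SAMPLE_DER` is a constructed stand-in used only to exercise the structural checks; it is not a real certificate, and the file path argument is whatever you point `CUSTOM_CA_PATH` at.

```python
"""Check a CA bundle before pointing CUSTOM_CA_PATH / NODE_EXTRA_CA_CERTS at it.

Covers the troubleshooting steps above without leaving the standard library:
the file exists and is readable, every block is a well-formed PEM certificate,
a DER file is detected and converted, and the number of certificates in the
bundle is reported (a full chain has more than one).
"""
import base64
import os
import re
import ssl
import sys

# One PEM certificate block; tolerates CRLF line endings.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed stand-in for a DER certificate: a minimal SEQUENCE containing one
# INTEGER. It exercises the structural checks below; it is NOT a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def der_is_certificate(der: bytes) -> bool:
    """Structural check only: an X.509 certificate is a DER SEQUENCE (tag 0x30)
    whose encoded length covers exactly the rest of the buffer."""
    if len(der) < 4 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        length, header = first, 2
    else:  # long-form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def split_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every certificate block in a PEM bundle.
    Raises ValueError for a block that is not base64 or not a DER SEQUENCE."""
    certs = []
    for i, match in enumerate(_PEM_BLOCK.finditer(text), start=1):
        body = "".join(match.group(1).split())  # drop line breaks and whitespace
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f"certificate #{i}: body is not valid base64 ({exc})")
        if not der_is_certificate(der):
            raise ValueError(f"certificate #{i}: decoded bytes are not a DER certificate")
        certs.append(der)
    return certs


def normalize_bundle(raw: bytes) -> tuple[str, bool]:
    """Return (pem_text, converted). A single DER file (leading SEQUENCE tag) is
    converted with the stdlib; anything else is treated as PEM text."""
    if raw[:1] == b"\x30" and der_is_certificate(raw):
        return ssl.DER_cert_to_PEM_cert(raw), True
    return raw.decode("ascii", errors="replace"), False


def inspect_bytes(raw: bytes) -> dict:
    """Summarise bundle contents: format problems, or the certificate count."""
    pem, converted = normalize_bundle(raw)
    try:
        certs = split_pem_bundle(pem)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    if not certs:
        return {"ok": False, "reason": "no '-----BEGIN CERTIFICATE-----' block found (not PEM?)"}
    return {"ok": True, "count": len(certs), "converted_from_der": converted}


def inspect_bundle(path: str) -> dict:
    """First check (path exists and is readable), then the content checks."""
    if not os.path.isfile(path):
        return {"ok": False, "reason": f"{path} does not exist or is not a regular file"}
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError as exc:
        return {"ok": False, "reason": f"{path} is not readable: {exc}"}
    return inspect_bytes(raw)


if __name__ == "__main__":
    # Usage: python check_bundle.py [/path/to/bundle.crt]; defaults to $CUSTOM_CA_PATH,
    # and falls back to the constructed sample when neither is given.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("CUSTOM_CA_PATH", "")
    result = inspect_bundle(target) if target else inspect_bytes(SAMPLE_DER)
    print(result)
    if result["ok"] and result["count"] == 1:
        print("note: only one certificate; if the server uses an intermediate CA, "
              "append it to the bundle (see the full-chain step above)")
```

A count of 1 is not an error by itself, but it is the first thing to look at when the registry is signed by an intermediate CA, since Node will then be missing the link between the server certificate and your root.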
Error: "Cannot read TLS response"
This error typically indicates:
- The certificate path is incorrect or the file doesn't exist
- The certificate doesn't match the server you're connecting to
- You need the full certificate chain, not just the root CA
Testing the Certificate
Test your certificate configuration before running Paklo:
```bash
# Test with curl
curl --cacert $CUSTOM_CA_PATH https://your-registry.company.com

# Test with openssl
openssl s_client -connect your-registry.company.com:443 -CAfile $CUSTOM_CA_PATH
```

Getting Your Certificate
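As an added example (not Paklo's own tooling), the following Python script does what the curl and openssl commands above do, but trusts only the bundle named in `CUSTOM_CA_PATH` or `NODE_EXTRA_CA_CERTS` and maps the OpenSSL verification message onto the causes listed under "Cannot read TLS response". The host name `your-registry.company.com` is a placeholder. Note that the probe is stricter than Node: `NODE_EXTRA_CA_CERTS` adds your CAs on top of Node's bundled roots, whereas this context contains nothing but your bundle, so a failure against a registry signed by a public CA is expected here.

```python
"""Probe a registry with a custom CA bundle and explain a TLS verification failure."""
import os
import socket
import ssl
import sys


def explain(error_text: str) -> str:
    """Map an OpenSSL verification message onto the troubleshooting causes above.
    Works on the text of ssl.SSLCertVerificationError, so it can be tested offline."""
    msg = error_text.lower()
    if "unable to get local issuer certificate" in msg:
        return ("the server's chain does not lead to a CA in the bundle: add the issuing "
                "intermediate(s) or the right root (full chain)")
    if "self-signed certificate" in msg:
        return "the server presented a self-signed certificate that is not in the bundle"
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "the certificate is valid but was issued for a different host name"
    if "certificate has expired" in msg:
        return "the server certificate has expired"
    return "verification failed for another reason; re-run Paklo with --debug for details"


def probe(host: str, port: int, cafile: str, timeout: float = 5.0) -> dict:
    """Open a TLS connection that trusts only `cafile` and report the outcome."""
    if not os.path.isfile(cafile):
        return {"ok": False, "cause": f"CA bundle {cafile} does not exist"}
    try:
        # Passing cafile means the default system roots are NOT loaded.
        ctx = ssl.create_default_context(cafile=cafile)
    except ssl.SSLError as exc:
        return {"ok": False, "cause": f"bundle could not be loaded, is it PEM? ({exc})"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
                }
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "cause": explain(str(exc)), "detail": str(exc)}
    except ssl.SSLError as exc:
        return {"ok": False, "cause": f"TLS handshake failed: {exc}"}
    except OSError as exc:
        return {"ok": False, "cause": f"could not connect to {host}:{port}: {exc}"}


if __name__ == "__main__":
    # Usage: python probe_registry.py [host]; the bundle comes from the same
    # environment variables Paklo reads.
    host = sys.argv[1] if len(sys.argv) > 1 else "your-registry.company.com"  # placeholder
    cafile = os.environ.get("CUSTOM_CA_PATH") or os.environ.get("NODE_EXTRA_CA_CERTS", "")
    print(probe(host, 443, cafile))
```

When the result is `ok`, the `issuer` field tells you which CA actually signed the registry's certificate; if that is an intermediate you have not included in the bundle, that is the certificate to append.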
From macOS Keychain
```bash
# Export from Keychain Access (-a: all matching certificates, -p: PEM output).
# Add -c "YourCompany" to restrict the match to a common name.
security find-certificate -a -p > company-certificates.pem
```

From Windows Certificate Store
```powershell
# Export using PowerShell. Export() returns DER bytes, so wrap them in PEM
# headers, which is the format Paklo expects.
$cert = Get-ChildItem -Path Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*YourCompany*" } |
    Select-Object -First 1
$bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`n" +
    [System.Convert]::ToBase64String($bytes, [System.Base64FormattingOptions]::InsertLineBreaks) +
    "`n-----END CERTIFICATE-----"
Set-Content -Path "company-ca.crt" -Value $pem -Encoding ascii
```

From Linux
On many Linux systems, CA certificates are stored in:
- /etc/ssl/certs/
- /usr/local/share/ca-certificates/
From Your Browser
- Visit the site in your browser (e.g., https://artifactory.company.com)
- Click the padlock icon in the address bar
- Click "Certificate" or "View Certificate"
- Export the certificate in PEM format
Related Documentation
- Private Registries - Configure private package registries
- CLI Reference - Complete CLI documentation
- Troubleshooting - Common issues and solutions