diff --git a/packages/angular/build/src/tools/vite/plugins/ssr-ssl-plugin.ts b/packages/angular/build/src/tools/vite/plugins/ssr-ssl-plugin.ts
index 0cde7f89ef0a..80ddf56e739a 100644
--- a/packages/angular/build/src/tools/vite/plugins/ssr-ssl-plugin.ts
+++ b/packages/angular/build/src/tools/vite/plugins/ssr-ssl-plugin.ts
@@ -6,7 +6,8 @@
 * found in the LICENSE file at https://angular.dev/license
 */
-import { rootCertificates } from 'node:tls';
+import { readFile } from 'node:fs/promises';
+import { getCACertificates, rootCertificates, setDefaultCACertificates } from 'node:tls';
 import type { Plugin } from 'vite';
 export function createAngularServerSideSSLPlugin(): Plugin {
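Review bot: The named imports of `getCACertificates` and `setDefaultCACertificates` may defeat the feature check that the second hunk adds, `if (getCACertificates && setDefaultCACertificates)`. If this package is emitted as ES modules, a Node.js release that lacks either export fails at module link time with a SyntaxError, so the `undici` fallback is never reached; the check only works when the import compiles to a CommonJS property read. A namespace import avoids depending on the output format: `import * as tls from 'node:tls';` with the guard written as `if (tls.getCACertificates && tls.setDefaultCACertificates)`.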
@@ -35,17 +36,30 @@ export function createAngularServerSideSSLPlugin(): Plugin {
 httpServer.ALPNProtocols = ['http/1.1'];
 }
- // TODO(alanagius): Replace `undici` with `tls.setDefaultCACertificates` once we only support Node.js 22.18.0+ and 24.5.0+.
- // See: https://nodejs.org/api/tls.html#tlssetdefaultcacertificatescerts
+ const { cert } = https;
+ const additionalCerts = Array.isArray(cert) ? cert : [cert];
+
+ // TODO(alanagius): Remove the `if` check once we only support Node.js 22.18.0+ and 24.5.0+.
+ if (getCACertificates && setDefaultCACertificates) {
+ const currentCerts = getCACertificates('default');
+ setDefaultCACertificates([...currentCerts, ...additionalCerts]);
+
+ return;
+ }
+
+ // TODO(alanagius): Remove the below and `undici` dependency once we only support Node.js 22.18.0+ and 24.5.0+.
 const { getGlobalDispatcher, setGlobalDispatcher, Agent } = await import('undici');
 const originalDispatcher = getGlobalDispatcher();
- const { cert } = https;
- const certificates = Array.isArray(cert) ? cert : [cert];
+ const ca = [...rootCertificates, ...additionalCerts];
+ const extraNodeCerts = process.env['NODE_EXTRA_CA_CERTS'];
+ if (extraNodeCerts) {
+ ca.push(await readFile(extraNodeCerts));
+ }
 setGlobalDispatcher(
 new Agent({
 connect: {
- ca: [...rootCertificates, ...certificates],
+ ca,
 },
 }),
 );
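Review bot: The new `setDefaultCACertificates([...currentCerts, ...additionalCerts])` branch widens the default trust store for every TLS client in the process and then returns, with nothing visible in the hunk that undoes it. The fallback keeps `originalDispatcher`, presumably so that code after this hunk can restore it, so the two paths may now differ in how long the dev certificate stays trusted; if this code runs again after a dev-server restart, the same certificate is also appended a second time. Consider restoring the saved list before the `return`, e.g. `httpServer.on('close', () => setDefaultCACertificates(currentCerts));`. Separately, `await readFile(extraNodeCerts)` rejects on an unreadable path, whereas Node.js itself only warns and continues for a bad `NODE_EXTRA_CA_CERTS`, so a `try`/`catch` that logs and carries on would match that behaviour. The enclosing function starts and ends outside the hunk.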