From 4ae410cccd9a44ef5f798b87f89919ddab246e9f Mon Sep 17 00:00:00 2001
From: Alan Agius <17563226+alan-agius4@users.noreply.github.com>
Date: Mon, 8 Dec 2025 08:39:49 +0000
Subject: [PATCH] fix(@angular/build): support NODE_EXTRA_CA_CERTS in SSR SSL plugin

This commit adds support for the 'NODE_EXTRA_CA_CERTS' environment variable when configuring the global dispatcher for the SSR SSL plugin. This ensures that custom CA certificates specified via this environment variable are correctly trusted.

Closes #31983
---
 .../src/tools/vite/plugins/ssr-ssl-plugin.ts | 26 ++++++++++++++-----
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/packages/angular/build/src/tools/vite/plugins/ssr-ssl-plugin.ts b/packages/angular/build/src/tools/vite/plugins/ssr-ssl-plugin.ts
index 0cde7f89ef0a..80ddf56e739a 100644
--- a/packages/angular/build/src/tools/vite/plugins/ssr-ssl-plugin.ts
+++ b/packages/angular/build/src/tools/vite/plugins/ssr-ssl-plugin.ts
@@ -6,7 +6,8 @@
 * found in the LICENSE file at https://angular.dev/license
 */
 
-import { rootCertificates } from 'node:tls';
+import { readFile } from 'node:fs/promises';
+import { getCACertificates, rootCertificates, setDefaultCACertificates } from 'node:tls';
 import type { Plugin } from 'vite';
 
 export function createAngularServerSideSSLPlugin(): Plugin {
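Review bot: The named imports of `getCACertificates` and `setDefaultCACertificates` only support the later guard `if (getCACertificates && setDefaultCACertificates)` if a missing export resolves to `undefined`. That holds for CommonJS output, but a native ESM import of a Node builtin fails at module load when a named export is missing. The emitted module format is not visible here, so this may be fine today. A comment such as `// May be undefined on older Node.js; the guard below relies on CommonJS interop.` would record the assumption, or `import * as tls from 'node:tls'` with checks on `tls.setDefaultCACertificates` would remove it.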
@@ -35,17 +36,30 @@ export function createAngularServerSideSSLPlugin(): Plugin {
 httpServer.ALPNProtocols = ['http/1.1'];
 }
 
- // TODO(alanagius): Replace `undici` with `tls.setDefaultCACertificates` once we only support Node.js 22.18.0+ and 24.5.0+.
- // See: https://nodejs.org/api/tls.html#tlssetdefaultcacertificatescerts
+ const { cert } = https;
+ const additionalCerts = Array.isArray(cert) ? cert : [cert];
+
+ // TODO(alanagius): Remove the `if` check once we only support Node.js 22.18.0+ and 24.5.0+.
+ if (getCACertificates && setDefaultCACertificates) {
+ const currentCerts = getCACertificates('default');
+ setDefaultCACertificates([...currentCerts, ...additionalCerts]);
+
+ return;
+ }
+
+ // TODO(alanagius): Remove the below and `undici` dependency once we only support Node.js 22.18.0+ and 24.5.0+.
 const { getGlobalDispatcher, setGlobalDispatcher, Agent } = await import('undici');
 const originalDispatcher = getGlobalDispatcher();
- const { cert } = https;
- const certificates = Array.isArray(cert) ? cert : [cert];
+ const ca = [...rootCertificates, ...additionalCerts];
+ const extraNodeCerts = process.env['NODE_EXTRA_CA_CERTS'];
+ if (extraNodeCerts) {
+ ca.push(await readFile(extraNodeCerts));
+ }
 
 setGlobalDispatcher(
 new Agent({
 connect: {
- ca: [...rootCertificates, ...certificates],
+ ca,
 },
 }),
 );
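Review bot: The `setDefaultCACertificates([...currentCerts, ...additionalCerts])` branch widens trust for every TLS client in the process that does not pass its own `ca`, not only undici's global dispatcher. It also returns before any code after the hunk runs, so if the function later restores `originalDispatcher` on shutdown (not visible here), this path has no equivalent revert. A dev-server certificate is often self-signed, so I would at least record that above the call, e.g. `// NOTE: extends the process-wide default CA list for all tls/https clients; not reverted when the server closes.` Separately, in the undici fallback `await readFile(extraNodeCerts)` rejects when the file is missing or unreadable, whereas Node.js itself only emits a warning for a bad `NODE_EXTRA_CA_CERTS` path; wrapping the read in `try`/`catch` and logging a warning would keep the server setup from failing on it. The enclosing function starts and ends outside the hunk.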