JS SDK does not support CA bundle configuration

[jkenn99]

Confirm by changing [ ] to [x] below to ensure that it's a bug:

• I've gone though Developer Guide and API reference
• I've checked AWS Forums and StackOverflow for answers
• I've searched for previous similar issues and didn't find any solution

Describe the bug
The AWS CLI and other SDKs support configuration of a custom SSL/TLS CA bundle path using the AWS_CA_BUNDLE environment variable or ca_bundle key in ~/.aws/config. Neither of these are supported by the JS SDK.

Is the issue in the browser/Node.js?
Node.js

If on Node.js, are you running this on AWS Lambda?
N/A

Details of the browser/Node.js version
v10.17.0

SDK version number
2.576.0

To Reproduce (observed behavior)
My corporate network uses TLS interception with an internal root CA. This CA is added to a custom CA bundle set in ~/.aws/config:

[default]
ca_bundle = /path/to/ca-bundle.trust.crt

When attempting to make any requests using the AWS JS SDK, I get something like the following result:

Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
    at TLSSocket.emit (events.js:198:13)
    at TLSSocket.EventEmitter.emit (domain.js:448:20)
    at TLSSocket._finishInit (_tls_wrap.js:636:8)
  message: 'self signed certificate in certificate chain',
  code: 'NetworkingError',
  region: 'us-east-1',
  hostname: 'sts.amazonaws.com',
  retryable: true,
  time: 2019-11-21T23:48:23.555Z

Expected behavior
The JS SDK should match the behaviour of the CLI and other SDKs with support for a custom CA bundle.

[ajredniwja]

Hey @jkenn99,

Thank-you for reaching out to us with your issue. The CLI provides with a lot of customization options however other SDKs may implement the functionality differently. To load CA bundle using JS-SDK you can see the issue #662.

Marking this as a feature request for maybe let the SDK team work on it in the future.

[jkenn99]

Hi @ajredniwja that actually doesn't work, I think it is since httpOptions isn't passed through to the agent options but I'm not sufficiently familiar with the code.
Does the JS SDK use ~/.aws/config at all? If so, why some parameters and not this one?

[ajredniwja]

Hi @ajredniwja that actually doesn't work, I think it is since httpOptions isn't passed through to the agent options but I'm not sufficiently familiar with the code.
Does the JS SDK use ~/.aws/config at all? If so, why some parameters and not this one?

Apologies, I lost track of this, have you checked the StackOverflow answer which explains how it is done ?

[github-actions]

Greetings! We’re closing this issue because it has been open a long time and hasn’t been updated in a while and may not be getting the attention it deserves. We encourage you to check if this is still an issue in the latest release and if you find that this is still a problem, please feel free to comment or open a new issue.

[jakauppila]

In my opinion this should still be implemented to bring the JS SDK up to the level of the other SDKs.