[Feature Request]: Electron does not respect NODE_EXTRA_CA_CERTS #41590

Closed
3 tasks done
gcobr opened this issue Mar 14, 2024 · 2 comments · Fixed by #41689


gcobr commented Mar 14, 2024

Preflight Checklist

Electron Version

29.0.0

What operating system are you using?

macOS

Operating System Version

Sonoma 14.4 (23E214)

What arch are you using?

arm64 (including Apple Silicon)

Last Known Working Electron version

No response

Expected Behavior

Electron, when running as Node, should respect the NODE_EXTRA_CA_CERTS variable and use the additional certificates in the specified bundle for SSL. This is critical when behind a corporate proxy that replaces certificates in the chain with self-signed ones that have to be trusted on a case-by-case basis.

We should be able to achieve the following with Electron:

user@macOSParallels experiment % NODE_EXTRA_CA_CERTS=~/ca/ca-cert-bundle.pem node                                       
Welcome to Node.js v21.7.1.
Type ".help" for more information.
> fetch("https://www.facebook.com").then(data => console.log("**** OK ****")).catch(e => console.error(e));
Promise {
  <pending>,
  [Symbol(async_id_symbol)]: 53,
  [Symbol(trigger_async_id_symbol)]: 52
}
> **** OK ****

(Electron version)

user@macOSParallels experiment % npm list -g                                                                     
/opt/homebrew/lib
├── elecron@0.0.1-security
├── electron@29.0.0
└── npm@10.5.0

Actual Behavior

NODE_EXTRA_CA_CERTS is not respected.

user@macOSParallels experiment % ELECTRON_RUN_AS_NODE=1 NODE_EXTRA_CA_CERTS="/Users/user/ca/ca-cert-bundle.pem" electron          
Welcome to Node.js v20.9.0.
Type ".help" for more information.
> process.env.NODE_EXTRA_CA_CERTS
'/Users/user/ca/ca-cert-bundle.pem'
> fetch("https://www.facebook.com").then(data => console.log("**** OK ****")).catch(e => console.error(e));
Promise {
  <pending>,
  [Symbol(async_id_symbol)]: 152,
  [Symbol(trigger_async_id_symbol)]: 151
}
> TypeError: fetch failed
    at Object.fetch (node:internal/deps/undici/undici:12293:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  cause: Error: unable to verify the first certificate
      at TLSSocket.onConnectSecure (node:_tls_wrap:1659:34)
      at TLSSocket.emit (node:events:514:28)
      at TLSSocket.emit (node:domain:551:15)
      at TLSSocket._finishInit (node:_tls_wrap:1070:8)
      at ssl.onhandshakedone (node:_tls_wrap:856:12)
      at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17) {
    code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
  }
}

Testcase Gist URL

No response

Additional Information

People at Microsoft had to implement a workaround in VSCode's codebase to make use of NODE_EXTRA_CA_CERTS.
I don't think this should have been needed: devcontainers/cli#559
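
Where the runtime ignores the variable, as reported above, an application can read the bundle named by NODE_EXTRA_CA_CERTS itself and pass it as explicit TLS trust anchors. This is an added example, not code from the issue, Electron or VS Code; the function names `parseCaBundle`, `buildTrustedCas` and `agentWithExtraCas` are hypothetical.

```javascript
// Added example: apply NODE_EXTRA_CA_CERTS explicitly instead of relying on the runtime.
const { readFileSync } = require('node:fs');
const { X509Certificate } = require('node:crypto');
const { rootCertificates } = require('node:tls');
const { Agent } = require('node:https');

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle into certificates and keep only those that parse as
// X.509 and are inside their validity period at `now`.
function parseCaBundle(pemText, now = new Date()) {
  const accepted = [];
  const rejected = [];
  for (const pem of pemText.match(PEM_CERT) ?? []) {
    try {
      const cert = new X509Certificate(pem);
      if (new Date(cert.validTo) < now || new Date(cert.validFrom) > now) {
        rejected.push({ subject: cert.subject, reason: 'outside validity period' });
      } else {
        accepted.push(pem);
      }
    } catch (err) {
      rejected.push({ subject: null, reason: `unparseable: ${err.code ?? err.message}` });
    }
  }
  return { accepted, rejected };
}

// Build the `ca` list for TLS options. Setting `ca` replaces Node's default
// trust store, so the bundled roots are kept and the extras are appended.
function buildTrustedCas(env = process.env) {
  const bundlePath = env.NODE_EXTRA_CA_CERTS;
  if (!bundlePath) return { ca: [...rootCertificates], extra: 0, rejected: [] };
  const { accepted, rejected } = parseCaBundle(readFileSync(bundlePath, 'utf8'));
  return { ca: [...rootCertificates, ...accepted], extra: accepted.length, rejected };
}

// Hypothetical helper: an https.Agent that trusts the defaults plus the
// bundle and still verifies the peer certificate.
function agentWithExtraCas(env = process.env) {
  const { ca } = buildTrustedCas(env);
  return new Agent({ ca, rejectUnauthorized: true });
}
```

The agent applies to `https.request` and to libraries that accept an `https.Agent`; Node's global `fetch` does not take one. Logging the `rejected` entries shows when a corporate bundle contains expired or malformed certificates.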

gcobr added the bug 🪲 label on Mar 14, 2024

gcobr commented Mar 14, 2024

To @codebytere's attention

jkleinsc changed the title from "[Bug]: Electron does not respect NODE_EXTRA_CA_CERTS" to "[Feature Request]: Electron does not respect NODE_EXTRA_CA_CERTS" on Mar 19, 2024
codebytere self-assigned this on Mar 25, 2024

codebytere commented Mar 25, 2024

@gcobr PR is up at #41689

Projects
Status: 🛠️ Fixed for Next Release
Status: 👍 Does Not Block Stable