cloudflare · threepointone · May 11, 2022 · May 11, 2022 · petebacondarwin · May 11, 2022
diff --git a/.changeset/perfect-drinks-switch.md b/.changeset/perfect-drinks-switch.md
@@ -0,0 +1,18 @@
+---
+"wrangler": patch
+---
+
+fix: work with Cloudflare WARP
+
+Using wrangler with Cloudflare WARP (https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/) requires using the Cloudflare certificate. This patch simply uses the certificate as NODE_EXTRA_CA_CERTS when we start wrangler.
+
+Test plan:
+
+- Turn on Cloudflare WARP/ Gateway with WARP
+- `wrangler dev`
+- Turn on Cloudflare WARP/ Gateway with DoH
+- `wrangler dev`
+- Turn off Cloudflare WARP
+- `wrangler dev`
+
+Fixes https://github.com/cloudflare/wrangler2/issues/953, https://github.com/cloudflare/wrangler2/issues/850
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAkygAwIBAgIUI7b68p0pPrCBoW4ptlyvVcPItscwCgYIKoZIzj0EAwQw
+gY0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRgwFgYDVQQKEw9DbG91ZGZsYXJlLCBJbmMxNzA1BgNVBAMT
+LkNsb3VkZmxhcmUgZm9yIFRlYW1zIEVDQyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkw
+HhcNMjAwMjA0MTYwNTAwWhcNMjUwMjAyMTYwNTAwWjCBjTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGDAW
+BgNVBAoTD0Nsb3VkZmxhcmUsIEluYzE3MDUGA1UEAxMuQ2xvdWRmbGFyZSBmb3Ig
+VGVhbXMgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0eTCBmzAQBgcqhkjOPQIBBgUr
+gQQAIwOBhgAEAVdXsX8tpA9NAQeEQalvUIcVaFNDvGsR69ysZxOraRWNGHLfq1mi
+P6o3wtmtx/C2OXG01Cw7UFJbKl5MEDxnT2KoAdFSynSJOF2NDoe5LoZHbUW+yR3X
+FDl+MF6JzZ590VLGo6dPBf06UsXbH7PvHH2XKtFt8bBXVNMa5a21RdmpD0Pho0Uw
+QzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQU
+YBcQng1AEMMNteuRDAMG0/vgFe0wCgYIKoZIzj0EAwQDgYwAMIGIAkIBQU5OTA2h
+YqmFk8paan5ezHVLcmcucsfYw4L/wmeEjCkczRmCVNm6L86LjhWU0v0wER0e+lHO
+3efvjbsu8gIGSagCQgEBnyYMP9gwg8l96QnQ1khFA1ljFlnqc2XgJHDSaAJC0gdz
++NV3JMeWaD2Rb32jc9r6/a7xY0u0ByqxBQ1OQ0dt7A==
+-----END CERTIFICATE-----
@@ -20,6 +20,20 @@ Consider using a Node.js version manager such as https://volta.sh/ or https://gi
     return;
   }
 
+  let pathToCACerts = process.env.NODE_EXTRA_CA_CERTS;
+  if (pathToCACerts) {
+    // TODO:
+    // - should we log a warning here?
+    // - maybe we can generate a certificate that concatenates with ours?
+    // - is there a security concern/should we cleanup after we exit?
+    //
+    //  I do think it'll be rare that someone wants to add a cert AND
+    //  use cloudflare WARP, but let's wait till the situation actually
+    //  arises before we do anything about it
+  } else {
+    pathToCACerts = join(__dirname, "../Cloudflare_CA.pem");
+  }
+
   wranglerProcess = spawn(
     process.execPath,
     [
@@ -32,7 +46,13 @@ Consider using a Node.js version manager such as https://volta.sh/ or https://gi
       join(__dirname, "../wrangler-dist/cli.js"),
       ...process.argv.slice(2),
     ],
-    { stdio: "inherit" }
+    {
+      stdio: "inherit",
+      env: {
+        ...process.env,
+        NODE_EXTRA_CA_CERTS: pathToCACerts,
+      },
+    }
   ).on("exit", (code) =>
     process.exit(code === undefined || code === null ? 0 : code)
   );

@@ -110,7 +110,8 @@
     "wrangler-dist",
     "templates",
     "vendor",
-    "import_meta_url.js"
+    "import_meta_url.js",
+    "Cloudflare_CA.pem"
   ],
   "scripts": {
     "clean": "rm -rf wrangler-dist miniflare-dist",