Version
v26.4.0
Platform
Linux jvm1 6.17.0-1025-oem #25-Ubuntu SMP PREEMPT_DYNAMIC Fri May 29 12:11:29 UTC 2026 x86_64 GNU/Linux
Subsystem
tls
What steps will reproduce the bug?
- Run
NODE_OPTIONS="--use-openssl-ca" node -e 'console.log("Default certificates:", tls.getCACertificates("default")); fetch("https://example.org").then(rsp => console.log("HTTP status code:", rsp.status));'
Its output (provided your default OpenSSL certs are fairly standard) will be:
Default certificates: []
HTTP status code: 200
As can be seen, the request to https://example.org succeeds despite us having no default certificates according to tls.getCACertificates("default")
How often does it reproduce? Is there a required condition?
Always
What is the expected behavior? Why is that the expected behavior?
I would expect tls.getCACertificates("default") to return the certificates provided by OpenSSL that NodeJS uses to verify the certificate chain. I expect this since the documentation for the "default" type in tls.getCACertificates states: "return the CA certificates that will be used by the Node.js TLS clients by default".
What do you see instead?
An empty array
Additional information
Invoking tls.setDefaultCACertificates([]) and fetching https://example.org afterwards does cause UNABLE_TO_GET_ISSUER_CERT_LOCALLY
Version
v26.4.0
Platform
Subsystem
tls
What steps will reproduce the bug?
NODE_OPTIONS="--use-openssl-ca" node -e 'console.log("Default certificates:", tls.getCACertificates("default")); fetch("https://example.org").then(rsp => console.log("HTTP status code:", rsp.status));'Its output (provided your default OpenSSL certs are fairly standard) will be:
As can be seen, the request to https://example.org succeeds despite us having no default certificates according to
tls.getCACertificates("default")How often does it reproduce? Is there a required condition?
Always
What is the expected behavior? Why is that the expected behavior?
I would expect
tls.getCACertificates("default")to return the certificates provided by OpenSSL that NodeJS uses to verify the certificate chain. I expect this since the documentation for the"default"type intls.getCACertificatesstates: "return the CA certificates that will be used by the Node.js TLS clients by default".What do you see instead?
An empty array
Additional information
Invoking
tls.setDefaultCACertificates([])and fetchinghttps://example.orgafterwards does causeUNABLE_TO_GET_ISSUER_CERT_LOCALLY