TLS AND PROXIES
Swamp consults the operating system's certificate trust store in addition to Deno's bundled Mozilla root certificates. Three environment variables control TLS certificate resolution. All three are evaluated on startup, before any network call. User-set values are never overwritten.
Environment Variables
| Variable | Purpose | Default |
|---|---|---|
| DENO_TLS_CA_STORE | Certificate stores to consult | system,mozilla (set by swamp) |
| DENO_CERT | Path to a PEM file with additional CA certificates | (unset) |
| SSL_CERT_FILE | OpenSSL-convention path to a PEM CA bundle | (unset; mapped to DENO_CERT) |
DENO_TLS_CA_STORE
Controls which certificate stores Deno uses for TLS verification. Accepted values:
| Value | Behavior |
|---|---|
| system | OS trust store only |
| mozilla | Deno's bundled Mozilla roots only |
| system,mozilla | Both stores merged (swamp default when variable unset) |
When DENO_TLS_CA_STORE is not set, swamp sets it to system,mozilla on
startup.
DENO_TLS_CA_STORE=system swamp workflow run deploy
DENO_CERT
Path to a PEM-encoded file containing one or more additional CA certificates. Certificates in this file are trusted in addition to those from the configured trust stores.
DENO_CERT=/etc/ssl/corporate-ca.pem swamp workflow run deploy
Swamp does not modify DENO_CERT when it is already set.
SSL_CERT_FILE
The OpenSSL-convention environment variable pointing to a PEM CA bundle. Deno
does not read SSL_CERT_FILE natively. On startup, swamp copies the value of
SSL_CERT_FILE into DENO_CERT when DENO_CERT is not already set. If
DENO_CERT is present, SSL_CERT_FILE has no effect.
SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt swamp workflow run deploy
Limitations
SSL_CERT_DIR (the OpenSSL certificate-directory convention) is not supported.
DENO_CERT accepts a single PEM file, not a directory of certificate files.
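The startup rules above, modelled as a pure function so the effective trust configuration can be checked before a run. This is an added example, not swamp's own code: resolveTlsEnv, Env and TlsResolution are hypothetical names, and treating only an absent variable (not an empty string) as "unset" is an assumption.

```typescript
// Added illustration of the documented precedence rules; not swamp's source.
type Env = Record<string, string | undefined>;

interface TlsResolution {
  env: Env;        // environment as it stands after the startup rules are applied
  notes: string[]; // findings worth reviewing before relying on the run
}

function resolveTlsEnv(input: Env): TlsResolution {
  const env: Env = { ...input };
  const notes: string[] = [];
  const store = input["DENO_TLS_CA_STORE"];
  const denoCert = input["DENO_CERT"];
  const sslCertFile = input["SSL_CERT_FILE"];

  // DENO_TLS_CA_STORE: default applied only when unset; a user value is kept.
  if (store === undefined) {
    env["DENO_TLS_CA_STORE"] = "system,mozilla";
  } else if (!store.split(",").map((s) => s.trim()).includes("system")) {
    notes.push("OS trust store is not consulted; CAs installed only there are not trusted");
  }

  // SSL_CERT_FILE: copied into DENO_CERT only when DENO_CERT is unset.
  if (denoCert === undefined) {
    if (sslCertFile !== undefined) env["DENO_CERT"] = sslCertFile;
  } else if (sslCertFile !== undefined && sslCertFile !== denoCert) {
    notes.push("SSL_CERT_FILE has no effect because DENO_CERT is set");
  }

  // SSL_CERT_DIR: not supported, so a directory of CAs is silently unused.
  if (input["SSL_CERT_DIR"] !== undefined) {
    notes.push("SSL_CERT_DIR is not supported; put the CAs in one PEM file for DENO_CERT");
  }
  return { env, notes };
}

// Constructed sample: a host configured the OpenSSL way, plus a pinned store.
const sample = resolveTlsEnv({
  DENO_TLS_CA_STORE: "mozilla",
  SSL_CERT_FILE: "/etc/pki/tls/certs/ca-bundle.crt",
  SSL_CERT_DIR: "/etc/ssl/certs",
});
console.log(sample.env, sample.notes);
```

An empty notes array means every trust-related variable that is set takes effect as written.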