From e6cb35b7c2dc45349a9cf0819aa21228aea03e26 Mon Sep 17 00:00:00 2001
From: Meier Lukas <meierschlumpf@gmail.com>
Date: Sun, 15 Jun 2025 21:42:25 +0200
Subject: [PATCH] feat(integrations): add support for self-signed-cert-in-chain
 request error (#3399)

---
 .../test-connection-certificate.tsx             | 17 ++++++++++++-----
 .../integration/map-test-connection-error.ts    |  2 ++
 .../common/src/errors/http/request-error.ts     |  7 ++++++-
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/apps/nextjs/src/app/[locale]/manage/integrations/_components/test-connection/test-connection-certificate.tsx b/apps/nextjs/src/app/[locale]/manage/integrations/_components/test-connection/test-connection-certificate.tsx
index a84302b55..1a9de69a6 100644
--- a/apps/nextjs/src/app/[locale]/manage/integrations/_components/test-connection/test-connection-certificate.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/integrations/_components/test-connection/test-connection-certificate.tsx
@@ -30,6 +30,8 @@ export const CertificateErrorDetails = ({ error, url }: CertificateErrorDetailsP
   const { mutateAsync: trustHostnameAsync } = clientApi.certificates.trustHostnameMismatch.useMutation();
   const { mutateAsync: addCertificateAsync } = clientApi.certificates.addCertificate.useMutation();
 
+  const rootCertificate = getHeighestCertificate(error.data.certificate);
+
   const handleTrustHostname = () => {
     const { hostname } = new URL(url);
     openConfirmModal({
@@ -72,7 +74,7 @@ export const CertificateErrorDetails = ({ error, url }: CertificateErrorDetailsP
         const formData = new FormData();
         formData.append(
           "file",
-          new File([error.data.certificate.pem], `${hostname}-${createId()}.crt`, {
+          new File([rootCertificate.pem], `${hostname}-${createId()}.crt`, {
             type: "application/x-x509-ca-cert",
           }),
         );
@@ -110,11 +112,11 @@ export const CertificateErrorDetails = ({ error, url }: CertificateErrorDetailsP
     <>
       {description}
 
-      <CertificateDetailsCard certificate={error.data.certificate} />
+      <CertificateDetailsCard certificate={rootCertificate} />
 
       {error.data.reason === "hostnameMismatch" && <HostnameMismatchAlert />}
 
-      {!error.data.certificate.isSelfSigned && error.data.reason === "untrusted" && <CertificateExtractAlert />}
+      {!rootCertificate.isSelfSigned && error.data.reason === "untrusted" && <CertificateExtractAlert />}
 
       {showRetryButton && (
         <Button
@@ -127,7 +129,7 @@ export const CertificateErrorDetails = ({ error, url }: CertificateErrorDetailsP
         </Button>
       )}
 
-      {(error.data.reason === "untrusted" && error.data.certificate.isSelfSigned) ||
+      {(error.data.reason === "untrusted" && rootCertificate.isSelfSigned) ||
       error.data.reason === "hostnameMismatch" ? (
         <Button
           variant="default"
@@ -137,7 +139,7 @@ export const CertificateErrorDetails = ({ error, url }: CertificateErrorDetailsP
           {tError("certificate.action.trust.label")}
         </Button>
       ) : null}
-      {error.data.reason === "untrusted" && !error.data.certificate.isSelfSigned ? (
+      {error.data.reason === "untrusted" && !rootCertificate.isSelfSigned ? (
         <Button
           variant="default"
           fullWidth
@@ -325,3 +327,8 @@ const PemContentModal = createModal<{ content: string }>(({ actions, innerProps
   },
   size: "lg",
 });
+
+const getHeighestCertificate = (certificate: MappedCertificate): MappedCertificate => {
+  if (certificate.issuerCertificate) return getHeighestCertificate(certificate.issuerCertificate);
+  return certificate;
+};
diff --git a/packages/api/src/router/integration/map-test-connection-error.ts b/packages/api/src/router/integration/map-test-connection-error.ts
index 66620235a..d0805b6ec 100644
--- a/packages/api/src/router/integration/map-test-connection-error.ts
+++ b/packages/api/src/router/integration/map-test-connection-error.ts
@@ -36,6 +36,7 @@ const mapError = (error: Error): MappedError => {
 export interface MappedCertificate {
   isSelfSigned: boolean;
   issuer: string;
+  issuerCertificate?: MappedCertificate;
   subject: string;
   serialNumber: string;
   validFrom: Date;
@@ -47,6 +48,7 @@ export interface MappedCertificate {
 const mapCertificate = (certificate: X509Certificate, code: RequestErrorCode): MappedCertificate => ({
   isSelfSigned: certificate.ca || code === "DEPTH_ZERO_SELF_SIGNED_CERT",
   issuer: certificate.issuer,
+  issuerCertificate: certificate.issuerCertificate ? mapCertificate(certificate.issuerCertificate, code) : undefined,
   subject: certificate.subject,
   serialNumber: certificate.serialNumber,
   validFrom: certificate.validFromDate,
diff --git a/packages/common/src/errors/http/request-error.ts b/packages/common/src/errors/http/request-error.ts
index d294706fc..6308167be 100644
--- a/packages/common/src/errors/http/request-error.ts
+++ b/packages/common/src/errors/http/request-error.ts
@@ -36,7 +36,12 @@ export const requestErrorMap = {
     expired: ["CERT_HAS_EXPIRED"],
     hostnameMismatch: ["ERR_TLS_CERT_ALTNAME_INVALID", "CERT_COMMON_NAME_INVALID"],
     notYetValid: ["CERT_NOT_YET_VALID"],
-    untrusted: ["DEPTH_ZERO_SELF_SIGNED_CERT", "UNABLE_TO_VERIFY_LEAF_SIGNATURE", "UNABLE_TO_GET_ISSUER_CERT_LOCALLY"],
+    untrusted: [
+      "DEPTH_ZERO_SELF_SIGNED_CERT",
+      "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
+      "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
+      "SELF_SIGNED_CERT_IN_CHAIN",
+    ],
   },
   connection: {
     hostUnreachable: "EHOSTUNREACH",