Monkey patch Meteor to use CA certs from the OS X keychain.

patch-meteor.sh

#!/bin/bash
set -e
# This script monkey-patches MeteorJS to allow it to work from behind a MITM
# proxy that forges SSL keys.  You may need this to get through a corporate
# content-inspection proxy, for example, since Meteor doesn't allow you to
# specify the CA certs to use.

cd "$HOME/.meteor"
cd "$(dirname "$(readlink meteor)")"
cd tools

case "$1" in
    -u) mv index.js.orig index.js; echo "Meteor unpatched"; exit ;;
    -d) pwd ; exit ;;
esac
security find-certificate -ap \
    /Library/Keychains/System.keychain \
    /System/Library/Keychains/SystemRootCertificates.keychain \
    > certs.pem

if grep -q certs index.js; then
    echo "Already patched"
    exit 1
fi

cp index.js index.js.orig
(
cat <<'END';
var cas = [];
var cur = '';
var certs = require('fs').readFileSync( __dirname + '/certs.pem' ).toString();
certs.split("\n").forEach( function( line ) {
    cur += line + "\n";
    if ( line.indexOf( '-----END' ) === 0 ) { cas.push( cur ); cur = ''; }
} );
var isObject = function isObject( obj ) {
    return Object.prototype.toString.call( obj ) == "[object Object]";
};
var tls = require( 'tls' );
var _connect = tls.connect;
tls.connect = function() {
    if ( isObject( arguments[0] ) ) {
        arguments[0].ca = cas;
    } else if ( isObject( arguments[2] ) ) {
        arguments[2].ca = cas;
    } else {
        console.log( "arguments: %o", arguments );
        throw new Error( "Invalid arguments to monkey-patched tls.connect" );
    }
    return _connect.apply( this, arguments );
};
END
cat index.js.orig
) > index.js
echo "Meteor patched"