I am trying to use npm install behind a proxy that intercepts HTTPS connections with a custom CA certificate. I am using Node 16.
The command always fails with:
3023 error code SELF_SIGNED_CERT_IN_CHAIN
3024 error errno SELF_SIGNED_CERT_IN_CHAIN
3025 error request to https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz failed, reason: self signed certificate in certificate chain
I have marked the CA certificate as trusted by the system -- curl -vvv -I https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz succeeds without certificate verification errors.
I have also exported NODE_EXTRA_CA_CERTS=/path/to/my-ca-cert.crt. I think this was key with Node 12 but does not appear to work anymore.
I have also tried passing --use-openssl-ca but observe no change.
I do not want to disable all certificate validation, I just want npm to trust my CA.
This worked to have npm trust the certificates that the system trusts.
export npm_config_cafile=/etc/ssl/certs/ca-certificates.crt
I get this error on a fresh install of gitlab. The message looks like:
fatal: unable to access 'https://gitlab-ci-
token:xxxxxxxxxxxxxxxxxxxx#gitlab.example.com/something.git/': Peer's
Certificate issuer is not recognized.ERROR: Job
failed: exit status 1
Any suggestions on how to fix it?
Had faced the same problem after enabling verbose mode by following command
export GIT_CURL_VERBOSE=1 and found the following issue:
NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
Found this following site helpful,But its good when you have entire control for
the proxy server as well to enter the certificates.
http://dropbit.com/?p=168
I instead ran following command to bypass ssl verification by porxy server and it worked
git config --global http.sslVerify "false"
You need to configure /etc/gitlab/gitlab.rb.
Change this line
nginx['ssl_certificate'] = "/etc/gitlab/<your-local-path>/cert.pem"
to
nginx['ssl_certificate'] = "/etc/gitlab/<your-local-path>/fullchain.pem"
(Assuming, you already have nginx enabled and you have correctly issued certificates, e.g. from LetsEncrypt.)
then restart gitlab and you're done:
$ gitlab-ctl reconfigure
Why - cert.pem does not contain full certificate chain, thus ca chain cannot be verified. Replacing with fullchain.pem solves it.
I am getting an unable to get local issuer certificate error when performing an npm install:
typings ERR! message Unable to read typings for "es6-shim". You should check the
entry paths in "es6-shim.d.ts" are up to date
typings ERR! caused by Unable to connect to "https://raw.githubusercontent.com/D
efinitelyTyped/DefinitelyTyped/7de6c3dd94feaeb21f20054b9f30d5dabc5efabd/es6-shim
/es6-shim.d.ts"
typings ERR! caused by unable to get local issuer certificate
I have recently update to node 4 from a much earlier version and it sounds like node is much more strict when these kind of problems arise.
There is an issue discussed here which talks about using ca files, but it's a bit beyond my understanding and I'm unsure what to do about it.
I am behind a corporate firewall, but I can get to the url fine in a browser without any restriction.
Does anyone have any further insight into this issue and what possible solutions there are?
I'm wondering about reverting to node 0.12 in the meantime :(
Try
npm config set strict-ssl false
This is a alternative shared in this url https://github.com/nodejs/node/issues/3742
There is an issue discussed here which talks about using ca files, but it's a bit beyond my understanding and I'm unsure what to do about it.
This isn't too difficult once you know how! For Windows:
Using Chrome go to the root URL NPM is complaining about (so https://raw.githubusercontent.com in your case).
Open up dev tools and go to Security-> View Certificate. Check Certification path and make sure your at the top level certificate, if not open that one. Now go to "Details" and export the cert with "Copy to File...".
You need to convert this from DER to PEM. There are several ways to do this, but the easiest way I found was an online tool which should be easy to find with relevant keywords.
Now if you open the key with your favorite text editor you should see
-----BEGIN CERTIFICATE-----
yourkey
-----END CERTIFICATE-----
This is the format you need. You can do this for as many keys as you need, and combine them all into one file. I had to do github and the npm registry keys in my case.
Now just edit your .npmrc to point to the file containing your keys like so
cafile=C:\workspace\rootCerts.crt
I have personally found this to perform significantly better behind our corporate proxy as opposed to the strict-ssl option. YMMV.
This worked for me:
export NODE_TLS_REJECT_UNAUTHORIZED=0
Please refer to the NodeJS documentation for usage and warnings:
https://nodejs.org/api/cli.html#cli_node_tls_reject_unauthorized_value
Anyone gets this error when 'npm install' is trying to fetch a package from HTTPS server with a self-signed or invalid certificate.
Quick and insecure solution:
npm config set strict-ssl false
Why this solution is insecure?
The above command tells npm to connect and fetch module from server even server do not have valid certificate and server identity is not verified. So if there is a proxy server between npm client and actual server, it provided man in middle attack opportunity to an intruder.
Secure solution:
If any module in your package.json is hosted on a server with self-signed CA certificate then npm is unable to identify that server with an available system CA certificates.
So you need to provide CA certificate for server validation with the explicit configuration in .npmrc.
In .npmrc you need to provide cafile, please refer to more detail about cafile configuration.
cafile=./ca-certs.pem
In ca-certs file, you can add any number of CA certificates(public) that you required to identify servers. The certificate should be in “Base-64 encoded X.509 (.CER)(PEM)” format.
For example,
# cat ca-certs.pem
DigiCert Global Root CA
=======================
-----BEGIN CERTIFICATE-----
CAUw7C29C79Fv1C5qfPrmAE.....
-----END CERTIFICATE-----
VeriSign Class 3 Public Primary Certification Authority - G5
========================================
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIQ......
-----END CERTIFICATE-----
Note: once you provide cafile configuration in .npmrc, npm try to identify all server using CA certificate(s) provided in cafile only, it won't check system CA certificate bundles then.
Here's a well-known public CA authority certificate bundle.
One other situation when you get this error:
If you have mentioned Git URL as a dependency in package.json and git is on invalid/self-signed certificate then also npm throws a similar error.
You can fix it with following configuration for git client
git config --global http.sslVerify false
Typings can be configured with the ~/.typingsrc config file. (~ means your home directory)
After finding this issue on github: https://github.com/typings/typings/issues/120, I was able to hack around this issue by creating ~/.typingsrc and setting this configuration:
{
"proxy": "http://<server>:<port>",
"rejectUnauthorized": false
}
It also seemed to work without the proxy setting, so maybe it was able to pick that up from the environment somewhere.
This is not a true solution, but was enough for typings to ignore the corporate firewall issues so that I could continue working. I'm sure there is a better solution out there.
If you're on a corporate computer, it likely has custom certificates (note the plural on that). It took a while to figure out, but I've been using this little script to grab everything and configure Node, NPM, Yarn, AWS, and Git (turns out the solution is similar for most tools). Stuff this in your ~/.bashrc or ~/.zshrc or similar location:
function setup-certs() {
# place to put the combined certs
local cert_path="$HOME/.certs/all.pem"
local cert_dir=$(dirname "${cert_path}")
[[ -d "${cert_dir}" ]] || mkdir -p "${cert_dir}"
# grab all the certs
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain > "${cert_path}"
security find-certificate -a -p /Library/Keychains/System.keychain >> "${cert_path}"
# configure env vars for commonly used tools
export GIT_SSL_CAINFO="${cert_path}"
export AWS_CA_BUNDLE="${cert_path}"
export NODE_EXTRA_CA_CERTS="${cert_path}"
# add the certs for npm and yarn
# and since we have certs, strict-ssl can be true
npm config set -g cafile "${cert_path}"
npm config set -g strict-ssl true
yarn config set cafile "${cert_path}" -g
yarn config set strict-ssl true -g
}
setup-certs
You can then, at any time, run setup-certs in your terminal. Note that if you're using Nvm to manage Node versions, you'll need to run this for each version of Node. I've noticed that some corporate certificates get rotated every so often. Simply re-running setup-certs fixes all that.
You'll notice that most answers suggest setting strict-ssl to false. Please don't do that. Instead use the setup-certs solution to use the actual certificates.
My problem was that my company proxy was getting in the way. The solution here was to identify the Root CA / certificate chain of our proxy, (on mac) export it from the keychain in .pem format, then export a variable for node to use.
export NODE_EXTRA_CA_CERTS=/path/to/your/CA/cert.pem
There are different reason for this issue and workaround is different depends on situation. Listing here few workaround (note: it is insecure workaround so please check your organizational policies before trying).
Step 1: Test and ensure internet is working on machine with command prompt and same url is accessible directly which fails by NPM. There are many tools for this, like curl, wget etc. If you are using windows then try telnet or curl for windows.
Step 2: Set strict ssl to false by using below command
npm -g config set strict-ssl false
Step 3: Set reject unauthorized TLS to no by using below command:
export NODE_TLS_REJECT_UNAUTHORIZED=0
In case of windows (or can use screen to set environment variable):
set NODE_TLS_REJECT_UNAUTHORIZED=0
Step 4: Add unsafe param in installation command e.g.
npm i -g abc-package#1.0 --unsafe-perm true
In case you use yarn:
yarn config set strict-ssl false
Add:
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
Source: Ignore invalid self-signed ssl certificate in node.js with https.request?
I have encountered the same issue. This command didn't work for me either:
npm config set strict-ssl false
After digging deeper, I found out that this link was block by our IT admin.
http://registry.npmjs.org/npm
So if you are facing the same issue, make sure this link is accessible to your browser first.
For anyone coming to this from macOS:
Somehow, npm hasn't picked up correct certificates file location, and I needed to explicitly point to it:
$ echo "cafile=$(brew --prefix)/share/ca-certificates/cacert.pem" >> ~/.npmrc
$ cat ~/.npmrc # for ARM macOS
cafile=/opt/homebrew/share/ca-certificates/cacert.pem
Well this is not a right answer but can be consider as a quick workaround. Right answer is turn off Strict SSL.
I am having the same error
PhantomJS not found on PATH
Downloading https://github.com/Medium/phantomjs/releases/download/v2.1.1/phantomjs-2.1.1-windows.zip
Saving to C:\Users\Sam\AppData\Local\Temp\phantomjs\phantomjs-2.1.1-windows.zip
Receiving...
Error making request.
Error: unable to get local issuer certificate
at TLSSocket. (_tls_wrap.js:1105:38)
at emitNone (events.js:106:13)
at TLSSocket.emit (events.js:208:7)
at TLSSocket._finishInit (_tls_wrap.js:639:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:469:38)
So the after reading the error.
Just downloaded the file manually and placed it on the required path.
i.e
C:\Users\Sam\AppData\Local\Temp\phantomjs\
This solved my problem.
PhantomJS not found on PATH
Download already available at C:\Users\sam\AppData\Local\Temp\phantomjs\phantomjs-2.1.1-windows.zip
Verified checksum of previously downloaded file
Extracting zip contents
A disclaimer: This solution is less secure, bad practice, don't do this.
I had a duplicate error message--I'm behind a corporate VPN/firewall. I was able to resolve this issue by adding a .typingsrc file to my user directory (C:\Users\MyUserName\.typingsrc in windows). Of course, anytime you're circumventing SSL you should be yapping to your sys admins to fix the certificate issue.
Change the registry URL from https to http, and as seen in nfiles' answser above, set rejectUnauthorized to false.
.typingsrc (placed in project directory or in user root directory)
{
"rejectUnauthorized": false,
"registryURL": "http://api.typings.org/"
}
Optionally add your github token (I didn't find success until I had added this too.)
{
"rejectUnauthorized": false,
"registryURL": "http://api.typings.org/",
"githubToken": "YourGitHubToken"
}
See instructions for setting up your github token at https://github.com/blog/1509-personal-api-tokens
Once you have your certificate (cer or pem file), add it as a system variable like in the screenshot below.
This is the secure way of solving the problem, rather than disabling SSL. You have to tell npm or whatever node tool you're using to use these certificates when establing an SSL connection using the environment variable NODE_EXTRA_CA_CERTS.
This is common when you're behind a corporate firewall or proxy. You can find the correct certificate by just inspecting the security tab in Chrome when visiting a page while on your company's VPN or proxy and exporting the certificate through the "Manage Computer Certificates" window in Windows.
On FreeBSD, this error can be produced because the cafile path is set to a symlink instead of the absolute path.
I have a git repo on a personal server, which uses a self-signed certificate.
What I'd like to do is to add this CA to npm's trusted one(s), in order to install packages from repo like this:
npm install git+https://domain.tld/repo.git
The following commands allowed me to trust my server, but after that, my local npm does not trust npm.org repo anymore.
npm config set cafile=/usr/local/share/ca-certificates/domain.tld/ca.crt
npm config set ca="content-of-my-cert"
NB: It works well with git+ssh:// but as other people will consume this package, I don't want to add a new trusted ssh key every time there's a new consumer...
Your setting of the cafile and ca is wiping out the default trusted CA certs. You can trust multiple CA certs using an array of ca[] like this:
npm config set ca[]="content_of_your_CA_cert"
npm config set ca[]="content_of_the_npm_root_cert"
npm config set ca[]="content_of_the_npm_intermediate_cert"
P.S. - npm.org is National Association of Pastoral Musicians. If you meant npmjs.com, that cert is currently signed by DigiCert using this intermediate cert and this root cert.