I am trying to use npm install behind a proxy that intercepts HTTPS connections with a custom CA certificate. I am using Node 16.
The command always fails with:
3023 error code SELF_SIGNED_CERT_IN_CHAIN
3024 error errno SELF_SIGNED_CERT_IN_CHAIN
3025 error request to https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz failed, reason: self signed certificate in certificate chain
I have marked the CA certificate as trusted by the system -- curl -vvv -I https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz succeeds without certificate verification errors.
I have also exported NODE_EXTRA_CA_CERTS=/path/to/my-ca-cert.crt. I think this was key with Node 12 but does not appear to work anymore.
I have also tried passing --use-openssl-ca but observe no change.
I do not want to disable all certificate validation, I just want npm to trust my CA.
This worked to have npm trust the certificates that the system trusts.
export npm_config_cafile=/etc/ssl/certs/ca-certificates.crt
Related
For reference, my MacBook Air is running version 10.14.1.
I've tried to download ghcup by running this command in the terminal:
curl --proto '=https' --tlsv1.2 -sSf https://get-ghcup.haskell.org | sh
However, when I run this command, I recveieve the following error:
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Could this error be caused by my MacBook running an old version?
I'm currently getting this error when trying to install (any) NPM package:
npm ERR! errno UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! request to https://registry.npmjs.org/gulp-cli failed, reason: unable to get local issuer certificate
I'm trying to wrap my head around what exactly NPM is doing - it seems that it's performing some form of mutual TLS where I need to present a client certificate to whatever servers. And from the error, it seems that my certificate is being rejected. I'm not using a VPN and my organisation uses a proxy but it works perfectly for everyone else - I'm the only one being affected. My next thought is to have a look at the certificate being presented but I don't know where this certificate is stored on my computer. How do I determine and find which certificate is being used?
When checking my npm config, the values for ca and cert are null - should these be referencing my certificate info, and if so, are these supposed to be null by default?
I get this error on a fresh install of gitlab. The message looks like:
fatal: unable to access 'https://gitlab-ci-
token:xxxxxxxxxxxxxxxxxxxx#gitlab.example.com/something.git/': Peer's
Certificate issuer is not recognized.ERROR: Job
failed: exit status 1
Any suggestions on how to fix it?
Had faced the same problem after enabling verbose mode by following command
export GIT_CURL_VERBOSE=1 and found the following issue:
NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
Found this following site helpful,But its good when you have entire control for
the proxy server as well to enter the certificates.
http://dropbit.com/?p=168
I instead ran following command to bypass ssl verification by porxy server and it worked
git config --global http.sslVerify "false"
You need to configure /etc/gitlab/gitlab.rb.
Change this line
nginx['ssl_certificate'] = "/etc/gitlab/<your-local-path>/cert.pem"
to
nginx['ssl_certificate'] = "/etc/gitlab/<your-local-path>/fullchain.pem"
(Assuming, you already have nginx enabled and you have correctly issued certificates, e.g. from LetsEncrypt.)
then restart gitlab and you're done:
$ gitlab-ctl reconfigure
Why - cert.pem does not contain full certificate chain, thus ca chain cannot be verified. Replacing with fullchain.pem solves it.
I have installed azure-cli via npm install -g azure-cli but and am getting self signed certificate in certificate chain:
Any hints appreciated.
You can use troubleshooting guide for the Microsoft Azure Explorer tool for same issue https://support.microsoft.com/en-us/help/4021389/storage-explorer-troubleshooting-guide.
It helped me, with only one tweak needed: openssl command should check connection to management.azure.com and not microsoft.com
So, the command in OpenSSL console will be:
OpenSSL> s_client -showcerts -connect management.azure.com:443
I have found a self-signed certificate in my case (subject = issuer) added by my company IT department. After importing that certificate into ASE (so that ASE can trust that self-issued cert) the problem was solved.
As per the these bug reports it seems that this issue is related to npm using a system/network wide proxy which intercepts the SSL traffic. Update npm config with the https proxy and this issue should be fixed. some have reported that updating npm also has fixed it. check it out.
https://github.com/npm/npm/issues/7519
https://github.com/npm/npm/issues/6916
I was trying to install gitlab on my linux server following this guide and got stucked in the second setp that says
curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
any idea on how can I solve this?
ANSWER be sure to have http_proxy and https_proxy variables correctly set.
---- UPDATE ----
After setting the variables I got the following answer from curl
Detected operating system as Ubuntu/trusty.
Checking for curl...
Detected curl...
Running apt-get update... done.
Installing apt-transport-https... done.
Installing /etc/apt/sources.list.d/gitlab_gitlab-ce.list...curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Unable to run:
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/config_file.list?os=Ubuntu&dist=trusty&source=script
Double check your curl installation and try again.
Tell curl to ignore SSL warnings with -k/--insecure. Documented in man curl.
Edit: also check your proxy settings, as the host you're trying to curl to does, in fact, have a valid SSL certificate. See the --proxy option of curl.