npm install error - unable to get local issuer certificate

204,018

Solution 1

Typings can be configured with the ~/.typingsrc config file. (~ means your home directory)

After finding this issue on github: https://github.com/typings/typings/issues/120, I was able to hack around this issue by creating ~/.typingsrc and setting this configuration:

{
  "proxy": "http://<server>:<port>",
  "rejectUnauthorized": false
}

It also seemed to work without the proxy setting, so maybe it was able to pick that up from the environment somewhere.

This is not a true solution, but was enough for typings to ignore the corporate firewall issues so that I could continue working. I'm sure there is a better solution out there.

Solution 2

Try

npm config set strict-ssl false

This is an alternative shared at this URL: https://github.com/nodejs/node/issues/3742

Solution 3

There is an issue discussed here which talks about using ca files, but it's a bit beyond my understanding and I'm unsure what to do about it.

This isn't too difficult once you know how! For Windows:

Using Chrome, go to the root URL NPM is complaining about (so https://raw.githubusercontent.com in your case). Open up dev tools and go to Security -> View Certificate. Check Certification path and make sure you're at the top-level certificate; if not, open that one. Now go to "Details" and export the cert with "Copy to File...".

You need to convert this from DER to PEM. There are several ways to do this, but the easiest way I found was an online tool which should be easy to find with relevant keywords.

Now if you open the key with your favorite text editor you should see

-----BEGIN CERTIFICATE----- 
yourkey
-----END CERTIFICATE-----

This is the format you need. You can do this for as many keys as you need, and combine them all into one file. I had to do github and the npm registry keys in my case.

Now just edit your .npmrc to point to the file containing your keys like so

cafile=C:\workspace\rootCerts.crt

I have personally found this to perform significantly better behind our corporate proxy as opposed to the strict-ssl option. YMMV.

Solution 4

This worked for me:

export NODE_TLS_REJECT_UNAUTHORIZED=0

Please refer to the NodeJS documentation for usage and warnings: https://nodejs.org/api/cli.html#cli_node_tls_reject_unauthorized_value

Solution 5

Anyone can get this error when 'npm install' tries to fetch a package from an HTTPS server with a self-signed or invalid certificate.

Quick and insecure solution:

npm config set strict-ssl false

Why is this solution insecure? The above command tells npm to connect and fetch modules from the server even if the server does not have a valid certificate and the server's identity is not verified. So if there is a proxy server between the npm client and the actual server, it provides a man-in-the-middle attack opportunity to an intruder.

Secure solution:

If any module in your package.json is hosted on a server with a self-signed CA certificate, then npm is unable to identify that server with the available system CA certificates. So you need to provide a CA certificate for server validation with explicit configuration in .npmrc. In .npmrc you need to provide cafile; please refer to more detail about cafile configuration.

cafile=./ca-certs.pem

In the ca-certs file, you can add any number of (public) CA certificates that you require to identify servers. The certificates should be in “Base-64 encoded X.509 (.CER)(PEM)” format.

For example,

# cat ca-certs.pem 
DigiCert Global Root CA
=======================
-----BEGIN CERTIFICATE-----
CAUw7C29C79Fv1C5qfPrmAE.....
-----END CERTIFICATE-----
VeriSign Class 3 Public Primary Certification Authority - G5
========================================
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIQ......
-----END CERTIFICATE-----

Note: once you provide the cafile configuration in .npmrc, npm tries to identify all servers using only the CA certificate(s) provided in cafile; it won't check the system CA certificate bundles then. Here's a well-known public CA authority certificate bundle.

One other situation when you get this error:

If you have mentioned a Git URL as a dependency in package.json and git is on an invalid/self-signed certificate, then npm also throws a similar error. You can fix it with the following configuration for the git client:

git config --global http.sslVerify false 
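
The DER-to-PEM step in Solution 3 can be done locally instead of through an online converter, and a labelled bundle in the layout shown in Solution 5 can be checked before `cafile` points at it. The Node.js code below is an added example, not code from any of the answers; the function names, labels and sample bytes are constructed for illustration.

```javascript
// Added example (not from the original answers). Sample bytes below are
// constructed placeholders with a DER SEQUENCE header, not real certificates.
const BEGIN = "-----BEGIN CERTIFICATE-----";
const END = "-----END CERTIFICATE-----";

// DER -> PEM: base64 of the raw bytes, wrapped at 64 characters per line.
function derToPem(der) {
  if (!Buffer.isBuffer(der) || der.length < 2 || der[0] !== 0x30) {
    throw new Error("not DER: expected an ASN.1 SEQUENCE (first byte 0x30)");
  }
  const lines = der.toString("base64").match(/.{1,64}/g);
  return [BEGIN, ...lines, END, ""].join("\n");
}

// Write labelled entries in the layout of the ca-certs.pem sample above.
function buildBundle(entries) {
  return entries
    .map(({ label, der }) => `${label}\n${"=".repeat(label.length)}\n${derToPem(der)}`)
    .join("");
}

// Split a bundle back into DER buffers, skipping label text between blocks
// and rejecting truncated or placeholder bodies before npm ever reads them.
function parseBundle(text) {
  const certs = [];
  const blocks = text.matchAll(new RegExp(`${BEGIN}([\\s\\S]*?)${END}`, "g"));
  for (const [, body] of blocks) {
    const b64 = body.replace(/\s+/g, ""); // tolerates CRLF from Windows exports
    const n = certs.length + 1;
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) throw new Error(`block ${n}: body is not base64`);
    const der = Buffer.from(b64, "base64");
    if (der[0] !== 0x30) throw new Error(`block ${n}: not a DER certificate`);
    certs.push(der);
  }
  if (text.split(BEGIN).length - 1 !== certs.length) {
    throw new Error("unterminated certificate block");
  }
  return certs;
}

// Constructed stand-ins for two exported roots (labels are hypothetical).
const fakeDer = (fill) =>
  Buffer.concat([Buffer.from([0x30, 0x82, 0x00, 0x60]), Buffer.alloc(96, fill)]);
const bundle = buildBundle([
  { label: "Corporate Proxy Root (placeholder)", der: fakeDer(0xab) },
  { label: "Registry Root (placeholder)", der: fakeDer(0xcd) },
]);
console.log(bundle, parseBundle(bundle).length);
```

Reading a real export with `fs.readFileSync` and passing it to `derToPem` keeps the certificate on the machine; the structural checks here do not replace confirming the certificate's fingerprint with whoever operates the proxy.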
Author: mindparse

Updated on July 08, 2022

Comments

  • mindparse 6 months

    I am getting an unable to get local issuer certificate error when performing an npm install:

    typings ERR! message Unable to read typings for "es6-shim". You should check the
     entry paths in "es6-shim.d.ts" are up to date
    typings ERR! caused by Unable to connect to "https://raw.githubusercontent.com/D
    efinitelyTyped/DefinitelyTyped/7de6c3dd94feaeb21f20054b9f30d5dabc5efabd/es6-shim
    /es6-shim.d.ts"
    typings ERR! caused by unable to get local issuer certificate
    

    I have recently updated to node 4 from a much earlier version and it sounds like node is much more strict when these kinds of problems arise.

    There is an issue discussed here which talks about using ca files, but it's a bit beyond my understanding and I'm unsure what to do about it.

    I am behind a corporate firewall, but I can get to the url fine in a browser without any restriction.

    Does anyone have any further insight into this issue and what possible solutions there are?

    I'm wondering about reverting to node 0.12 in the meantime :(

  • Astitva Srivastava about 4 years
    Is it safe to restrict strict-ssl?
  • MichaelRom almost 4 years
    Is it safe? Short answer: No. Long answer, yes, but only if you are on a secure network with a proxy server that does the SSL validation for you. Speak to your network administrator.
  • wlf almost 4 years
    Best answer IMO as it works (for me) and it doesn't involve bypassing security checks
  • ConorJohn almost 4 years
    Worked for me, not sure why nothing else was. I'm still only getting set up so I'll try a more permanent solution after I'm up and running. Good idea, thanks!
  • Neil over 3 years
    Stupid question, is it safe to use an online tool to convert my cert?
  • Richard Davies about 3 years
    @Neil, Yes it's safe because the certificate contains the public key. It doesn't contain the private key that must be kept secret.
  • Priyank Thakkar about 3 years
    A well-suited answer if you are behind a corporate proxy
  • Divyarajsinh Jadeja almost 3 years
    If the system is behind the secure proxy of a company/organization, this kind of error occurs, and for that the secure solution should always be preferred. Just to add more to this answer: the following commands can be used to set cafile=./ca-certs.pem in the npmrc file. To set the cafile: npm config set cafile <CERT_FILE_PATH>. To verify the set cafile: npm config get cafile. For more information on how to set config, please visit docs.npmjs.com/misc/config#cafile and docs.npmjs.com/cli/config#set
  • Nils almost 3 years
    When your internet access is via a secure proxy, the npm client gets the certificate of the site from the proxy. In this case, if your host OS trusts the proxy certificate then it's not an issue; otherwise you need to configure the proxy CA certificate for trust.
  • Sushant Rawat over 2 years
    The above link is accessible and I have also used the set strict-ssl false command but it is not working still
  • Jeffrey Phillips Freeman about 2 years
    I had this problem, and this answer did not help me, nor did nfiles answer help...
  • Volkan Güven about 2 years
    Interesting how this might help for some users but after using npm install, revert the process to true.
  • isherwood over 1 year
    This answer would be better with some explanation or documentation reference.
  • rlillbac over 1 year
    In windows, you can directly export the file as a PEM -- Just select the "Base64 Encoded X.509" version instead of the DER version. Also, the certificate doesn't contain yourkey. Instead it contains an X.509 formatted certificate.
  • srian over 1 year
    If you're using yarn: yarn config set "strict-ssl" false
  • uday over 1 year
    I'm still getting this warning message. (node:47985) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification. npm ERR! prepareGitDep Error making request. npm ERR! prepareGitDep Error: SSL Error: UNABLE_TO_GET_ISSUER_CERT_LOCALLY
  • uday over 1 year
    What helped me is this stackoverflow.com/a/39764323/2521806
  • RecuencoJones about 1 year
    Seems to work on OSX as well!
  • Jeremy about 1 year
    Awesome, after so many attempts for my work computer... Finally something that works