bower / registry

The Bower registry
https://registry.bower.io/packages
MIT License

Fresh certificate has incorrect expiration date #304

Open lukasz-gladek-av opened 1 year ago

lukasz-gladek-av commented 1 year ago

While doing bower install I get the following error:

#0 1.681 bower angular-elastic#2.4.2 CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/angular-elastic failed: certificate has expired
ERROR: failed to solve: process "/bin/bash -o pipefail -c bower install" did not complete successfully: exit code: 1

bower.io cert looks fine, but going to https://registry.bower.io/packages/angular-elastic shows that the cert is issued today, but it expired yesterday

mchrapek commented 1 year ago

It's true that the certificate is issued today, but its expiration date is July 23.

It seems to me that something is wrong with the new certificate because we have the same problem:

bower angular#~1.5.0  CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/angular failed: certificate has expired

PankajPatel007 commented 1 year ago

I too am facing the same issue.

(node:16801) [DEP0022] DeprecationWarning: os.tmpDir() is deprecated. Use os.tmpdir() instead.
Warning: Request to https://registry.bower.io/packages/angular-resource failed: certificate has expired Use --force to continue.

pejorativefox commented 1 year ago

Also seeing this in our CI/CD pipelines.

ajayarjunan commented 1 year ago

Same here, the SSL certificate needs to be properly created and installed for https://registry.bower.io/packages/ to get this resolved:

Screenshot from 2023-04-24 15-32-11

ajayarjunan commented 1 year ago

As @mchrapek mentioned here: https://github.com/bower/bower/issues/2608#issuecomment-1519835378, adding "strict-ssl": false to the .bowerrc file made it work

Edit: This is not a recommended approach, but for testing only.

mchrapek commented 1 year ago

but I don't recommend this solution, disabling SSL can be dangerous, I did this just to check if the problem is with SSL

galregev commented 1 year ago

I'm experiencing this behaviour from my Jenkins CI/CD for Docker image creation. Is there any temp solution, such as an alternative registry? I don't want to disable SSL.

khoros-chandrakala commented 1 year ago

any idea when this can be sorted out, CI/CD is having the cert issue with installing the bower, looking for some solution without disabling SSL

ajayarjunan commented 1 year ago

From what we have noticed, this issue seems to be happening on the servers/machines that were already performing bower commands, which have some SSL certificate caching present during the SSL handshake process. For new machines (where the bower command is run for the first time), the issue seems not present

As a temporary work around, we commented out bower command from the CI/CD process(since we do not have new packages being added at the moment) and retained a copy of the bower_components folder in the server (this is not recommended approach, but had to do this to solve a deployment blocker).

Need to find a permanent fix next day!

lucasDechenier commented 1 year ago

Hello Guys, any solution for this?

I had the same on CircleCI:

bower invalid-meta for:/root/project/watson2/bower.json
bower invalid-meta The "name" is recommended to be lowercase, can contain digits, dots, dashes
bower CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/angular-media-queries failed: certificate has expired

Exited with code exit status 1
CircleCI received exit code 1

In my Steps I run:

steps:

GabeGates commented 1 year ago

Same issues here, setting strict-ssl to false has worked as a temp solution. Hope this is resolved soon.

hoggworks commented 1 year ago

I'm having the same issue in our Jenkins pipeline.

SomeBdyElse commented 1 year ago

I have the same issue in a CI pipeline. It's an outdated node and bower version

npm install -g bower@1.8.13
bower install MutationObserver-shim
# …
# bower                 CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/MutationObserver-shim failed: certificate has expired

curl had the same issue:

curl https://registry.bower.io/packages/MutationObserver-shim
# curl: (60) SSL certificate problem: certificate has expired

I fixed the issue for curl by removing an invalid intermediary cert:

sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf
update-ca-certificates

curl https://registry.bower.io/packages/MutationObserver-shim
# {"name":"MutationObserver-shim","url":"https://github.com/megawac/MutationObserver.js.git"}

But bower still has the same issue:

bower install MutationObserver-shim
# bower                 CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/MutationObserver-shim failed: certificate has expired

Would it be possible that bower somehow uses a different ca-cert folder than curl?

SomeBdyElse commented 1 year ago

Would it be possible that bower somehow uses a different ca-cert folder than curl?

This seems to be true, but it is fixable:

export NODE_OPTIONS=--use-openssl-ca
bower install MutationObserver-shim

and it went just fine.

So for me the entire fix was:

sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf
update-ca-certificates
export NODE_OPTIONS=--use-openssl-ca

tbcshifter commented 1 year ago

Same issue here with Heroku builds today.

pain44444 commented 1 year ago

For us fix was only:

export NODE_OPTIONS=--use-openssl-ca

,cuz we use azure k8s builder

mvrhov commented 1 year ago

node 7.10.1 on Ubuntu 22.04.

None of the below works.

Tried with: export NODE_OPTIONS=--use-openssl-ca then I added export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

Then I tried

NODE_OPTIONS=--use-openssl-ca bower install ...
NODE_OPTIONS=--use-openssl-ca SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt bower install ...

Added "ca": "/etc/ssl/certs/ca-certificates.crt", to bower.json. Nothing.

mattsputnikdigital commented 1 year ago

node 7.10.1 on Ubuntu 22.04.

None of the below works.

Tried with: export NODE_OPTIONS=--use-openssl-ca then I added export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

Then I tried

NODE_OPTIONS=--use-openssl-ca bower install ...
NODE_OPTIONS=--use-openssl-ca SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt bower install ...

Added "ca": "/etc/ssl/certs/ca-certificates.crt", to bower.json. Nothing.

I think NODE_OPTIONS needs node 8+

sheerun commented 1 year ago

The certificate is fine, and it seems most of the issues are related to using an old version of Node; otherwise they can be solved by setting export NODE_OPTIONS=--use-openssl-ca. Bower's certificate renewal works fine.

But the true solution is to stop using Bower, as it has been deprecated software for a very long time. If you want a modern alternative with file locking (extremely important for security and long-term maintenance as there is no easy way to pin the whole tree of dependencies for Bower, only top level ones), please follow this guide to migrate to Yarn. It's pretty simple as there is a helper command:

https://bower.io/blog/2017/how-to-migrate-away-from-bower/

If bower-away doesn't work for you for some reason, please send pull request with fix :)

mvrhov commented 1 year ago

I think NODE_OPTIONS needs node 8+

You are right. I'll see how high I can go from prehistoric 7.2.1. And if there are problems then it seems that recompiling node itself is going to be the only option.

Migrating away and/or upgrading this is not an option for at least another 12 months.

sheerun commented 1 year ago

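Other solutions you might try for now are:

  • Put all dependencies in separate git repository somehow and clone them instead of running bower install
  • You can also try to disable ssl (not recommended) in .bowerrc: with { "strict-ssl": false }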

In the meantime I'll work on another solution that should fix this issue by embedding registry within Bower itself.

amit-oli-khoros commented 1 year ago

Other solutions you might try for now are:

  • Put all dependencies in separate git repository somehow and clone them instead of running bower install
  • You can also try to disable ssl (not recommended) in .bowerrc: with { "strict-ssl": false }

In the meantime I'll work on another solution that should fix this issue by embedding registry within Bower itself.

We cannot use any of the workarounds suggested here so far. May I know how long will it take for the "another solution" that you are working on to be out?

saintmac commented 1 year ago

So for me the entire fix was:

sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf
update-ca-certificates
export NODE_OPTIONS=--use-openssl-ca

That fixed it for me, thanks ! (Docker node)

mvrhov commented 1 year ago

For now it seems that I could upgrade up to node 9.11.2. And with that NODE_OPTIONS works. Things build, QA is in progress. The rest will have to wait.

dodomood commented 1 year ago

Same issue, running from GitHub actions on windows-latest, with node 8.12 (yeah, I know).

Halp pls

mchrapek commented 1 year ago

bower install works for newer versions of node.

Only bower install command I execute on the newer node (for example 12), and the rest of the commands for building the project I execute on the version I need.

It worked for us.

amanneesharma commented 1 year ago

Having the same issue. Tried some steps as below:

1) Added "strict-ssl": false to bowerrc file.
2) Ran bower install.
3) Deleted downloaded bower components.
4) Removed "strict-ssl": false from bowerrc file.
5) Ran bower install again.

Worked for me!!!

amit-oli-khoros commented 1 year ago

Other solutions you might try for now are:

  • Put all dependencies in separate git repository somehow and clone them instead of running bower install
  • You can also try to disable ssl (not recommended) in .bowerrc: with { "strict-ssl": false }

In the meantime I'll work on another solution that should fix this issue by embedding registry within Bower itself.

Hi @sheerun , Is there any update on the fix that you were working on?

ujjwaldave commented 1 year ago

Other solutions you might try for now are:

  • Put all dependencies in separate git repository somehow and clone them instead of running bower install
  • You can also try to disable ssl (not recommended) in .bowerrc: with { "strict-ssl": false }

In the meantime I'll work on another solution that should fix this issue by embedding registry within Bower itself.

Hi @sheerun , Is there any update on the fix that you were working on?

+1, is there any ETA on this fix.

stormonster commented 1 year ago

As I mentioned here, a temporary solution that solved the issue for us was to use the heroku-mirror rather than the regular registry.

Rather than turning off SSL we've set the registry parameter in the .bowerrc like this.

{
  "directory": "bower_components",
  "registry": "https://bower.herokuapp.com"
}

Not sure how permanent of a solution it is as I've seen it mentioned that certs for node versions <10 are discontinued now, but at least it worked for us and it sure beats turning off SSL.

tfabris commented 1 year ago

I'm trying to keep a legacy app building, one that uses old versions of node and bower. I can't at the moment upgrade either of them. These build on Windows build agent computers. Most of the solutions listed here are for linux build systems, so I can't do any of those.

We have a couple dozen ".bowerrc" files in the build, and adding some lines to those files is possible. I've seen two possible temporary solutions listed in this thread. Thanks very much to the folks who suggested them. The two choices open to me seem to be to either add this line:

"strict-ssl": false 

Or to add this line:

"registry": "https://bower.herokuapp.com"

Both seem risky. Can someone please help me understand which one is riskier? Keep in mind that I'm completely inexperienced in Bower, NPM, Ember, and the other technologies that this app is built with (I'm a C# guy normally). The first option, as I understand it, would make it possible for us to retrieve some of our modules from sites with expired SSL certificates, but at least we'd be getting those files from the same places as we did before. I've tried that one and it works as a temporary fix. The second, seems like we'd be changing the place where we get the files from, which to me sounds much riskier.

Does anyone have an opinion on this?

Thanks!
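Added example, not part of the thread and not Bower's own code: a Node.js check that could run in CI over the contents of each .bowerrc and flag the two workarounds weighed above, `"strict-ssl": false` and a `registry` pointing somewhere other than the default. The allow-list, rule names and sample files are constructed for illustration, and the object form of `registry` (`search`/`register`/`publish`) is assumed from Bower's configuration docs.

```javascript
// Default registry as named in this thread; extend the allow-list for an approved mirror.
const DEFAULT_REGISTRY = 'https://registry.bower.io';

// "registry" may be a single URL or an object with search/register/publish entries.
function registryUrls(registry) {
  if (registry == null) return [];
  if (typeof registry === 'string') return [registry];
  return [].concat(registry.search || [], registry.register || [], registry.publish || []);
}

// Returns findings for the text of one .bowerrc file.
function auditBowerrc(text, allowed = [DEFAULT_REGISTRY]) {
  let cfg;
  try {
    cfg = JSON.parse(text); // strict JSON: an unparsable file is reported, not skipped
  } catch (err) {
    return [{ level: 'error', rule: 'parse', detail: err.message }];
  }
  if (cfg === null || typeof cfg !== 'object') {
    return [{ level: 'error', rule: 'parse', detail: 'top level is not an object' }];
  }
  const findings = [];
  if (cfg['strict-ssl'] === false) {
    // Certificate verification is off: the registry's identity is no longer checked.
    findings.push({ level: 'high', rule: 'strict-ssl-disabled', detail: '"strict-ssl": false' });
  }
  const allowedOrigins = allowed.map((u) => new URL(u).origin);
  for (const url of registryUrls(cfg.registry)) {
    let parsed;
    try {
      parsed = new URL(url);
    } catch (err) {
      findings.push({ level: 'error', rule: 'registry-unparsable', detail: String(url) });
      continue;
    }
    if (parsed.protocol !== 'https:') {
      findings.push({ level: 'high', rule: 'registry-not-https', detail: url });
    }
    if (!allowedOrigins.includes(parsed.origin)) {
      // Name-to-repository lookups are delegated to a host nobody has reviewed.
      findings.push({ level: 'medium', rule: 'registry-not-allowlisted', detail: url });
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from any real repository).
const SAMPLES = {
  'app/.bowerrc': '{ "directory": "bower_components" }',
  'legacy/.bowerrc': '{ "directory": "bower_components", "strict-ssl": false }',
  'mirror/.bowerrc': '{ "registry": "https://bower.herokuapp.com" }',
};
for (const [path, text] of Object.entries(SAMPLES)) {
  console.log(path, auditBowerrc(text).map((f) => f.level + ':' + f.rule));
}
```

Passing an approved mirror as the second argument clears the registry finding for it, so a temporary `"strict-ssl": false` that never got reverted remains the only thing reported.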

mattsputnikdigital commented 1 year ago

@tfabris how old is the Ember app? It shouldn't take too much work to remove Bower and get ember-auto-import working which was designed to replace it in v3 of Ember.

Other options include using Docker to build the app for deploy and setting the version of node to something like "FROM node:14-alpine as ember"

Using "strict-ssl": false is a working option, disables certs obviously but it's probably the quickest option in the short term.

tfabris commented 1 year ago

@mattsputnikdigital thanks for that information. The ember app is years old and the people who knew how to maintain its build system are no longer with the company. Replacing the build system with a new one certainly "sounds" simple but keep in mind that I have no idea how it works, like, at all.

I'm also thinking that "strict-ssl": false seems like the better option, because I looked at the herokuapp.com cert and it expires next year anyway thus it would just kick the can down the road a bit.

mattsputnikdigital commented 1 year ago

@mattsputnikdigital thanks for that information. The ember app is years old and the people who knew how to maintain its build system are no longer with the company. Replacing the build system with a new one certainly "sounds" simple but keep in mind that I have no idea how it works, like, at all.

I'm also thinking that "strict-ssl": false seems like the better option, because I looked at the herokuapp.com cert and it expires next year anyway thus it would just kick the can down the road a bit.

Yes if you can accept the risk of the "strict-ssl": false then it would be fine. If you need help with Ember my company manages lots of older Ember sites and could probably get it working without Bower for you if you need assistance.

tfabris commented 1 year ago

@mattsputnikdigital Thanks so much for your help and advice. That's a kind offer to help us out. If we decide to go that route I'll ping you.

azajkhan commented 1 year ago

Still facing issues 14:14:32 bower oauth-js#0.4.8 CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/oauth-js failed: certificate has expired

azajkhan commented 1 year ago

14:22:14 bower angular-recaptcha#4.2.0 CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/angular-recaptcha failed: certificate has expired

mattsputnikdigital commented 1 year ago

14:22:14 bower angular-recaptcha#4.2.0 CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/angular-recaptcha failed: certificate has expired

You need to either update node to a version which works, I believe over 10, or set "strict-ssl": false. I do not think this is going to be fixed otherwise.

GabeGates commented 1 year ago

Same issues here, setting strict-ssl to false has worked as a temp solution. Hope this is resolved soon.

Our company was able to get past this by upgrading to node 18

hma1983 commented 1 year ago

Ran into the same problem, we are using node 8, can't upgrade to new version either at least for another year.

I used this silly workaround, switch to node 12 for bower install, then change back to node 8 for gulp build:

RUN npm install
RUN npm install n -g
RUN n 12.22.9
RUN bower --allow-root install
RUN n 8.15.1