[Question]: "playwright install" command fails with UNABLE_TO_GET_ISSUER_CERT_LOCALLY error

[amittendulkar]

"playwright install" command fails with UNABLE_TO_GET_ISSUER_CERT_LOCALLY error

I am using Windows 11 with Python 3.8.10

Here is the trace.

>playwright install
Downloading Chromium 108.0.5359.29 (playwright build v1033) from https://playwright.azureedge.net/builds/chromium/1033/chromium-win64.zip
Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1539:34)
    at TLSSocket.emit (node:events:513:28)
    at TLSSocket._finishInit (node:_tls_wrap:953:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:734:12) {
  code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}

I found out that this error comes because my company has installed Zscaler on my laptop which is presenting its own certificate when browsed the Microsoft CDN website,

I imported the root and intermediate certificates to the cacert.pem file as mentioned in the below URL. https://community.zscaler.com/t/installing-tls-ssl-root-certificates-to-non-standard-environments/7261

Specifically I used the below commands,

> python -m certifi
D:\venv\amazon\lib\site-packages\certifi\cacert.pem
> gc "c:\Users\amit_tendulkar\Downloads\Zscaler Root CA.crt" | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
> gc 'C:\Users\amit_tendulkar\Downloads\Zscaler Intermediate Root CA (zscalerthree.net).crt' | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
> gc 'C:\Users\amit_tendulkar\Downloads\Zscaler Intermediate Root CA (zscalerthree.net) (t)_.crt' | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
> gc 'C:\Users\amit_tendulkar\Downloads\_.azureedge.net.crt'| ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem

Still I got the same errors.

Then I referred to https://playwright.dev/docs/browsers#install-behind-a-firewall-or-a-proxy to understand that I might need to set a proxy.

By logging in to ip.zscaler.net I got the following details,

When I set the proxy like this and tried installing the browsers, I got the below error,

> set HTTPS_PROXY=https://165.225.120.33
> playwright install
Downloading Chromium 108.0.5359.29 (playwright build v1033) from https://playwright.azureedge.net/builds/chromium/1033/chromium-win64.zip
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 165.225.120.33 is not in the cert's list:
    at new NodeError (node:internal/errors:387:5)
    at Object.checkServerIdentity (node:tls:354:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1549:27)
    at TLSSocket.emit (node:events:513:28)
    at TLSSocket._finishInit (node:_tls_wrap:953:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:734:12) {
  reason: "IP: 165.225.120.33 is not in the cert's list: ",
  host: '165.225.120.33',
  cert: {
    subject: [Object: null prototype] {
      C: 'US',
      ST: 'California',
      L: 'San Jose',
      O: 'Zscaler, Inc.',
      CN: '*.zscalerthree.net'
    },
    issuer: [Object: null prototype] {
      C: 'US',
      O: 'DigiCert Inc',
      CN: 'DigiCert TLS RSA SHA256 2020 CA1'
    },
    subjectaltname: 'DNS:*.zscalerthree.net, DNS:gateway.zscalerthree.net, DNS:login.zscalerthree.net, DNS:zscalerthree.net',
    infoAccess: [Object: null prototype] {
      'OCSP - URI': [Array],
      'CA Issuers - URI': [Array]
    },
    modulus: 'C8A77BED7A0117DE5EEAA9EA76DC501D02C41BA1239CC55E5F98347321B9E1098EF62C39EF36DB8D0329BE227B81D2A10F7EA828F0ADD63391F722B49755683727D8C397BDE7C9EFB8C07336F44C683B0F2308CB4875A880614570A1D36816F3B5671C7F5CB869CE1CCE6D12C8B0E39324BDCA7BB79CB0276EDE384476A3360116D1B1650E8BBB829515F547C2E61CF0FD35051532A774962F219F326DB2A61F4C84060F9BF77F14AAAFEF0B741F47D49318886423EC091D2BB6E9197B1FECF18CBC209204E9B0D227A41B3773414C2A0EB96F5264EA976D30041C912B4EE350678BDFE478188FE8957B9937EBFAC76A7FC50CBE159E8AF62AE86F5DF22F2701',
    bits: 2048,
    exponent: '0x10001',
    pubkey: <Buffer 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c8 a7 7b ed 7a 01 17 de 5e ea a9 ea 76 dc 50 1d 02 ... 244 more bytes>,
    valid_from: 'May 10 00:00:00 2022 GMT',
    valid_to: 'Jun 10 23:59:59 2023 GMT',
    fingerprint: 'D5:59:B6:14:19:46:68:95:DF:C2:97:6D:D5:7C:D7:CF:F4:BE:C8:6C',
    fingerprint256: '9E:B3:88:55:74:88:C7:52:9D:39:FF:79:EF:D8:5B:57:F3:11:BB:ED:74:1D:EF:D5:9E:DC:21:00:94:20:7F:61',
    fingerprint512: '87:EF:B4:FD:1C:7E:06:DD:69:4D:B3:51:61:65:4E:84:85:E3:BF:44:9E:4C:AB:BC:20:EE:15:74:79:C3:4B:5D:50:26:F7:B0:98:21:2F:BA:9A:FC:5D:E8:85:7C:A0:D5:1E:95:33:80:48:29:ED:5E:DA:9E:CD:AB:DE:69:CF:59',
    ext_key_usage: [ '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2' ],
    serialNumber: '0827612350F56C1E151398D61F719128',
    raw: <Buffer 30 82 06 f9 30 82 05 e1 a0 03 02 01 02 02 10 08 27 61 23 50 f5 6c 1e 15 13 98 d6 1f 71 91 28 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 4f 31 0b ... 1739 more bytes>,
    issuerCertificate: {
      subject: [Object: null prototype],
      issuer: [Object: null prototype],
      infoAccess: [Object: null prototype],
      modulus: 'C14BB3654770BCDD4F58DBEC9CEDC366E51F311354AD4A66461F2C0AEC6407E52EDCDCB90A20EDDFE3C4D09E9AA97A1D8288E51156DB1E9F58C251E72C340D2ED292E156CBF1795FB3BB87CA25037B9A52416610604F571349F0E8376783DFE7D34B674C2251A6DF0E9910ED57517426E27DC7CA622E131B7F238825536FC13458008B84FFF8BEA75849227B96ADA2889B15BCA07CDFE951A8D5B0ED37E236B4824B62B5499AECC767D6E33EF5E3D6125E44F1BF71427D58840380B18101FAF9CA32BBB48E278727C52B74D4A8D697DEC364F9CACE53A256BC78178E490329AEFB494FA415B9CEF25C19576D6B79A72BA2272013B5D03D40D321300793EA99F5',
      bits: 2048,
      exponent: '0x10001',
      pubkey: <Buffer 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c1 4b b3 65 47 70 bc dd 4f 58 db ec 9c ed c3 66 e5 ... 244 more bytes>,
      valid_from: 'Sep 24 00:00:00 2020 GMT',
      valid_to: 'Sep 23 23:59:59 2030 GMT',
      fingerprint: '69:38:FD:4D:98:BA:B0:3F:AA:DB:97:B3:43:96:83:1E:37:80:AE:A1',
      fingerprint256: '25:76:87:13:D3:B4:59:F9:38:2D:2A:59:4F:85:F3:47:09:FD:2A:89:30:73:15:42:A4:14:6F:FB:24:6B:EC:69',
      fingerprint512: '6A:6F:6D:A5:D4:7D:88:75:7F:16:85:37:23:19:8D:5A:D5:5F:4A:04:1E:1E:AA:52:00:AF:7F:10:54:80:0C:D4:A9:EA:73:4A:F8:76:3D:F1:20:9A:8C:E2:27:3D:C0:DB:BF:C7:66:73:1D:B5:11:7B:FC:66:D4:4D:B2:B7:00:9C',
      ext_key_usage: [Array],
      serialNumber: '0A3508D55C292B017DF8AD65C00FF7E4',
      raw: <Buffer 30 82 04 ea 30 82 03 d2 a0 03 02 01 02 02 10 0a 35 08 d5 5c 29 2b 01 7d f8 ad 65 c0 0f f7 e4 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 61 31 0b ... 1212 more bytes>,
      issuerCertificate: [Object]
    }
  },
  code: 'ERR_TLS_CERT_ALTNAME_INVALID'
}

Any pointers?

[amittendulkar]

Meanwhile I referred the earlier logged issues but couldn't find any resolution, https://github.com/microsoft/playwright/issues/5636 https://github.com/microsoft/playwright/issues/18293

[pavelfeldman]

Looks like your browser trusts the certificate, while your host system does not. That can happen since Chrome manages trusted CAs on its own. You should figure out why your OS (or Node.js running on it) does not trust the certificate.

[amittendulkar]

Thanks @pavelfeldman. I have installed Playwright on Python. In my case, it is MS Edge that is trusting the certificate.

I am using a Python virtual environment for playwright installation. The python -m certifi command has given me the certificate path it is using. I have appended the certificate chain under both venv certificate and the global certificate managed by Python.

Should I assume the playwright install command will use the above Python certificate path? Or still is it using Node.js managed certificate?

Where does Node.js manage its certificates?

[amittendulkar]

Looks like I got the solution. Indeed it is Node.js not finding the certificate. The below commands solved the issue,

C:\Users\amit_tendulkar>d:\venv\amazon\Scripts\activate

(amazon) C:\Users\amit_tendulkar>python -m certifi
D:\venv\amazon\lib\site-packages\certifi\cacert.pem

(amazon) C:\Users\amit_tendulkar>set NODE_EXTRA_CA_CERTS=D:\venv\amazon\lib\site-packages\certifi\cacert.pem

(amazon) C:\Users\amit_tendulkar>playwright install
Downloading Chromium 108.0.5359.29 (playwright build v1033) from https://playwright.azureedge.net/builds/chromium/1033/chromium-win64.zip
109.5 Mb [====================] 100% 0.0s
Chromium 108.0.5359.29 (playwright build v1033) downloaded to C:\Users\amit_tendulkar\AppData\Local\ms-playwright\chromium-1033
Downloading FFMPEG playwright build v1008 from https://playwright.azureedge.net/builds/ffmpeg/1008/ffmpeg-win64.zip
1.4 Mb [====================] 100% 0.0s
FFMPEG playwright build v1008 downloaded to C:\Users\amit_tendulkar\AppData\Local\ms-playwright\ffmpeg-1008
Downloading Firefox 106.0 (playwright build v1364) from https://playwright.azureedge.net/builds/firefox/1364/firefox-win64.zip
78.3 Mb [====================] 100% 0.0s
Firefox 106.0 (playwright build v1364) downloaded to C:\Users\amit_tendulkar\AppData\Local\ms-playwright\firefox-1364
Downloading Webkit 16.4 (playwright build v1735) from https://playwright.azureedge.net/builds/webkit/1735/webkit-win64.zip
73.6 Mb [====================] 100% 0.0s
Webkit 16.4 (playwright build v1735) downloaded to C:\Users\amit_tendulkar\AppData\Local\ms-playwright\webkit-1735

Thanks to the below Q&A, https://stackoverflow.com/questions/29283040/how-to-add-custom-certificate-authority-ca-to-nodejs

[ResiakA]

Browsers are not getting installed for me as well. Same error encountered. Any resolution for this ?

[amittendulkar]

You need to do the following,

• Visit https://playwright.azureedge.net and download the complete certificate chain
• Let's assume your certificates are stored as root.crt, child1.crt, child2.crt, ... , childN.crt etc. at D:\
• Now create an empty file say D:\cacert.pem and execute the below commands in Powershell,

  gc d:\root.crt | ac d:\cacert.pem
  gc d:\child1.crt | ac d:\cacert.pem
  gc d:\child2.crt | ac d:\cacert.pem
  ...
  gc d:\childN.crt | ac d:\cacert.pem

• Now set the NODE_EXTRA_CA_CERTS variable as set NODE_EXTRA_CA_CERTS=D:\caert.pem on command line (or $env:NODE_EXTRA_CA_CERTS = 'D:\caert.pem' in Powershell).
• Now your playwright install command should work properly.

[ResiakA]

Website is not valid

[amittendulkar]

You can ignore the invalid page error and click on the certificate icon to export/download the entire certificate chain locally.

[ResiakA]

Sir, No certificate option is displayed it it directly opening this site

[amittendulkar]

@ResiakA, please click on the lock icon as indicated below.

Next, select "Connection is secure" menu item (this is Edge specific. You will see something similar in Chrome or Firefox)

Now click on the certificate icon,

You should see a certificate viewer as below. Click on the details tab,

Now select each certificate in the tree starting from root and click export to export those certificates (in your case the presented certificates will be different from the below screenshot),

Once exported, you will need to follow the instructions in my earlier comments to append those certificates in a single file and use it as an additional certificate store for the Node.js.

[ResiakA]

This surely looks helpful just a quick help Because i am new to this. How do we create a .PEM file sir ?

[amittendulkar]

This surely looks helpful just a quick help Because i am new to this. How do we create a .PEM file sir ?

The first command gc d:\root.crt | ac d:\cacert.pem should automatically create the PEM file if it doesn't exist.

[ResiakA]

Error occurred. Could you please help sir Files are stored at the location

[amittendulkar]

@ResiakA, have you stored the certificate files at d:\? What are their names and paths? Accordingly the file path against the gc command will change.

[ResiakA]

Kept them exactly as you explained sir... if it is okay i would like to get in touch for some guidance and help from you as i am a beginner. It would be a huge help for me. @9955366412 for the resolution please reach out sir. 🙏🏻🙏🏻🙏🏻🙏🏻🙏🏻

[amittendulkar]

Please provide the output of the command, dir D:\*.crt. It should return the your stored files. If it doesn't, provide the output of dir D:\root*. I can't see the path inside D:\ in your image. Make sure they are in the root of D: and not under some sub-directory.

[SabFloki]

On top of above cacert.pem made ready, you need to do the below to make playwright to install browsers without errors. `npm config set strict-ssl=false

npm config set registry http://registry.npmjs.org/

npm config set cafile /path/to/your/cert.pem

set NODE_TLS_REJECT_UNAUTHORIZED=0`

Got to resolve this in VM with firewall protection. With Zscaler, if issues exists, please update policy in it and rerun the above.

[Mujtaba-git]

You need to do the following,

• Visit https://playwright.azureedge.net and download the complete certificate chain
• Let's assume your certificates are stored as root.crt, child1.crt, child2.crt, ... , childN.crt etc. at D:\
• Now create an empty file say D:\cacert.pem and execute the below commands in Powershell,

gc d:\root.crt | ac d:\cacert.pem
gc d:\child1.crt | ac d:\cacert.pem
gc d:\child2.crt | ac d:\cacert.pem
...
gc d:\childN.crt | ac d:\cacert.pem

• Now set the NODE_EXTRA_CA_CERTS variable as set NODE_EXTRA_CA_CERTS=D:\caert.pem on command line (or $env:NODE_EXTRA_CA_CERTS = 'D:\caert.pem' in Powershell).
• Now your playwright install command should work properly.

Thank you. You are a true gem ♥ 👍🏼

[AkashdeepQA]

Hi @amittendulkar, Even after performing all the steps, I am getting below error: Downloading Chromium 117.0.5938.62 (playwright build v1080) from https://playwright.azureedge.net/builds/chromium/1080/chromium-win64.zip Error: connect ETIMEDOUT 192.0.2.1:443 at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1495:16) { errno: -4039, code: 'ETIMEDOUT', syscall: 'connect', address: '192.0.2.1', port: 443 } Failed to install browsers Error: Failed to download Chromium 117.0.5938.62 (playwright build v1080), caused by Error: Download failure, code=1 at ChildProcess.<anonymous> (C:\Learning\Playwright\PlaywrightTrial\node_modules\playwright-core\lib\server\registry\browserFetcher.js:91:16) at ChildProcess.emit (node:events:514:28) at ChildProcess._handle.onexit (node:internal/child_process:291:12)

I tried increasing the PLAYWRIGHT_DOWNLOAD_CONNECTION_TIMEOUT to 5 minutes. Still no luck. Can you or someone else please help me in fixing this.

Thanks in advance!

[amittendulkar]

I suggest creating a new question for the above and give a reference to the current question as the error is different.

[agray]

You need to do the following,

• Visit https://playwright.azureedge.net and download the complete certificate chain
• Let's assume your certificates are stored as root.crt, child1.crt, child2.crt, ... , childN.crt etc. at D:\
• Now create an empty file say D:\cacert.pem and execute the below commands in Powershell,

gc d:\root.crt | ac d:\cacert.pem
gc d:\child1.crt | ac d:\cacert.pem
gc d:\child2.crt | ac d:\cacert.pem
...
gc d:\childN.crt | ac d:\cacert.pem

• Now set the NODE_EXTRA_CA_CERTS variable as set NODE_EXTRA_CA_CERTS=D:\caert.pem on command line (or $env:NODE_EXTRA_CA_CERTS = 'D:\caert.pem' in Powershell).
• Now your playwright install command should work properly.

How do you download the "complete certificate chain"? Export... button only exports 1 crt file.

[amittendulkar]

You need to do the following,

• Visit https://playwright.azureedge.net and download the complete certificate chain
• Let's assume your certificates are stored as root.crt, child1.crt, child2.crt, ... , childN.crt etc. at D:\
• Now create an empty file say D:\cacert.pem and execute the below commands in Powershell,

gc d:\root.crt | ac d:\cacert.pem
gc d:\child1.crt | ac d:\cacert.pem
gc d:\child2.crt | ac d:\cacert.pem
...
gc d:\childN.crt | ac d:\cacert.pem

• Now set the NODE_EXTRA_CA_CERTS variable as set NODE_EXTRA_CA_CERTS=D:\caert.pem on command line (or $env:NODE_EXTRA_CA_CERTS = 'D:\caert.pem' in Powershell).
• Now your playwright install command should work properly.

How do you download the "complete certificate chain"? Export... button only exports 1 crt file.

Did you follow these instructions? https://github.com/microsoft/playwright/issues/19622#issuecomment-1364102545

You will need to click on each certificate in the chain and click export.

[agray]

You need to do the following,

• Visit https://playwright.azureedge.net and download the complete certificate chain
• Let's assume your certificates are stored as root.crt, child1.crt, child2.crt, ... , childN.crt etc. at D:\
• Now create an empty file say D:\cacert.pem and execute the below commands in Powershell,

gc d:\root.crt | ac d:\cacert.pem
gc d:\child1.crt | ac d:\cacert.pem
gc d:\child2.crt | ac d:\cacert.pem
...
gc d:\childN.crt | ac d:\cacert.pem

• Now set the NODE_EXTRA_CA_CERTS variable as set NODE_EXTRA_CA_CERTS=D:\caert.pem on command line (or $env:NODE_EXTRA_CA_CERTS = 'D:\caert.pem' in Powershell).
• Now your playwright install command should work properly.

How do you download the "complete certificate chain"? Export... button only exports 1 crt file.

Did you follow these instructions? #19622 (comment)

You will need to click on each certificate in the chain and click export.

Extras certs were ignored for some reason:

[amittendulkar]

@agray, please set $env:NODE_EXTRA_CA_CERTS to the absolute path of the pem file instead of just the filename.

I see that you are changing directory and then trying the install. Hence is it not finding the pem file.

[anshuman-bhatia]

You need to do the following,

• Visit https://playwright.azureedge.net and download the complete certificate chain
• Let's assume your certificates are stored as root.crt, child1.crt, child2.crt, ... , childN.crt etc. at D:\
• Now create an empty file say D:\cacert.pem and execute the below commands in Powershell,

gc d:\root.crt | ac d:\cacert.pem
gc d:\child1.crt | ac d:\cacert.pem
gc d:\child2.crt | ac d:\cacert.pem
...
gc d:\childN.crt | ac d:\cacert.pem

• Now set the NODE_EXTRA_CA_CERTS variable as set NODE_EXTRA_CA_CERTS=D:\caert.pem on command line (or $env:NODE_EXTRA_CA_CERTS = 'D:\caert.pem' in Powershell).
• Now your playwright install command should work properly.

At 2:51 AM, this finally worked for me. Thanks for saving me !

[VasanthVJ]

Hi, I am currently similar issue in downloading the browsers and trying to download the certificates but I could only download certificate named "Cisco Umbrella Root CA".

[millenial94]

Hi @amittendulkar, I did exactly as you directed and yet I'm still getting the error

[millenial94]

On top of above cacert.pem made ready, you need to do the below to make playwright to install browsers without errors. `npm config set strict-ssl=false

npm config set registry http://registry.npmjs.org/

npm config set cafile /path/to/your/cert.pem

set NODE_TLS_REJECT_UNAUTHORIZED=0`

Got to resolve this in VM with firewall protection. With Zscaler, if issues exists, please update policy in it and rerun the above.

Would this be safe to execute on a company laptop? @SabFloki

Would you endorse this steps? @amittendulkar

[amittendulkar]

Hi @amittendulkar, I did exactly as you directed and yet I'm still getting the error

The error clearly says that the file D:\cacert.pem doesn't exist. Have you created the file as per the instructions?

[millenial94]

Hi @amittendulkar, I did exactly as you directed and yet I'm still getting the error

The error clearly says that the file D:\cacert.pem doesn't exist. Have you created the file as per the instructions?

I created the file as per instructions. Here is the screenshot

But since I was stuck there long and couldn't find a way out hence I executed these steps so I asked if it'd be safe to execute them on company laptop?

[amittendulkar]

I see you are trying to make this work for Playwright with Javascript. While I had used the Playwright with Python. I am not sure whether additional steps are required for the npm init to work.

Can you try the instructions for Playwright with Python (playwright install command)?

[millenial94]

I did try that. It still failed. Hence I tried these steps and it worked. But I was concerned that these following steps would not cause any issue on company laptop.

On top of above cacert.pem made ready, you need to do the below to make playwright to install browsers without errors. `npm config set strict-ssl=false

npm config set registry http://registry.npmjs.org/

npm config set cafile /path/to/your/cert.pem

set NODE_TLS_REJECT_UNAUTHORIZED=0`

Got to resolve this in VM with firewall protection. With Zscaler, if issues exists, please update policy in it and rerun the above.

[Chetu1993]

@ResiakA, have you stored the certificate files at d:? What are their names and paths? Accordingly the file path against the gc command will change.

hello

[Chetu1993]

You need to do the following,

• Visit https://playwright.azureedge.net and download the complete certificate chain
• Let's assume your certificates are stored as root.crt, child1.crt, child2.crt, ... , childN.crt etc. at D:\
• Now create an empty file say D:\cacert.pem and execute the below commands in Powershell,

gc d:\root.crt | ac d:\cacert.pem
gc d:\child1.crt | ac d:\cacert.pem
gc d:\child2.crt | ac d:\cacert.pem
...
gc d:\childN.crt | ac d:\cacert.pem

• Now set the NODE_EXTRA_CA_CERTS variable as set NODE_EXTRA_CA_CERTS=D:\caert.pem on command line (or $env:NODE_EXTRA_CA_CERTS = 'D:\caert.pem' in Powershell).
• Now your playwright install command should work properly.

How do you download the "complete certificate chain"? Export... button only exports 1 crt file.

[Chetu1993]

@amittendulkar,

hello while installing the playwright iam getting the errors for downloading the browsers, so please anyone help me for this,

Downloading Chromium 125.0.6422.26 (playwright build v1117) from https://playwright-akamai.azureedge.net/builds/chromium/1117/chromium-win64.zip Error: unable to verify the first certificate at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34) at TLSSocket.emit (node:events:519:28) at TLSSocket._finishInit (node:_tls_wrap:1085:8) at ssl.onhandshakedone (node:_tls_wrap:871:12) { code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'

iam getting this error, kindly help me for solve this issue

[amittendulkar]

You need to do the following,

• Visit https://playwright.azureedge.net and download the complete certificate chain
• Let's assume your certificates are stored as root.crt, child1.crt, child2.crt, ... , childN.crt etc. at D:\
• Now create an empty file say D:\cacert.pem and execute the below commands in Powershell,

gc d:\root.crt | ac d:\cacert.pem
gc d:\child1.crt | ac d:\cacert.pem
gc d:\child2.crt | ac d:\cacert.pem
...
gc d:\childN.crt | ac d:\cacert.pem

• Now set the NODE_EXTRA_CA_CERTS variable as set NODE_EXTRA_CA_CERTS=D:\caert.pem on command line (or $env:NODE_EXTRA_CA_CERTS = 'D:\caert.pem' in Powershell).
• Now your playwright install command should work properly.

How do you download the "complete certificate chain"? Export... button only exports 1 crt file.

You need to download each certificate in the certificate chain manually and import into the pem file.

[Chetu1993]

You need to do the following,

• Visit https://playwright.azureedge.net and download the complete certificate chain
• Let's assume your certificates are stored as root.crt, child1.crt, child2.crt, ... , childN.crt etc. at D:\
• Now create an empty file say D:\cacert.pem and execute the below commands in Powershell,

gc d:\root.crt | ac d:\cacert.pem
gc d:\child1.crt | ac d:\cacert.pem
gc d:\child2.crt | ac d:\cacert.pem
...
gc d:\childN.crt | ac d:\cacert.pem

• Now set the NODE_EXTRA_CA_CERTS variable as set NODE_EXTRA_CA_CERTS=D:\caert.pem on command line (or $env:NODE_EXTRA_CA_CERTS = 'D:\caert.pem' in Powershell).
• Now your playwright install command should work properly.

How do you download the "complete certificate chain"? Export... button only exports 1 crt file.

You need to download each certificate in the certificate chain manually and import into the pem file.

@amittendulkar hello amit i have downloded the certificate and i have only C drive and i dont have any other drives so i created a folder in C drive and because it is not allowing me to create directly pem file so i created a folder and then created a cacert.pem file and i went to path then powershell and ran your command but iam getting error and also i tried in normal mode and administrator mode but getting an error of commandNotFound exception and powershell not allowed me to take screenshot otherwise i would have sent it, so better you can communicate with me on my whatsapp 8088261941 so that we can solve this issue more quickly, thanks

[AR-George]

to be honest, I just end up running set NODE_TLS_REJECT_UNAUTHORIZED=0

[Paulczak]

Hi Amittendulkar and others, I created cacert.pem as described, but still get the exact same error when trying to install playwright. I only get one cert at https://playwright.azureedge.net/. The cert is from Digital Guardian as shown in below screen shots. I tried the set NODE_TLS_REJECT_UNAUTHORIZED=0 suggestion from AR-George, but that also gave the same playwright install error. The npm commands in millenial94 suggestions were not recognized. Any help anyone could offer would be greatly appreciated. Thanks.

[amittendulkar]

Hi Amittendulkar and others, I created cacert.pem as described, but still get the exact same error when trying to install playwright. I only get one cert at https://playwright.azureedge.net/. The cert is from Digital Guardian as shown in below screen shots. I tried the set NODE_TLS_REJECT_UNAUTHORIZED=0 suggestion from AR-George, but that also gave the same playwright install error. The npm commands in millenial94 suggestions were not recognized. Any help anyone could offer would be greatly appreciated. Thanks.

You should see the certificate chain in the "details" tab of the screenshot you have posted (you have given the screenshot of the "General" tab). Download and import each certificate in the chain.

[Paulczak]

There is no chain in the details. It is just the one cert from Digital Guardian.

[Paulczak]

I installed node and tried the npm commands from millenial94 and still got the same error.

[Paulczak]

I tried installing Chromium 126.0.6478.62 using Chocolatey v2.3.0, but this did not work for playwright.

[Paulczak]

I tried installing the certificate, but still same error. There are a dozen certificate stores so do not know which one would work if at all.

[Paulczak]

This is what the cacert.pem file looks like:

[amittendulkar]

There is no chain in the details. It is just the one cert from Digital Guardian.

Click each node in the certificate hierarchy and then export. I think you have 2 certificates in the chain (first one being "Digital Guardian, Inc.").

[Paulczak]

I created another cacert.pem file with two certificates in it, but still get the same error:

The cacert.pem file looks like this now:

File in D: drive

[Paulczak]

I do not know what else to try with the certificate. Is there a way to bypass the certificate or manually install the https://playwright.azureedge.net/builds/chromium/1117/chromium-win64.zip file? Thanks for all your help on this issue Amit.

[amittendulkar]

I suggest not to create a blank cacert.pem file in D:. Append your downloaded certificates to an existing certificate pem file referred by Python. In my case,

> python -m certifi
D:\venv\amazon\lib\site-packages\certifi\cacert.pem

So I appended the downloaded certificates to the above file.

gc d:\root.crt | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
gc d:\child1.crt | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
gc d:\child2.crt | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
...
gc d:\childN.crt | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem

Now set Node.js to find the above file,

$env:NODE_EXTRA_CA_CERTS='D:\venv\amazon\lib\site-packages\certifi\cacert.pem'

Now the playwright install should work (at least I don't have any more tips than above as I am not actively using playwright at the moment).

Also refer to https://github.com/microsoft/playwright/issues/19622#issuecomment-1435517631

The above instructions might help you.

[Paulczak]

I added the certifi module with pip install certifi and set the path to the cacert.pem file it created:

I appendeded the two Digital Guardian certs to the new cacert.pem file, but still got the same error:

I tried running the npm commands in the #19622 comment, but still got the same error: