[Question]: "playwright install" command fails with UNABLE_TO_GET_ISSUER_CERT_LOCALLY error

[amittendulkar]

"playwright install" command fails with UNABLE_TO_GET_ISSUER_CERT_LOCALLY error

I am using Windows 11 with Python 3.8.10

Here is the trace.

>playwright install
Downloading Chromium 108.0.5359.29 (playwright build v1033) from https://playwright.azureedge.net/builds/chromium/1033/chromium-win64.zip
Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1539:34)
    at TLSSocket.emit (node:events:513:28)
    at TLSSocket._finishInit (node:_tls_wrap:953:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:734:12) {
  code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}

I found out that this error comes because my company has installed Zscaler on my laptop which is presenting its own certificate when browsed the Microsoft CDN website,

I imported the root and intermediate certificates to the cacert.pem file as mentioned in the below URL. https://community.zscaler.com/t/installing-tls-ssl-root-certificates-to-non-standard-environments/7261

Specifically I used the below commands,

> python -m certifi
D:\venv\amazon\lib\site-packages\certifi\cacert.pem
> gc "c:\Users\amit_tendulkar\Downloads\Zscaler Root CA.crt" | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
> gc 'C:\Users\amit_tendulkar\Downloads\Zscaler Intermediate Root CA (zscalerthree.net).crt' | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
> gc 'C:\Users\amit_tendulkar\Downloads\Zscaler Intermediate Root CA (zscalerthree.net) (t)_.crt' | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
> gc 'C:\Users\amit_tendulkar\Downloads\_.azureedge.net.crt'| ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem

Still I got the same errors.

Then I referred to https://playwright.dev/docs/browsers#install-behind-a-firewall-or-a-proxy to understand that I might need to set a proxy.

By logging in to ip.zscaler.net I got the following details,

When I set the proxy like this and tried installing the browsers, I got the below error,

> set HTTPS_PROXY=https://165.225.120.33
> playwright install
Downloading Chromium 108.0.5359.29 (playwright build v1033) from https://playwright.azureedge.net/builds/chromium/1033/chromium-win64.zip
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 165.225.120.33 is not in the cert's list:
    at new NodeError (node:internal/errors:387:5)
    at Object.checkServerIdentity (node:tls:354:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1549:27)
    at TLSSocket.emit (node:events:513:28)
    at TLSSocket._finishInit (node:_tls_wrap:953:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:734:12) {
  reason: "IP: 165.225.120.33 is not in the cert's list: ",
  host: '165.225.120.33',
  cert: {
    subject: [Object: null prototype] {
      C: 'US',
      ST: 'California',
      L: 'San Jose',
      O: 'Zscaler, Inc.',
      CN: '*.zscalerthree.net'
    },
    issuer: [Object: null prototype] {
      C: 'US',
      O: 'DigiCert Inc',
      CN: 'DigiCert TLS RSA SHA256 2020 CA1'
    },
    subjectaltname: 'DNS:*.zscalerthree.net, DNS:gateway.zscalerthree.net, DNS:login.zscalerthree.net, DNS:zscalerthree.net',
    infoAccess: [Object: null prototype] {
      'OCSP - URI': [Array],
      'CA Issuers - URI': [Array]
    },
    modulus: 'C8A77BED7A0117DE5EEAA9EA76DC501D02C41BA1239CC55E5F98347321B9E1098EF62C39EF36DB8D0329BE227B81D2A10F7EA828F0ADD63391F722B49755683727D8C397BDE7C9EFB8C07336F44C683B0F2308CB4875A880614570A1D36816F3B5671C7F5CB869CE1CCE6D12C8B0E39324BDCA7BB79CB0276EDE384476A3360116D1B1650E8BBB829515F547C2E61CF0FD35051532A774962F219F326DB2A61F4C84060F9BF77F14AAAFEF0B741F47D49318886423EC091D2BB6E9197B1FECF18CBC209204E9B0D227A41B3773414C2A0EB96F5264EA976D30041C912B4EE350678BDFE478188FE8957B9937EBFAC76A7FC50CBE159E8AF62AE86F5DF22F2701',
    bits: 2048,
    exponent: '0x10001',
    pubkey: <Buffer 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c8 a7 7b ed 7a 01 17 de 5e ea a9 ea 76 dc 50 1d 02 ... 244 more bytes>,
    valid_from: 'May 10 00:00:00 2022 GMT',
    valid_to: 'Jun 10 23:59:59 2023 GMT',
    fingerprint: 'D5:59:B6:14:19:46:68:95:DF:C2:97:6D:D5:7C:D7:CF:F4:BE:C8:6C',
    fingerprint256: '9E:B3:88:55:74:88:C7:52:9D:39:FF:79:EF:D8:5B:57:F3:11:BB:ED:74:1D:EF:D5:9E:DC:21:00:94:20:7F:61',
    fingerprint512: '87:EF:B4:FD:1C:7E:06:DD:69:4D:B3:51:61:65:4E:84:85:E3:BF:44:9E:4C:AB:BC:20:EE:15:74:79:C3:4B:5D:50:26:F7:B0:98:21:2F:BA:9A:FC:5D:E8:85:7C:A0:D5:1E:95:33:80:48:29:ED:5E:DA:9E:CD:AB:DE:69:CF:59',
    ext_key_usage: [ '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2' ],
    serialNumber: '0827612350F56C1E151398D61F719128',
    raw: <Buffer 30 82 06 f9 30 82 05 e1 a0 03 02 01 02 02 10 08 27 61 23 50 f5 6c 1e 15 13 98 d6 1f 71 91 28 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 4f 31 0b ... 1739 more bytes>,
    issuerCertificate: {
      subject: [Object: null prototype],
      issuer: [Object: null prototype],
      infoAccess: [Object: null prototype],
      modulus: 'C14BB3654770BCDD4F58DBEC9CEDC366E51F311354AD4A66461F2C0AEC6407E52EDCDCB90A20EDDFE3C4D09E9AA97A1D8288E51156DB1E9F58C251E72C340D2ED292E156CBF1795FB3BB87CA25037B9A52416610604F571349F0E8376783DFE7D34B674C2251A6DF0E9910ED57517426E27DC7CA622E131B7F238825536FC13458008B84FFF8BEA75849227B96ADA2889B15BCA07CDFE951A8D5B0ED37E236B4824B62B5499AECC767D6E33EF5E3D6125E44F1BF71427D58840380B18101FAF9CA32BBB48E278727C52B74D4A8D697DEC364F9CACE53A256BC78178E490329AEFB494FA415B9CEF25C19576D6B79A72BA2272013B5D03D40D321300793EA99F5',
      bits: 2048,
      exponent: '0x10001',
      pubkey: <Buffer 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c1 4b b3 65 47 70 bc dd 4f 58 db ec 9c ed c3 66 e5 ... 244 more bytes>,
      valid_from: 'Sep 24 00:00:00 2020 GMT',
      valid_to: 'Sep 23 23:59:59 2030 GMT',
      fingerprint: '69:38:FD:4D:98:BA:B0:3F:AA:DB:97:B3:43:96:83:1E:37:80:AE:A1',
      fingerprint256: '25:76:87:13:D3:B4:59:F9:38:2D:2A:59:4F:85:F3:47:09:FD:2A:89:30:73:15:42:A4:14:6F:FB:24:6B:EC:69',
      fingerprint512: '6A:6F:6D:A5:D4:7D:88:75:7F:16:85:37:23:19:8D:5A:D5:5F:4A:04:1E:1E:AA:52:00:AF:7F:10:54:80:0C:D4:A9:EA:73:4A:F8:76:3D:F1:20:9A:8C:E2:27:3D:C0:DB:BF:C7:66:73:1D:B5:11:7B:FC:66:D4:4D:B2:B7:00:9C',
      ext_key_usage: [Array],
      serialNumber: '0A3508D55C292B017DF8AD65C00FF7E4',
      raw: <Buffer 30 82 04 ea 30 82 03 d2 a0 03 02 01 02 02 10 0a 35 08 d5 5c 29 2b 01 7d f8 ad 65 c0 0f f7 e4 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 61 31 0b ... 1212 more bytes>,
      issuerCertificate: [Object]
    }
  },
  code: 'ERR_TLS_CERT_ALTNAME_INVALID'
}

Any pointers?

[Paulczak]

I also installed the certs in the Trusted Root Certification Authorities store, but still got the same error. I greatly appreciate all your tips and help on this issue even though it did not work for me, but I have some good news on manually installing the browser...

At some point I tried running playwright codegen to see if it worked, and saw the path where it expected to find chrome.exe in the error message:

I downloaded the zip file from the certificate error and saw it contained the chrome-win folder, which was in the path for the playwright codegen command:

I was just missing the chromium-1117 folder, so I created it and pasted the chrome-win folder from the zip file into it. When I ran playwright codegen it worked! I do not know if this will create other issues down the road, but it gets me going for now. I hope this helps others who could not fix the certificate error in any other way.

[abhijitgithub2019]

The solution is only for Python, because when I tried to run gc d:\root.crt | ac d:\cacert.pem, it was throwing gc not found error. I am looking for a solution in js env.