mpetuska / npm-publish

Gradle plugin for NPM package publishing. Allows for arbitrary publishing as well as seamless integration with Kotlin JS/MPP plugins.
https://npm-publish.petuska.dev
Apache License 2.0

self-signed certificate #128

Closed albert361 closed 11 months ago

albert361 commented 1 year ago

Hi,

Thanks for developing this plugin! Is there a way to bypass self-signed certificate error?

npm notice Publishing to https://xxxxxxxxxxx/
npm ERR! code SELF_SIGNED_CERT_IN_CHAIN
npm ERR! errno SELF_SIGNED_CERT_IN_CHAIN
npm ERR! request to https://xxxxxxxxxxx/@my-org%2fmy-package failed, reason: self-signed certificate in certificate chain

mpetuska commented 1 year ago

I'm not sure. How's that normally handled with vanilla npm?

albert361 commented 1 year ago

Typically, we can use either:

  1. npm config set strict-ssl false -> not good since it updates global .npmrc
  2. npm config set cafile /path/to/cert.pem -> not good since it updates global .npmrc
  3. NODE_TLS_REJECT_UNAUTHORIZED=0 npm publish .....
  4. npm publish --strict-ssl false .....

IMO we should at least have the ability to use either 3 or 4 to let the user temporarily disable the strict-ssl check ONLY for publishing.
Regarding points 1 and 2, if updating the global .npmrc is okay, then it should be configured already.

mpetuska commented 1 year ago

Gotcha. Opt 4 is definitely something I could add to the plugin, but for now I think you can use opt 3 by passing that env var to gradle.

e.g. NODE_TLS_REJECT_UNAUTHORIZED=0 ./gradlew publish

mpetuska commented 1 year ago

@albert361 can you share where that --strict-ssl option is documented? There's no mention of it in the npm publish cli command docs.

mpetuska commented 11 months ago

@albert361 any comments or should I close this for now?

mpetuska commented 11 months ago

Closing this for now until someone can provide some npm documentation for this.
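
A pre-publish check for the verification-disabling settings named in this thread (options 1 and 3), so a CI job can refuse to publish while they are active. This is an added example, not part of the thread or of the plugin; the function names are hypothetical, and npm_config_strict_ssl is npm's environment-variable form of the strict-ssl setting.

```shell
#!/bin/sh
# Added example: flag settings that switch off TLS certificate
# verification for npm. Function names are hypothetical.

# audit_npmrc FILE
# Returns 1 (and prints a finding) if FILE sets strict-ssl to false.
audit_npmrc() {
    npmrc=$1
    [ -r "$npmrc" ] || return 0   # a missing file has nothing to report
    # .npmrc is ini-style "key = value"; lines starting with ';' or '#'
    # are comments and do not match because the key must come first.
    if grep -Eiq '^[[:space:]]*strict-ssl[[:space:]]*=[[:space:]]*"?false"?[[:space:]]*$' "$npmrc"; then
        echo "$npmrc: strict-ssl=false disables certificate verification"
        return 1
    fi
    return 0
}

# audit_env
# Returns 1 if the current environment disables verification.
audit_env() {
    env_rc=0
    if [ "${NODE_TLS_REJECT_UNAUTHORIZED:-}" = "0" ]; then
        echo "env: NODE_TLS_REJECT_UNAUTHORIZED=0 disables verification for all Node TLS connections"
        env_rc=1
    fi
    # npm reads configuration from npm_config_* environment variables too.
    if [ "${npm_config_strict_ssl:-}" = "false" ]; then
        echo "env: npm_config_strict_ssl=false disables certificate verification"
        env_rc=1
    fi
    return "$env_rc"
}

# audit_all FILE...
# Checks the environment and every .npmrc given; returns 1 on any finding.
# Typical call: audit_all .npmrc "$HOME/.npmrc" || exit 1
audit_all() {
    all_rc=0
    audit_env || all_rc=1
    for f in "$@"; do
        audit_npmrc "$f" || all_rc=1
    done
    return "$all_rc"
}
```

Option 4 is a command-line flag, so it shows up in the build script or command history rather than in the files and variables checked here.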