search

the-last-byte / ESET-NPM-Breakage-Fix

Fix for NPM certs being broken by a corporate/security product firewall on Windows 10
9 stars 1 forks source link

Readme improvement #1

Open nagyszabi opened 2 months ago

nagyszabi commented 2 months ago

Hello there!

I really appreciate the fix you provided, it worked great (also worked on win 11)!

But since I don't use openssl that often, I would suggest some very minor improvements:

-pkcs7 -print_certs -in exported.p7b -out converted.cer
+openssl pkcs7 -in exported.p7b -out converted.cer

Also, I would add another note, that if someone (like I did) encounters the following error when converting:

unable to load PKCS7 object
34359836736:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: PKCS7

They should add -inform der to specify the format. Source for the fix

One more thing, would be to specify that the /m parameter in the last command is for adding the env var to HKEY_LOCAL_MACHINE, jus for transparency. This action also needs admin privileges.

nagyszabi commented 2 months ago

Small update. It worked on one project, but it did not in one using Angular.

It gives the following error:

npm ERR! code UNABLE_TO_VERIFY_LEAF_SIGNATURE
npm ERR! errno UNABLE_TO_VERIFY_LEAF_SIGNATURE
npm ERR! request to https://registry.npmjs.org/webpack-dev-middleware/-/webpack-dev-middleware-5.3.4.tgz failed, reason: unable to verify the first certificate

But the other fix from the forum did not work on this project as well:

npm --use-openssl-ca i

I've tried restarting my editor and Windows as well, but it did not have any effect.

ferdiusa commented 2 months ago

For me to get this to work, i actually had to specify the output format (PEM) as well. Otherwise the .cer-file would still contain an PKCS7 format certificate:

openssl pkcs7 -inform DER -in exported.p7b -outform PEM -out converted.cer

Thank you both for saving the rest of my sunday stolen by eset.

nagyszabi commented 2 months ago

That's it, I needed -outform PEM as well!

Now both of the projects work, thank you!

kobe-ra commented 2 months ago

I was so happy when I saw this fix but it still didn't help me 😢 .

Do you guys also have private git repo as a dependency? Like this example:

"ratrakcn-ui": "https://github.com/kobe-ra/ratrakcn-ui.git",
"svelte-sonner": "^0.3.17",

If I remove the private repo it works, but not with it.

rstefko commented 2 months ago

openssl pkcs7 -inform DER -in exported.p7b -outform PEM -out converted.cer

I had to add -print_certs from the original command, so the whole command looked like:

openssl pkcs7 -print_certs -inform DER -in exported.p7b -outform PEM -out converted.cer

rstefko commented 2 months ago

As the ESET SSL Filter CA certificate is unique for each device a Powershell script might be handy:

$cert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where { $_.Subject -like "*CN=ESET SSL Filter CA" }
Export-Certificate -Cert $cert -FilePath C:\Temp\ESET-SSL-Filter-CA.cer
&certutil -f -encode C:\Temp\ESET-SSL-Filter-CA.cer C:\Temp\ESET-SSL-Filter-CA.pem
the-last-byte commented 2 months ago

Thank you @nagyszabi, @ferdiusa, and @rstefko! I've updated the readme with your feedback!

mimiemr commented 2 months ago

For people that are looking for the complete PowerShell script please see below. This would be helpful if you have an endpoint management solution and you want to deploy the fix automatically on all your assets affected.

Variables

$FolderPath= "C:\temp\certs" $cert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where { $_.Subject -like "*CN=ESET SSL Filter CA" }

Check if Folder exists

If(!(Test-Path -Path $FolderPath)) {

powershell create directory

New-Item -ItemType Directory -Path $FolderPath

}

Export ESET certificate as .cer and convert it to .pem format

Export-Certificate -Cert $cert -FilePath $FolderPath\ESET-SSL-Filter-CA.cer certutil -f -encode $FolderPath\ESET-SSL-Filter-CA.cer $FolderPath\ESET-SSL-Filter-CA.pem

Create System Variable