yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

certificate problem private artifactory repository #1184

Open garroga opened 8 years ago

garroga commented 8 years ago

Hi, I'm trying to use yarn with a private Artifactory repository. In our .npmrc we have a scope:

@scope:registry=https://<repo address>
//<repo address>:_password=password
//<repo address>:username=user
//<repo address>:email=mail
//<repo address>:always-auth=true
strict-ssl=false
ca=

.yarnrc

registry "<repo address>//"
cafile null
strict-ssl false

After trying to add a package like lodash, or our own scoped package @scope/package, I get

yarn add v0.15.1
[1/4] Resolving packages...
error self signed certificate in certificate chain
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)
info Visit http://yarnpkg.com/en/docs/cli/add for documentation about this command.

I was going through the issues that are documented and nothing helps right now. Any suggestions?

#980 #892

rick-li commented 8 years ago

Same here

Yarn version: 0.16.1

Node version: 5.11.1

Platform: win32 x64

yarn manifest: No manifest

bower manifest: No manifest

Lockfile: No lockfile

Trace: Error: self signed certificate in certificate chain at Error (native) at TLSSocket.strict-ssl "false" (_tls_wrap.js:1065:38) at emitNone (events.js:80:13) at TLSSocket.emit (events.js:179:7) at TLSSocket._init.ssl.onclienthello.ssl.oncertcb.TLSSocket._finishInit (_tls_wrap.js:593:8) at TLSWrap.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:425:38)

I have set strict-ssl "false"

chlunde commented 8 years ago

Hi, make sure you're running yarn 0.16.0 or newer.

Then download the current certificate, and verify with your operations team that it is the correct one:

openssl x509 -in <(openssl s_client -connect www.google.com:443  -prexit 2>/dev/null)

replace www.google.com:443 with the correct servername and port. You may also need to add -servername www.google.com. For those who get a different error: error unable to verify the first certificate, you should get the CA instead of server certificate in this step.

Next, decide if you (and the company you work for) want to be protected from man in the middle attacks. An MITM attack in this case could send you the wrong/malicious code and take your registry credentials. If you can accept this risk, you can just set strict-ssl to false. Please remember that while you might trust your day-to-day home/work network, you might not have the same trust in hotel/conference/airport networks.

_Linux setup_ On Fedora/RHEL/CentOS/Debian/Ubuntu I would add it to the OS trust store, and configure yarn to use the OS trust store. This will also make the registry trusted by your browser, and tools like curl/wget, openssl.

Fedora/RHEL/CentOS

Add the CA or self signed certificate to /etc/pki/ca-trust/source/anchors/. Run sudo update-ca-trust extract. If you use nodejs provided by Red Hat, that's it!

If you have compiled nodejs yourself, or have downloaded nodejs from https://nodejs.org/, you need to configure yarn to use the OS trust store instead of the included static nodejs trust store:

yarn config set cafile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Debian/Ubuntu

This is similar to the instructions for Red Hat Enterprise Linux:

  1. Add your .crt file to /usr/local/share/ca-certificates
  2. sudo update-ca-certificates
  3. yarn config set cafile /etc/ssl/certs/ca-certificates.crt

_Alternative custom bundle setup (for example for macOS)_

If you also want to be able to use this repository, and other repositories over https, and do not want to or cannot update the OS trust store, you need to make a cafile containing your self signed certificate and a bundle of trusted certificate authorities like the one provided by Mozilla. The author of curl makes such a bundle available in the correct format as cacert.pem (more info).

  1. Download cacert.pem - for example to $HOME/.cacert.pem
  2. Add your certificate or CA to that file
  3. yarn config set cafile $HOME/.cacert.pem
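
A small script that carries out the custom-bundle steps above with the fingerprint check kept in the loop (an added example, not code from this thread or from yarn): it hashes the DER body of the internal CA, refuses to write the bundle unless the SHA-256 fingerprint matches the value supplied out of band by the operations team, then concatenates the Mozilla bundle and the CA into the file that yarn's cafile should point at. The file names, the expected fingerprint and the script name are assumptions.

```shell
#!/usr/bin/env bash
# Added example: build a custom yarn cafile (Mozilla bundle + internal CA) only
# after the CA's SHA-256 fingerprint matches what the operations team gave you.
# File names and the expected fingerprint are assumptions for illustration.
set -eu

# SHA-256 fingerprint (lowercase hex, no colons) of the first certificate in a
# PEM file. The fingerprint is the SHA-256 of the DER bytes, i.e. the decoded
# base64 body between the BEGIN/END lines. This equals the output of
# `openssl x509 -fingerprint -sha256 -noout -in <file>` with the colons removed.
cert_fingerprint_sha256() {
    awk '/-----BEGIN CERTIFICATE-----/{f=1;next} /-----END CERTIFICATE-----/{exit} f' "$1" \
        | tr -d '\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Number of certificates in a PEM bundle (prints 0 when none, without tripping set -e).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_bundle <mozilla cacert.pem> <internal CA .crt> <expected fingerprint> <out>
# Accepts the fingerprint in either "AB:CD:..." or "abcd..." form. Refuses to
# write the bundle when the fingerprint does not match, so a certificate
# injected by an on-path attacker never becomes trusted by yarn.
build_bundle() {
    mozilla_bundle=$1 internal_ca=$2 expected_fp=$3 out=$4
    want=$(printf '%s' "$expected_fp" | tr -d ':' | tr 'A-F' 'a-f')
    got=$(cert_fingerprint_sha256 "$internal_ca")
    if [ "$got" != "$want" ]; then
        echo "refusing: CA fingerprint $got does not match expected $want" >&2
        return 1
    fi
    # A newline between the files keeps the PEM blocks separated even when the
    # Mozilla bundle lacks a trailing newline.
    { cat "$mozilla_bundle"; echo; cat "$internal_ca"; } > "$out"
    echo "wrote $out with $(count_certs "$out") certificates"
    echo "next step: yarn config set cafile $out"
}

# Usage: build_yarn_cafile.sh cacert.pem internal-ca.crt <sha256 fingerprint> ~/.cacert.pem
if [ "$#" -eq 4 ]; then
    build_bundle "$@"
fi
```
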
rick-li commented 8 years ago

@chlunde Thanks for the detailed instructions. I'm using yarn@0.16.1. Since it's a trusted internal network, I'm OK with no SSL verification, but I'm still getting "self signed certificate in certificate chain" with strict-ssl "false".

chlunde commented 8 years ago

@rick-li Could you try the cafile alternative instead? I haven't tested strict-ssl myself, only cafile.

rick-li commented 8 years ago

@chlunde With cafile, I'm getting Error: unable to get local issuer certificate

tommck commented 8 years ago

I'm having the same problem with an artifactory repository. Would be really nice to be able to use yarn

Oh, and I'm on windows, so none of the examples of cafile stuff work for me :)

krtek commented 7 years ago

yarn config set strict-ssl false works for me with latest yarn.

anandkumarrb commented 7 years ago

Guys, if you have any issue with a self-signed certificate with yarn install, just configure the following in your .yarnrc file and run it again:

registry "url"
cafile null
strict-ssl false

it worked for me