yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

error unable to get local issuer certificate #841

Closed kevincaradant closed 8 years ago

kevincaradant commented 8 years ago

Hi

Do you want to request a feature or report a bug? Bug

If the current behavior is a bug, please provide the steps to reproduce.

λ yarn config set strict-ssl false
yarn config v0.15.1
success Set "strict-ssl" to "false".
Done in 0.06s.
yarn install

error unable to get local issuer certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)
info Visit http://yarnpkg.com/en/docs/cli/install for documentation about this command.

What is the expected behavior? I want to install my dependencies. Am I missing something (maybe)? Thanks

Please mention your node.js, yarn and operating system version.

NodeJS: V6.7 yarn: v0.15.1 OS: Windows 7

hallatore commented 8 years ago

I have the same issue because we are behind a proxy that adds self-signed ssl.

vbfox commented 8 years ago

The same issue happens when strict-ssl is enabled but CAs are manually specified in .npmrc. Yarn seems to ignore all SSL configuration (or requires a different one, but I couldn't find it in config).

ca[]="-----BEGIN CERTIFICATE-----\n..."

aurokin commented 8 years ago

Having the same issue here at work!

YosefLm commented 8 years ago

Having the same issue (I am using self-certificate).

zwik commented 8 years ago

Same issue, also setting the registry to a non-ssl variant or the original non-ssl registry.npmjs.org doesn't help.

chronicIntrovert commented 8 years ago

Behind a corporate proxy so running into this issue as well.

roby2001 commented 8 years ago

I'm having the same exact error behind a corporate proxy :) . Can't wait for a fix :)

stonefishy commented 8 years ago

I have the same issue. The network is behind a proxy; I set strict-ssl to false and also configured the registry as non-SSL, and it still does not work. Better to fix it as soon as possible. Can't wait for it.

mikebranski commented 8 years ago

I believe @TAGraves is working on this in #1025. I really want to see it land! 👍

chlunde commented 8 years ago

PR #736 will add support for cafile, which is another way to solve this issue, and unlike disabling strict-ssl, you will not be vulnerable to MITM attacks.

sebmck commented 8 years ago

We've merged support for cafile and strict-ssl so this issue should be resolved.

elliotwesoff commented 7 years ago

I'm still having this issue with yarn v0.21.3

Update: Also on nightly build 0.22.0-20170303.1013

jeffbski commented 7 years ago

I found that if I duplicated the strict-ssl and other config from .npmrc into .yarnrc then things started working (or use yarn config set to add each part). I'm not sure why it didn't pick it up from .npmrc.

sylvesteraswin commented 7 years ago

I had the same issue under the same circumstances but I ran this command yarn config set strict-ssl false and it worked.

jeffbski commented 7 years ago

Yes, that's what worked for me as well.

darul75 commented 7 years ago

@sylvesteraswin did the same and it worked, thx 👍

damiandennis commented 7 years ago

All broken in 0.23.1. Setting registry to http and strict-ssl to false worked, but now it does not. I also have issues with the certificate being intercepted, which is why I need http.

JesterXL commented 7 years ago

I tried yarn config set strict-ssl false, but now am getting "404 Not Found". Mac Sierra, Node 8.1.2, yarn 0.27.5.

UdaySravanK commented 7 years ago

@JesterXL It worked for me. Using same version v0.27.5

ao commented 7 years ago

yarn config set strict-ssl false worked for me!

afrazahmad21 commented 7 years ago

npm config set strict-ssl

worked for me

BYK commented 7 years ago

Just making sure people don't blindly copy paste code here: DO NOT DISABLE STRICT SSL CHECKS.

Okay now that I have your attention, if you know what exactly you are doing and what risks you are taking on with this, you may. Otherwise, just don't.
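A check a team can run to find machines or repositories where the settings discussed in this thread have been weakened. This is an added example, not part of the original thread or of yarn itself; the sample files are constructed, the function names are this example's own, and it assumes the `key value` layout that yarn 1.x writes to `.yarnrc` and the `key=value` layout of `.npmrc`.

```shell
#!/bin/sh
# Added example: report TLS-weakening settings in yarn v1 / npm rc files.

# Constructed sample files (not taken from the thread).
sample_yarnrc() {
cat <<'EOF'
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
registry "http://registry.npmjs.org"
strict-ssl false
cafile "/etc/ssl/corp-root.pem"
EOF
}
sample_npmrc() {
cat <<'EOF'
; constructed sample
registry=https://registry.npmjs.org/
strict-ssl=true
EOF
}

# Reads rc text on stdin; $1 is a label used in the report.
# Handles both "key value" (.yarnrc) and "key=value" (.npmrc) lines.
audit_rc() {
  awk -v src="$1" '
    /^[ \t]*([#;]|$)/ { next }   # skip comments and blank lines
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      key = line
      sub(/[ \t=].*$/, "", key)              # key ends at first space, tab or "="
      val = substr(line, length(key) + 1)
      gsub(/^[ \t=]+|[ \t]+$/, "", val)      # drop separator and trailing blanks
      gsub(/^"|"$/, "", val)                 # drop surrounding quotes
      if (key == "strict-ssl" && val == "false")
        print src ": strict-ssl disabled (certificates are not verified)"
      if (key ~ /registry$/ && val ~ /^http:\/\//)
        print src ": plain-http registry " val
    }'
}

sample_yarnrc | audit_rc .yarnrc
sample_npmrc  | audit_rc .npmrc
```

On real files, feed each one in: `audit_rc ~/.yarnrc < ~/.yarnrc`.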

snood1205 commented 7 years ago

Is there a solution that doesn't involve exposing yourself to the dangers of using HTTP? I'd really like to be able to fix this without having to disable strict SSL.

damiandennis commented 7 years ago

Well it would be great to use STRICT SSL but the problem is the companies that swap out the certificates, they are actually making it hard not to use http just so they can spy on our traffic to make sure we are not doing something bad. Basically they trust the general public more than their employees. However there is an alternative, you need to get a copy of the certificate the company is swapping and set the cafile to the path of the certificate. This is not as simple a process as it should be but it does work and is safe. If it's not working for you, then you need to upgrade your yarn version...

snood1205 commented 7 years ago

@damiandennis My company just implemented a new cert, so I registered it with my computer and it's been fine for pretty much everything other than yarn oddly enough. I'm on 1.1.0

brandonsturgeon commented 7 years ago

@snood1205 Same situation. Everything else works fine except for yarn and pip

BYK commented 7 years ago

I think this is due to how the request library we rely on is architected:

strictSSL - if true, requires SSL certificates be valid. Note: to use your own certificate authority, you need to specify an agent that was created with that CA as an option.

BYK commented 7 years ago

So you should be able to explicitly whitelist your company certificate by setting the following config values in your .yarnrc:

brandonsturgeon commented 7 years ago

@BYK This is a simple question, forgive me.

What's the format for setting these values? ca=~/Code/certs/mycert.crt ?

Also, there's a large disclaimer at the top of .yarnrc telling me not to modify it. Do I have your permission to change it anyway? 😀

Veske commented 6 years ago

@ao Enjoy your non-deterministic downloads!

shabeermothi commented 6 years ago

yarn config set strict-ssl false worked for me. Thanks @sylvesteraswin

Veske commented 5 years ago

@vrajpoot That is great! But please do not post it here as it might trick other incautious people to also turn off basic security and potentially download malware on their computers.

It is completely fine to like malware and on purpose infect your computer with it.... but it should stay as a research topic or a hobby thing not an actual thing that one would do on their work machine.

Kielan commented 5 years ago

@brandonsturgeon has brought up very valid points that should be addressed and the maintainers of yarn should respond. He's not the only one wondering.

https://github.com/yarnpkg/yarn/issues/6578

beejei commented 4 years ago

Interesting, everyone saying "do not disable strict-ssl". But no one ever succeeds.

devashu9 commented 4 years ago

yarn config set strict-ssl false worked for me. Thanks

sandipt27 commented 4 years ago

I got this error when I tried to install the jquery package. After tons of research I finally found that one should neither set strict-ssl to false nor edit the .yarnrc file. The clean and ideal approach for this is: $ yarn config set cafile "/physical/path/to/certificate-file.pem" and that's it. I was successfully able to install jquery without turning off SSL after running this command.

One can always check the configuration with yarn config list before and after the above command and ensure the change we made has taken effect, which generally it does. :)

FranklinYu commented 4 years ago

@sandipt27 I'm sorry that it took you so long to find the right way. You didn't find them probably because:

  1. The yarnrc documentation didn't mention this secret configuration parameter at all. The convention of "undocumented feature is experimental" doesn't seem to hold for Yarn.
  2. Even the NPM documentation is too brief to be useful. For example, it didn't specify what kind of expansion is done, which is probably platform dependent. Again, people have been using undocumented features for long.
  3. Actually cafile has been mentioned several times in this issue, but more people are simply spamming "hey disable SSL works for me" without thinking about security because they want their job quickly done. Who needs SSL anyway?

You probably can't fix 3, and 2 is in another scope, but maybe someone can come out and fix 1. If you come up with a Pull Request and want a second pair of eyes I can probably help (I do have some general knowledge about cryptography), although I'm not able to approve it since I'm not a maintainer.

beejei commented 4 years ago

https://github.com/yarnpkg/yarn/issues/841#issuecomment-559037850 It doesn't work for me.

I set up a private repository (Verdaccio) with a local issuer certificate and made the same setting with a chained certificate file. But Yarn has failed to download the packages.

It worked in NPM without any issue.

sandipt27 commented 4 years ago

> @sandipt27 I'm sorry that it took you so long to find the right way. You didn't find them probably because:
>
>   1. The yarnrc documentation didn't mention this secret configuration parameter at all. The convention of "undocumented feature is experimental" doesn't seem to hold for Yarn.
>   2. Even the NPM documentation is too brief to be useful. For example, it didn't specify what kind of expansion is done, which is probably platform dependent. Again, people have been using undocumented features for long.
>   3. Actually cafile has been mentioned several times in this issue, but more people are simply spamming "hey disable SSL works for me" without thinking about security because they want their job quickly done. Who needs SSL anyway?
>
> You probably can't fix 3, and 2 is in another scope, but maybe someone can come out and fix 1. If you come up with a Pull Request and want a second pair of eyes I can probably help (I do have some general knowledge about cryptography), although I'm not able to approve it since I'm not a maintainer.

Will surely let you know for your needed help once I move towards Pull Request to fix it. :)

michaeloryl commented 4 years ago

I'm seeing the same thing as well sitting behind a Nexus proxy group. The CA file setting is set with both NPM and Yarn at this point, but I still get the error.

➜ yarn config list
yarn config v1.21.1
info yarn config
{
  'version-tag-prefix': 'v',
  'version-git-tag': true,
  'version-commit-hooks': true,
  'version-git-sign': false,
  'version-git-message': 'v%s',
  'init-version': '1.0.0',
  'init-license': 'MIT',
  'save-prefix': '^',
  'bin-links': true,
  'ignore-scripts': false,
  'ignore-optional': false,
  registry: 'https://registry.yarnpkg.com',
  'strict-ssl': true,
  'user-agent': 'yarn/1.21.1 npm/? node/v12.14.1 darwin x64',
  cafile: '/Users/XXXXXXX/pml_root_ca.pem',
  email: 'XXXXXXXXXXXXXXX',
  username: 'XXXXXXX'
}
info npm config
{
  '//registry.npmjs.org/:_authToken': XXXXXXXXXXXXXXXXXXXXX',
  cafile: '/Users/XXXXXXX/pml_root_ca.pem',
  registry: 'https://XXXXXXXXXXXXXXXXX/repository/npmjs/',
  '//nexus.pennmutual.com/repository/pml-npmjs/:_authToken': 'XXXXXXXXXXXXXXXXX',
  python: '/usr/bin/python'
}
✨  Done in 0.04s.

cdir-ui on  feature/build_api is 📦 v0.1.0 via ⬢ v12.14.1 
➜ yarn install
yarn install v1.21.1
[1/5] 🔍  Validating package.json...
[2/5] 🔍  Resolving packages...
[3/5] 🚚  Fetching packages...
error An unexpected error occurred: "https://registry.yarnpkg.com/dotenv/-/dotenv-8.2.0.tgz: unable to get local issuer certificate".
info If you think this is a bug, please open a bug report with the information provided in "/Users/XXXXXXX/Projects/cdir-ui/yarn-error.log
cdir-ui on  feature/build_api is 📦 v0.1.0 via ⬢ v12.14.1 

cben commented 4 years ago

IIUC, once you set ca or cafile in any way, yarn provides a TLS config to Node, replacing any trust Node would set itself. Instead, to be able to use both system's CA trust store (#6578) AND an extra CA, make sure yarn config list shows no ca / cafile configured, and try setting these env vars:

# Depends how Node was compiled, already default on many Linuxes but can't hurt:
export NODE_OPTIONS=--use-openssl-ca

export NODE_EXTRA_CA_CERTS=/path/to/file.crt

wald-tq commented 3 years ago

This issue ranks pretty high in Google search. The amount of comments that tell you to disable SSL certificate verification is disturbing. Can we please make the web a safer place and clean up the comments? We can leave one comment mentioning to disable SSL verification along with a reasonable warning.

The NODE_EXTRA_CA_CERTS as mentioned by @cben works for me and is IMHO the cleanest setting.

adjenks commented 3 years ago

NODE_EXTRA_CA_CERTS seems to work if you provide the whole chain as a CA. Is there a way to set the verification depth of the chain? If I provide a root CA and there is an intermediate, it does not work. It seems to only validate what's immediately in the CA store and will not walk up the chain to validate.

wald-tq commented 3 years ago

@adjenks that's the idea of a certificate chain. If you don't provide the whole chain, you can't verify the correctness.

adjenks commented 3 years ago

Ah okay, thank you @wald-tq . Some clients, Chrome for example, will use the Authority Information Access (AIA) certificate extension, which contains information about how to get the issuer of this certificate, to fetch the certificate of the issuer automatically. I suppose it doesn't get used here.

stephenpatten commented 3 years ago

Hello @BYK @cben @wald-tq ,

I hate to pile onto a thread this deep, please accept my apology. Given this docker file which is a modified "Getting Started Walkthrough" from docker desktop:

FROM node:12-alpine
RUN apk update && apk add --no-cache python g++ make && rm -rf /var/cache/apk/*
COPY ./zscalerrootca.crt /usr/local/share/ca-certificates/zscalerrootca.crt
WORKDIR /app
COPY . .
RUN export NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/zscalerrootca.crt
RUN yarn install --production --verbose
CMD ["node", "src/index.js"]

Results:

[7/7] RUN yarn install --production --verbose:

12 0.500 yarn install v1.22.5

12 0.515 verbose 0.1059254 Checking for configuration file "/app/.npmrc".

12 0.516 verbose 0.1063001 Checking for configuration file "/usr/local/share/.npmrc".

12 0.516 verbose 0.1066349 Checking for configuration file "/usr/local/etc/npmrc".

12 0.516 verbose 0.107022 Checking for configuration file "/root/.npmrc".

12 0.517 verbose 0.1073464 Checking for configuration file "/app/.npmrc".

12 0.518 verbose 0.1083168 Checking for configuration file "/app/.yarnrc".

12 0.518 verbose 0.1086306 Checking for configuration file "/usr/local/share/.yarnrc".

12 0.518 verbose 0.1088907 Checking for configuration file "/usr/local/etc/yarnrc".

12 0.519 verbose 0.1093044 Checking for configuration file "/root/.yarnrc".

12 0.519 verbose 0.1095451 Checking for configuration file "/app/.yarnrc".

12 0.524 verbose 0.1147057 current time: 2021-07-13T13:55:35.694Z

12 0.560 [1/4] Resolving packages...

12 0.766 [2/4] Fetching packages...

12 0.800 verbose 0.3909134 Performing "GET" request to "https://registry.yarnpkg.com/bytes/-/bytes-3.1.0.tgz".

12 0.818 verbose 0.4090453 Performing "GET" request to "https://registry.yarnpkg.com/body-parser/-/body-parser-1.19.0.tgz".

12 0.821 verbose 0.4115124 Performing "GET" request to "https://registry.yarnpkg.com/debug/-/debug-2.6.9.tgz".

12 0.823 verbose 0.4138139 Performing "GET" request to "https://registry.yarnpkg.com/content-type/-/content-type-1.0.4.tgz".

12 0.827 verbose 0.4176404 Performing "GET" request to "https://registry.yarnpkg.com/depd/-/depd-1.1.2.tgz".

12 0.829 verbose 0.4196913 Performing "GET" request to "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.24.tgz".

12 0.831 verbose 0.4214504 Performing "GET" request to "https://registry.yarnpkg.com/http-errors/-/http-errors-1.7.2.tgz".

12 0.832 verbose 0.4227839 Performing "GET" request to "https://registry.yarnpkg.com/on-finished/-/on-finished-2.3.0.tgz".

12 1.163 verbose 0.7540239 Error: unable to get local issuer certificate

12 1.163 at TLSSocket.onConnectSecure (_tls_wrap.js:1502:34)

12 1.163 at TLSSocket.emit (events.js:314:20)

12 1.163 at TLSSocket._finishInit (_tls_wrap.js:937:8)

12 1.163 at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:711:12)

12 1.166 error An unexpected error occurred: "https://registry.yarnpkg.com/bytes/-/bytes-3.1.0.tgz: unable to get local issuer certificate".

12 1.166 info If you think this is a bug, please open a bug report with the information provided in "/app/yarn-error.log".

12 1.166 info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.


executor failed running [/bin/sh -c yarn install --production --verbose]: exit code: 1

Q: Are there any glaring errors made to the original script that need to be corrected?

Q: Any suggestions as to my next steps?

Thank you, Stephen

wald-tq commented 3 years ago

@stephenpatten: your Dockerfile looks good to me. Can't spot any errors. To debug the issue I would try the setup manually on command line and check if the certificate file is correct and contains all the certificates of the chain.
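An added example, not part of the original thread: in the Dockerfile posted above, `RUN export NODE_EXTRA_CA_CERTS=...` sets the variable only inside that one `/bin/sh -c` step, so the following `RUN yarn install` starts without it, whereas an `ENV` instruction persists for later instructions. The check below (function names are this example's own; the sample is the posted Dockerfile, one instruction per line) flags such lines and prints the `ENV` form to use instead.

```shell
#!/bin/sh
# Added example: flag Dockerfile lines of the form "RUN export NAME=value".
# Each RUN runs in its own /bin/sh -c, so the export ends with that step and
# later RUN instructions never see the variable. ENV persists instead.

# Sample input: the Dockerfile from the comment above, one instruction per line.
sample_dockerfile() {
cat <<'EOF'
FROM node:12-alpine
RUN apk update && apk add --no-cache python g++ make && rm -rf /var/cache/apk/*
COPY ./zscalerrootca.crt /usr/local/share/ca-certificates/zscalerrootca.crt
WORKDIR /app
COPY . .
RUN export NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/zscalerrootca.crt
RUN yarn install --production --verbose
CMD ["node", "src/index.js"]
EOF
}

# Reads a Dockerfile on stdin and prints "<line number>:<ENV replacement>"
# for every RUN that does nothing but export a variable.
# A RUN that chains further commands (&& or ;) after the export is left alone,
# because there the variable is still set for the rest of that one command.
find_lost_exports() {
  awk '
    /^[ \t]*RUN[ \t]+export[ \t]+[A-Za-z_][A-Za-z0-9_]*=/ && !/&&|;/ {
      sub(/^[ \t]*RUN[ \t]+export[ \t]+/, "")
      print NR ":ENV " $0
    }'
}

sample_dockerfile | find_lost_exports
```

For the posted file this reports line 6, and replacing that line with the printed `ENV` instruction makes the CA file path visible to `yarn install`.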

icecream17 commented 3 years ago

Renovate is getting this error; am I doing something wrong?

https://github.com/icecream17/solver/pull/115#issuecomment-948466744

gabsoftware commented 2 years ago

On Windows I solved the issue by adding the following environment variable: NODE_EXTRA_CA_CERTS=C:\path\to\ca.pem where ca.pem is the chain certificate of the corporate CA that I exported from Firefox. It will not work if you also set NODE_OPTIONS=--use-openssl-ca so only set NODE_EXTRA_CA_CERTS.

Uzef1997 commented 2 years ago

> I had the same issue under the same circumstances but I ran this command yarn config set strict-ssl false and it worked.

It worked Thanks buddy