npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY

Question

I am trying all possible ways to create a React application. I have tried Maven, and now I am trying create-react-app from Facebook Incubators.

When I tried to run the command create-react-app my-app in npm environment, it worked on my personal system with no issues. But, when I tried the same command in my work environment, I encountered the following error on my command line:

npm ERR! node v6.10.2
npm ERR! npm  v3.10.10
npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY

npm ERR! unable to get local issuer certificate
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR!     <https://github.com/npm/npm/issues>

I also couldn't use `sudo` when I ran `npm install aws-sdk`. Running `sudo npm install aws-sdk` caused this error for me. — Kyle Bridenstine, Jun 06 '18 at 17:16
In case anybody attempted some variation of `npm config set cafile` before using another solution, that may be causing your UNABLE_TO_GET_ISSUER_CERT_LOCALLY issue. You can surgically undo that setting or if you are likely me and want a clean start, just rename your `.npmrc` — Telos, Sep 23 '20 at 22:26
In my case only `npm config set strictSSL false` worked... I use lerna - maybe that's the reason — Krzysztof Raciniewski, May 23 '22 at 13:28

Dinesh · Accepted Answer · 2019-05-13T15:57:37.510

465

A quick solution from the internet search was npm config set strict-ssl false, luckily it worked. But as a part of my work environment, I am restricted to set the strict-ssl flag to false.

Later I found a safe and working solution,

npm config set registry http://registry.npmjs.org/

this worked perfectly and I got a success message Happy Hacking! by not setting the strict-ssl flag to false.

edited May 13 '19 at 15:57

answered Aug 25 '17 at 15:29

Dinesh

7,569
4
11
20

5

I too, just reverted to using the HTTP version of the NPM repository (as opposed to https://registry.npmjs.org/), since my work proxy was causing issues (as it acts as a MITM, causing certification verification issues) One day I will figure out the certificate issue, but I just needed to download a package, dang it! – Robert Dundon Oct 06 '17 at 14:00
For me I did this but I also couldn't use `sudo` when I ran `npm install aws-sdk`. Running `sudo npm install aws-sdk` caused this error for me. – Kyle Bridenstine Jun 06 '18 at 17:15
3

I was getting the same error shown on this post so I ran `npm config set strict-ssl false` and `npm config set registry http://registry.npmjs.org/ ` but I was still getting the error when running `sudo npm install aws-sdk` but when I dropped the `sudo` part and just ran `npm install aws-sdk` it worked. – Kyle Bridenstine Jun 06 '18 at 17:34
for me nothing other than the setting of `npm config set strict-ssl false` does not work. I feel this is something the `node.js` and `npm` team should look into and document with a proper work around if it is not fixable for them. – RinoTom Oct 16 '18 at 09:37
I found this happened on Ubuntu if you install the `npm` package using `--no-install-recommends` as it does not get the `ca-certificates` package. – Krenair Nov 23 '18 at 16:20
As you mentioned you were facing the same issue with the maven also, how did you solve it? As we are setting this only for npm it resolved for it, but want to know how its solved for maven? – Pujan Shah May 09 '19 at 07:32
@PujanShah : I would say with maven you got to change the settings.xml file with the one being used widely across your enterprise, these issues will occur if you're connected to your enterprise network which blocks network connectivity. With the change in settings.xml one would be doing a kind of adding proxy to accomplish task of getting dependencies. – whoami - fakeFaceTrueSoul May 10 '19 at 19:48
@srinivasy: The proxy is already set there in the settings.xml file, and for npm also proxy details configured in .npmrc file. The thing is earlier it was working but suddenly getting this certificate issue. As per me it is because of the enterprise network only but not able to figure out what might causing this issue. – Pujan Shah May 13 '19 at 05:39
@SivaniPatro with this command you are configuring your npm to use default and `request to http://registry.npmjs.org/pkgname will 301 (redirect) over to https://registry.npmjs.org/pkgname` [src]: https://blog.npmjs.org/post/142077474335/npm-registry-is-now-fully-https – Dinesh May 13 '19 at 15:46
@PujanShah can you be specific with the issue faced with maven. I have encountered with `PKIX path build failed error` with maven and I resolved it by importing my network certificates to keystore. – Dinesh May 13 '19 at 16:01
@Dinesh: I am also facing the same PKIX path build failed error. Let me share errors with npm and maven. npm npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY npm ERR! errno UNABLE_TO_GET_ISSUER_CERT_LOCALLY npm ERR! request to https://registry.npmjs.org/@angular%2fcore failed, reason: u nable to get local issuer certificate – Pujan Shah May 14 '19 at 12:39
maven org.springframework.ws.client.WebServiceIOException: I/O error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target – Pujan Shah May 14 '19 at 12:40
As while executing in browser it is allowing with valid certificate. But from local only it is restricting somehow. – Pujan Shah May 14 '19 at 13:18
@PujanShah This can happen if Java does not recognize the ROOT CA Authority for a remote server it tries to access. Export the security certificate from the chrome browser and save as "certName.der" Import cert into cacerts file using `keytool -import -alias example -keystore JAVACERTPATH/cacerts -file pathofCertName.der` *If `jssecacerts` also exists at same path as cacerts, import all certs from jssecacerts into cacerts using `keytool -importkeystore -srckeystore JAVACERTPATH/jssecacerts -destkeystore JAVACERTPATH/cacerts` **JAVACERTPATH:C:/Program Files/Java/jrexxxxxx/lib/security – Dinesh May 14 '19 at 16:37
@Dinesh: My concern is to find common solution for both(npm,maven) as some days before it was working for both in corporate environment. As suddenly it stopped working for both I am not able to find the exact cause. – Pujan Shah May 15 '19 at 05:55
One more thing is if I try to hit the url https://registry.npmjs.org in the browser, it is giving the response by using proxy. So logically it also should allow from cmd also as proxy we are configuring in .npmrc file. – Pujan Shah May 15 '19 at 06:48
16

Downvoted as this is an insecure unencrypted channel and your workplace would not appreciate pulling libraries over HTTP only. A better approach is Jordan's answer which allows you to define the trust store containing your company's certificates which means you can pull the libraries safely over an encrypted channel. – pmckeown Mar 01 '21 at 03:57
Disabling security isn't a solution. Alternatively it is a bad solution. See answer by Jordan for a good solution. – Stian Jørgensrud May 12 '22 at 12:21
6

Is there an official StackExchange flag for "technically answers the question but is a terrible idea"? We really need that here. You want supply-chain attacks? Because this is how you get supply-chain attacks. – Coderer Jul 25 '22 at 15:36

score 81 · Answer 2 · edited Jan 03 '22 at 19:54

81

what may be happening is your company decrypts certain traffic and re-encrypts it with their certificate (which you probably already have in your keychain or trusted root certificates)

if you're using node 7 or later I've found this fix to be compatible with node and node-gyp (for Windows you'll need to do this differently, but you basically just need to add this environment variable):

export NODE_EXTRA_CA_CERTS="absolute_path_to_your_certificates.pem" (in Windows you may need to remove the quotes)

the pem file can have multiple certificates: https://nodejs.org/api/cli.html#node_extra_ca_certsfile

make sure your certificates are in proper pem format (you need real line breaks not literal \n)

I couldn't seem to get it to work with relative paths (. or ~)

This fix basically tells npm and node-gyp to use the check against the regular CAs, but also allow this certificate when it comes across it

Ideally you would be able to use your system's trusted certificates, but unfortunately this is not the case.

edited Jan 03 '22 at 19:54

isherwood

58,414
16
114
157

answered Mar 09 '18 at 16:07

Jordan

5,085
7
34
50

9

Where can i find .pem file in Windows. I searched the entire HardDisk for pem file found few levels deep inside Windows\System32. But it's not working – Sanchit Jain May 20 '20 at 04:37
5

perfect.. we have a zscaler proxy. I downloaded public der certificate, converted to base64 encoded crt and in dockerfile added RUN export NODE_EXTRA_CA_CERTS=" – Apurva Singh Jan 26 '21 at 20:47
To expand on this for mac/os x homebrew users it will be something like `export NODE_EXTRA_CA_CERTS=/System/Volumes/Data/opt/homebrew/etc/ca-certificates/cert.pem` (found with `find /System/Volumes/Data/opt/homebrew -name "*.pem"`). – kreek Apr 26 '22 at 17:07
3

This is the best practice, nearly all other answers are potentially very dangerous as those inferior answers allow MITM attacks. – Michael Aug 30 '22 at 09:04
1

Thanks! I too have Zscaler. I found the certificate locally on my machine and exported it by following [this guide](https://community.tenable.com/s/article/How-to-export-certificate-in-PEM-format-for-import-from-Windows). – Nikola Malešević Feb 16 '23 at 09:29

score 45 · Answer 3 · answered Feb 17 '20 at 16:24

45

After trying out every solution I could find:

Turning off strict ssl: npm config set strict-ssl=false
Changing the registry to http instead of https: npm config set registry http://registry.npmjs.org/
Changing my cafile setting: npm config set cafile /path/to/your/cert.pem
Stop rejecting unknown CAs: set NODE_TLS_REJECT_UNAUTHORIZED=0

The solution that seems to be working the best for me now is to use the NODE_EXTRA_CA_CERTS environment variable which extends the existing CAs rather than replacing them with the cafile option in your .npmrc file. You can set it by entering this in your terminal: NODE_EXTRA_CA_CERTS=path/to/your/cert.pem

Of course, setting this variable every time can be annoying, so I added it to my bash profile so that it will be set every time I open terminal. If you don’t already have a ~/.bash_profile file, create one. Then at the end of that file add export NODE_EXTRA_CA_CERTS=path/to/your/cert.pem. Then, remove the cafile setting in your .npmrc.

answered Feb 17 '20 at 16:24

RyanDay

1,856
16
23

1

Fourth option was a charm; `process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0;` – tomdemuyt Jul 17 '20 at 13:20
1

In case of zscaler also, the fourth option (`set NODE_TLS_REJECT_UNAUTHORIZED=0`) is really the one that helped me. I had this issue in context of Electron. There is one more issue that electron build URL which is a git repo that seems to be blocked or not working. That needs to be fixed. – Hemant Jun 11 '21 at 06:48
I have tried all answers provided above, none of them worked for me except `set NODE_TLS_REJECT_UNAUTHORIZED=0` – Franva Aug 16 '21 at 00:03
With Zscaler on, `set NODE_TLS_REJECT_UNAUTHORIZED=0` can help me. – Buaban Nov 24 '21 at 06:08
@Buaban @Franva - I am on Zscaler too. Where exactly did you set this property ? In docker file ? something like this `RUN set NODE_TLS_REJECT_UNAUTHORIZED=0` . – Uday Kiran Mar 16 '22 at 11:00
@UdayKiran I don't use Docker so I'm not sure about your case. For my case, I run `set NODE_TLS_REJECT_UNAUTHORIZED=0` and then `npm install` on cmd on my laptop . I guess you have to add the command `RUN set NODE_TLS_REJECT_UNAUTHORIZED=0` above the command `RUN npm install` in your Dockerfile. – Buaban Mar 29 '22 at 02:05
what are the dangers? – SuperUberDuper Dec 13 '22 at 12:28

score 42 · Answer 4 · answered Oct 06 '17 at 14:15

Changing the NPM repo URL to HTTP works as a quick-fix, but I wanted to use HTTPS.

In my case, the proxy at my employer (ZScaler) was causing issues (as it acts as a MITM, causing certification verification issues)

I forgot I found a script that helps with this and Git (for cloning GitHub repos via HTTPS had the same issue) and forked it for my use

Basically, it does the following for git:

git config --global http.proxy http://gateway.zscaler.net:80/
git config --system http.proxy http://gateway.zscaler.net:80/

and for Node, it adds proxy=http://gateway.zscaler.net:80/ to the end of c:\Users\$USERNAME\npm\.npmrc

That solved the issue for me.

You might want to check which ZS cloud your company is configured in. Basically, check `ip.zscaler.com` for the cloud name and set that in the URL. Eg: if it says `zscalertwo.net` then replace with the following URL: `gateway.zscalertwo.net` — Rahul Bharadwaj, Jan 03 '20 at 07:00

score 14 · Answer 5 · answered Oct 01 '18 at 12:51

14

Had the same error. Looks like it is related to SSL certificates. If you are using NPM for public packages (don't need the security of HTTPS) you can turn off strict SSL key validation with the following command.

This might be the simplest fix if you're just looking to install a few publicly available packages one time.

npm config set strict-ssl=false

answered Oct 01 '18 at 12:51

Jason Geiger

1,912
18
32

9

There is inherent risk of doing this, if you are a victim of a nefarious man-in-the-middle attack the package could be modified as you download it. – Alex KeySmith Oct 25 '18 at 10:42
2

@AlexKeySmith You are right. However, the odds are pretty low. This might be the only option for some. Caveat Emptor – Jason Geiger Oct 29 '18 at 14:46

score 11 · Answer 6 · answered May 25 '21 at 13:08

11

What is your OS? On Ubuntu I was able to fix this error by running

npm config set cafile /etc/ssl/certs/ca-certificates.crt

to tell npm to use my system's certificate store. Debian uses the same system certificate path, I'm less familiar with other distributions and OSes.

(I don't like the other answers that all turn off certificate verification and allow man-in-the-middle attacks.)

answered May 25 '21 at 13:08

Marius Gedminas

11,010
4
41
39

1

Do you know what certificate store it uses by default? I was surprised that this fix worked, but it did the charm for me. – Mark P Neyer Apr 27 '22 at 01:51

score 7 · Answer 7 · answered Jan 27 '22 at 13:37

7

Zscalar update policy help me to make network calls, after trying couple of work around mentioned.

Workarounds tried Before Zscalar update:

npm config set strict-ssl false
npm config set registry http://registry.npmjs.org/
set NODE_TLS_REJECT_UNAUTHORIZED=0

Update policy(Highlighted in yellow) in Zscalar app helped me to fix "unable to get local issuer certificate" issue.

answered Jan 27 '22 at 13:37

Sande

313
3
7

Same issue here. Thanks for sharing! – Marshal May 05 '23 at 00:37

score 6 · Answer 8 · answered Jun 03 '20 at 04:42

6

In my case, at some point I set my global config to use a cert that was meant for a project.

npm config list

/path/to/global/.npmrc
NODE_EXTRA_CA_CERTS = "./certs/chain.pem"

I opened the file, removed the line and npm install worked again.

answered Jun 03 '20 at 04:42

joels

7,249
11
53
94

score 6 · Answer 9 · answered Jan 19 '21 at 23:54

6

For me the issue was VPN, I disconnected the VPN and "npm i" command worked with no fail.

answered Jan 19 '21 at 23:54

mask

6,172
3
24
23

Yep, VPN agent running locally was the reason. Try stopping the service and do the "npm i". – Dinesh Halpage May 25 '23 at 14:33

score 6 · Answer 10 · answered Mar 13 '21 at 06:20

6

npm config set registry http://registry.npmjs.org/

If this code trick didn't work for you then try to run your application from home directory.. It worked for me.

answered Mar 13 '21 at 06:20

Pradeep Shukla

61
1
3

I tried all other options but nothing worked as I am behind a Enterprise Network Firewall. However above helped me in installing a new react project. – Sumit Aug 26 '21 at 14:09

score 0 · Answer 11 · answered Sep 23 '19 at 22:27

0

I had this error when I tried to update npm, but had a really old version (1.3.6 !) installed from yum in AWS Linux. I was able to manually install a newer npm version and everything was remedied.

answered Sep 23 '19 at 22:27

drussey

665
4
9

score 0 · Answer 12 · answered Dec 15 '22 at 06:03

Setting NODE_EXTRA_CA_CERTS in the terminal did not work for me for some reason, same like how export http_proxy=proxyurl in the terminal didn't work and instead I needed to do a npm config set proxy yourproxyurl:port and npm config set http-proxy yourproxyurl:port (you can verify existing proxy, if any, via npm get proxy).

I had to supply --cafile parameter for it to explicitly work, something like this:

sudo npm install -g cordova --cafile /System/Volumes/Data/opt/homebrew/etc/ca-certificates/cert.pem

score 0 · Answer 13 · answered Mar 30 '23 at 23:29

0

This is not necessarily a fix, but the way I resolved this was by switching node versions with nvm use <version>.

I looked at the logs for the failed npm i and noticed it was using node 19... didn't even know it went up that high!

answered Mar 30 '23 at 23:29

saylestyler

389
1
4
20

score -1 · Answer 14 · answered Sep 01 '21 at 10:37

Its very easy to fix this issue.

ERROR

npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY 
npm ERR! errno UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! request to https://registry.npmjs.org/yarn failed, reason: unable to get local issuer certificate  
npm ERR! A complete log of this run can be found in:

Solution

If you are in organization or intranet then use below commend.

npm config set registry https://type_your_org_repo_fqdn

other wise

npm config set registry http://registry.npmjs.org/

I upgraded my node and using `nvm` on linux I changed my node version to the latest and everything worked fine — Felix Orinda, Nov 03 '21 at 13:01

score -1 · Answer 15 · answered Nov 17 '21 at 16:00

-1

Some schematics use yarn under the hood and throw the same error.

yarn config set registry http://registry.npmjs.org

answered Nov 17 '21 at 16:00

Ryan

550
4
9

score -1 · Answer 16 · answered Apr 14 '22 at 18:02

This is what worked for me (on a Mac 10.15.7).

My issue was I tried this command...

npm install eslint --save-dev

...and got this error message...

npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! errno UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! request to https://registry.npmjs.org/eslint failed, reason: unable to get local issuer certificate

...I googled one of the error messages and ended up on the stack overflow issue you are reading now.

I then tried one of the suggestions above, i.e.

npm config set registry http://registry.npmjs.org/

...then, I again tried...

npm install eslint --save-dev

...and got the same error message.

Then I did something unique. I connected to my company's vpn. (This is the opposite of what someone (i.e. @mask) suggested. They said they turned OFF their vpn!)

I tried...

npm install eslint --save-dev

...for the third time and it worked like a charm. Problem solved. (-:

(Aside: I wonder if my first attempt to fix this, i.e.

npm config set registry http://registry.npmjs.org/

...was necessary?)

Using http is not the solution, it's a workaround but also a bad practice. Not sure why you get the error though. Maybe you have some company proxy? — Michael, Aug 30 '22 at 08:52

score -1 · Answer 17 · answered Jun 17 '22 at 23:54

-1

I deleted the .npmrc file from C:\Users\MyUser and it worked

answered Jun 17 '22 at 23:54

Pedro Rabbi

193
1
12

score -4 · Answer 18 · answered May 09 '22 at 08:42

-4

doing the following steps solved it for me.

npm config set strict-ssl=false
npm config set registry http://registry.npmjs.org/
npm config set cafile /path/to/your/cert.pem
set NODE_TLS_REJECT_UNAUTHORIZED=0

answered May 09 '22 at 08:42

Cat

324
2
8

2

Wrong answer. It is unsafe to set strict-ssl to false, and unset to set NODE_TLS_REJECT_UNAUTHORIZED to 0. – Michael Aug 30 '22 at 08:48

npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY

18 Answers18

Linked