61

I'm trying to migrate from npm to Yarn. When I tried to install dependencies through Yarn, I got this error:

unable to verify the first certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1055:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:580:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:412:38)

Same works fine with npm. Tried setting proxy, didn't help. Is there any configuration I need to change?

Aurora0001
Manikandan
  • Could you provide more details like 1. When did you encounter this error? Was it at `yarn install`? 2. What is the complete stack trace? Which npm package threw this error? – nikjohn Oct 15 '16 at 09:55

5 Answers

115

If the certificate is unable to be verified, you can set strict-ssl to false. You should be able to configure this by running

yarn config set "strict-ssl" false -g

But the command is currently not working, see issue 980.

As an alternative you can navigate to C:\Users\\ and open .yarnrc and manually update it as follows:

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
strict-ssl false
cgatian
  • 2
    "If you don't have the certificate available" --- what does this statement even mean? – zerkms Nov 23 '16 at 21:07
  • 1
    Edited for clarification. – cgatian Nov 23 '16 at 21:44
  • 2
    `yarn config set "strict-ssl" false -g` worked fine for me. Thanks – Alsty Jul 14 '20 at 08:45
  • "Manually edit the file that says not to manually edit it" . Probably good to say why that is worth doing.... – Garrett Motzner Oct 19 '21 at 19:36
  • 3
    You should probably mention that turning off strict-ssl could potentially open you up to man-in-the-middle attacks unless you're behind a trusted proxy. At the very least I'd suggest removing the -g so you set that setting only for yourself rather than forcing it on other users who may not know their SSL isn't secure any more. – dsollen Dec 28 '21 at 14:42
45

This means that more than likely you're behind a corporate proxy that uses a self-signed certificate. I'm using version v0.16.1, and you can fix this by providing the public certificate to the yarn configuration like so:

yarn config set cafile <path-to-certificate.pem>
trigoman
  • This ended up working great for me, my one hangup was that I was using Docker so I needed to make sure to add the apk ca-certificates and copy the certs to the docker directory using my dockerfile config first. The SO answer (second ranked) helped with this: https://stackoverflow.com/questions/26028971/docker-container-ssl-certificates. From there it was adding the command you specified. – Khoward Sep 07 '21 at 13:44
3

For Yarn 2 and 3 you can add the following to your .yarnrc.yml file

enableStrictSsl: false

More Info in the Docs

Chris Stillwell
0

All security issues aside (Do not dismiss them lightly !!!)

The command for Yarn 3 is:

yarn config set enableStrictSsl false

Matthieu Riegler
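Added example (not part of any answer here and not Yarn's own code): a small Node.js check that flags the settings discussed in the answers above, `strict-ssl false` in a Yarn 1 `.yarnrc` and `enableStrictSsl: false` in a Yarn 2/3 `.yarnrc.yml`, and notes when `cafile` is already set so the override can be dropped. The function names and sample file contents are constructed for illustration.

```javascript
// Added example: flag Yarn configs that turn off TLS certificate verification.
// Setting names come from this page; function names and samples are constructed.

// Yarn 1 .yarnrc: one `key value` pair per line, optional quotes, '#' comments.
function parseYarnrcV1(text) {
  const settings = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = line.match(/^"?([^"\s]+)"?\s+"?(.*?)"?$/);
    if (m) settings[m[1]] = m[2];
  }
  return settings;
}

// Returns one finding per place where verification is disabled.
function auditYarnConfig(fileName, text) {
  const findings = [];
  if (/\.ya?ml$/i.test(fileName)) {
    // Yarn 2/3 .yarnrc.yml: match the key at any indentation level.
    text.split(/\r?\n/).forEach((raw, i) => {
      const line = raw.replace(/\s+#.*$/, ''); // drop trailing comment
      const m = line.match(/^\s*enableStrictSsl:\s*["']?(\w+)["']?\s*$/);
      if (m && m[1].toLowerCase() === 'false') {
        findings.push({ file: fileName, line: i + 1, setting: 'enableStrictSsl: false',
          advice: 'remove it and trust the proxy CA certificate instead' });
      }
    });
  } else {
    const s = parseYarnrcV1(text);
    if (s['strict-ssl'] === 'false') {
      findings.push({ file: fileName, setting: 'strict-ssl false',
        advice: s.cafile
          ? `cafile is already set (${s.cafile}); remove strict-ssl false`
          : 'set cafile to the proxy CA certificate and remove strict-ssl false' });
    }
  }
  return findings;
}

// Constructed sample files (not taken from the page).
const SAMPLES = [
  ['.yarnrc', '# yarn lockfile v1\nstrict-ssl false\n'],
  ['.yarnrc', 'cafile "/etc/ssl/corp-root.pem"\n"strict-ssl" false\n'],
  ['.yarnrc', 'cafile "/etc/ssl/corp-root.pem"\n'],
  ['.yarnrc.yml', 'nodeLinker: node-modules\nenableStrictSsl: false # temp\n'],
];
for (const [name, text] of SAMPLES) console.log(name, JSON.stringify(auditYarnConfig(name, text)));
```

Run it over the per-user and per-project config files in CI or on developer machines to catch overrides that were added as a quick fix and never removed.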
-3

I had this error when trying to install the React Devtools Extensions behind a corporate proxy with correct certificates setup locally. The yarn.lock file contains many references to https://registry.yarnkpg.com which was bypassing our corporate Nexus.

I was able to install by running:

yarn install --no-lockfile
mummybot