Node-gyp: Error: self signed certificate in certificate chain

Any ideas why this might be happening?

Have the same problem with node 4.1 and node-gyp 3.0.3:

gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: self signed certificate in certificate chain
gyp ERR! stack     at Error (native)
gyp ERR! stack     at TLSSocket.<anonymous> (_tls_wrap.js:1000:38)
gyp ERR! stack     at emitNone (events.js:67:13)
gyp ERR! stack     at TLSSocket.emit (events.js:166:7)
gyp ERR! stack     at TLSSocket._finishInit (_tls_wrap.js:567:8)
gyp ERR! System Windows_NT 6.1.7601
gyp ERR! command "C:\\Program Files (x86)\\nodejs\\node.exe" "C:\\Program Files (x86)\\nodejs\\node_modules\\npm\\node_modules\\node-gyp\\bin\\node-gyp.js" "configure" "--fallback-to-build" "--module=C:\\Users\\user\\AppData\\Roaming\\npm\\node_modules\\node-inspector\\node_modules\\v8-debug\\build\\debug\\v0.5.4\\node-v46-win32-ia32\\debug.node" "--module_name=debug" "--module_path=C:\\Users\\user\\AppData\\Roaming\\npm\\node_modules\\node-inspector\\node_modules\\v8-debug\\build\\debug\\v0.5.4\\node-v46-win32-ia32"
gyp ERR! cwd C:\Users\user\AppData\Roaming\npm\node_modules\node-inspector\node_modules\v8-debug
gyp ERR! node -v v4.1.0
gyp ERR! node-gyp -v v3.0.3
gyp ERR! not ok

Same problem. It doesn't seem to be respecting my global configuration settings for some reason. basically impossible to install behind a corporate proxy.

Same issue here, can we get a fix for this pelase!

i found this comment on another issue and it seems to work https://github.com/nodejs/node-gyp/issues/448#issuecomment-44061248. just set that environment variable. This is a hacky work around though, node-gyp should respect npmrc.

node-gyp doesn't use the npm registry, it downloads the tarball from https://nodejs.org/.

Setting NODE_TLS_REJECT_UNAUTHORIZED=0 in the environment will disable verification but you are setting yourself up for a MitM attack. Closing, not a bug but a feature.

why close this? it seems to be a pretty common issue for a lot of people downloading packages that require node-gyp, and I just installed newest nodejs and npm and am still getting this issue. Using the NODE_TLS_REJECT_UNAUTHORIZED=0 may work, but it is a hack fix.

Knowing what you know, what would you have node-gyp do differently?

knowing what I know, I know that this has surpassed my scope of knowledge as far as the internal workings of node-gyp, but would it be possible to have a config file for just node-gyp in which you can set settings like this?

Excuse my ignorance but how do you use NODE_TLS_REJECT_UNAUTHORIZED=0

I'm on Windows using cmd

Do I set this in the: npm confit set NODE_TLS_REJECT_UNAUTHORIZED=0

Config* sorry

from command line you can do:
set NODE_TLS_REJECT_UNAUTHORIZED=0
npm install [mypackage]

Or you can set it as a windows environment variable but I would recommend the first option.

Cool thanks @weagle08

would it be possible to have a config file for just node-gyp in which you can set settings like this?

It's certainly possible but it's not strictly necessary. node-gyp respects the traditional https_proxy environment variable (as does npm, I think.)

Unfortunately where I work no proxy is provided so these variables don't help. My company plays man in the middle and injects certs and there is nothing I can do about it.

Same issues with the cert injection. I had to modify the node gyp source to remove reference to https:// and rebuild it. The problem is that it doesn't respect the tls config when downloading the tarball.

Since node-gyp is a tool _for_ nodejs, but not resides _inside_ of nodejs, I can fully understand why it should not use the node/npm configs for setting the network environment. But I must also agree with the others, that node-gyp should provide it's (optional) own config file, because in my case the system proxy environment is not enough, too: My company's proxy also established a MitM scenario, so I need a strict-ssl=false.

The 'workaround' with NODE_TLS_REJECT_UNAUTHORIZED=0 works, but it is not very user friendly:

• not well documented
• every developer has always to setup his own environment especially for node-gyp
• counter-intuitive if other equivalent tools (in terms of downloading stuff) have a config file for this setting like bower, npm, Atom, etc

https://github.com/nodejs/node-gyp/pull/837 - adds a --cafile option.

so there is now a command line option to provide ca file ... any idea how to engage that when node-gyp is getting called by the NPM install process? i'm not the one calling node-gyp, npm is, via the project file of the module being installed. the solution seems to remain the NODE_TLS_REJECT_UNAUTHORIZED=0 hack.

If you have the cafile option set in your .npmrc or specified on the command line, then node-gyp should inherit that automatically when invoked by npm.

The cafile option is seemingly ignored by some part of the build process. I could only get this to work with NODE_TLS_REJECT_UNAUTHORIZED=0.

I am on RHEL7 and I tried export NODE_TLS_REJECT_UNAUTHORIZED=0 but still getting SELF_SIGNED_CERT_IN_CHAIN error. The two modules that are failing to install are bcrypt and libxmljs.

> [email protected] install /lib/node_modules/libxmljs
> node-gyp rebuild

gyp WARN EACCES user "root" does not have permission to access the dev dir "/root/.node-gyp/0.10.36"
gyp WARN EACCES attempting to reinstall using temporary dev dir "/lib/node_modules/libxmljs/.node-gyp"
gyp WARN install got an error, rolling back install
gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: SELF_SIGNED_CERT_IN_CHAIN
gyp ERR! stack     at SecurePair.<anonymous> (tls.js:1381:32)
gyp ERR! stack     at SecurePair.emit (events.js:92:17)
gyp ERR! stack     at SecurePair.maybeInitFinished (tls.js:980:10)
gyp ERR! stack     at CleartextStream.read [as _read] (tls.js:472:13)
gyp ERR! stack     at CleartextStream.Readable.read (_stream_readable.js:341:10)
gyp ERR! stack     at EncryptedStream.write [as _write] (tls.js:369:25)
gyp ERR! stack     at doWrite (_stream_writable.js:226:10)
gyp ERR! stack     at writeOrBuffer (_stream_writable.js:216:5)
gyp ERR! stack     at EncryptedStream.Writable.write (_stream_writable.js:183:11)
gyp ERR! stack     at write (_stream_readable.js:602:24)
gyp ERR! System Linux 3.10.0-327.10.1.el7.x86_64
gyp ERR! command "node" "/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /usr/lib/node_modules/libxmljs
gyp ERR! node -v v0.10.36
gyp ERR! node-gyp -v v3.3.0
gyp ERR! not ok
npm ERR! Linux 3.10.0-327.10.1.el7.x86_64
npm ERR! argv "node" "/usr/bin/npm" "install" "-g" "libxmljs"
npm ERR! node v0.10.36
npm ERR! npm  v3.8.1
npm ERR! code ELIFECYCLE

This would be much better addressed by fixing https://github.com/nodejs/node/issues/3159.

Playing whack-a-mole with npm, Atom, VS code, cUrl, Firefox, &c, &c, &c each using their own cert store when the OS supplies one is an unmanageable mess.

If that's not immediately supported, a standard cafile environment variable that's honored by all parties would at least help.

Can this be helpful?
git config --global http.sslVerify false

No, because I don't want to disable all certificate validation. Decrypting network hardware (substituting their local certs) are used in high-security environments, and accepting every certificate from any source would radically undermine that.

I work in an environment where our proxies also use this self-signed cert substitution technique. Is there a particular reason to not expect security appliance vendors and operators to start using signed certificates for their appliances? I think the only way we will see a change in behavior is to continue to place that expectation on the vendors and operators. And it's not just Node that has these "issues" dealing with self-signed certs. Every application I support that interacts with the internet is a headache because of this.

@qbradq And how would you suggest security appliance vendors obtain such a certificate? The mere existence of such a signed wildcard certificate would be a huge security risk for the rest of the internet, I think.

This kind of man-in-the-middle interception should only be possible by modifying the local certificate store, which is what npm/node-gyp are complaining about.

setting NODE_TLS_REJECT_UNAUTHORIZED=0 works

"Works" in the sense that it undermines TLS. It's a useful temporary hack
and troubleshooting option, but an irresponsible long-term setting.
https://www.npmjs.com/browse/keyword/NODE_TLS_REJECT_UNAUTHORIZED =
"insecure"

On Wed, Mar 22, 2017, 02:34 Rahul Bisht notifications@github.com wrote:

setting NODE_TLS_REJECT_UNAUTHORIZED=0 works

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/nodejs/node-gyp/issues/695#issuecomment-288344499,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AH8mJ4szCuQ0Zp27LUcl14CdhRk0Jccxks5roOshgaJpZM4FuPvh
.

env export NODE_TLS_REJECT_UNAUTHORIZED=0 worked for me too!

For me gyp rebuild could not find binding.gyp and it was trying to download it.
Try running:

sudo npm install -g --unsafe-perm binding

I am facing the same issue while connecting as a REST client implemented in Node JS with authentication and getting error as below:

{ Error: self signed certificate in certificate chain
at Error (native)
at TLSSocket. (_tls_wrap.js:1092:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:610:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: 'SELF_SIGNED_CERT_IN_CHAIN' }

Few required entries in .npmrc file are as below:

registry=https://registry.npmjs.org/
strict-ssl=false
cafile=

and also running command: npm config set strict-ssl false
but still getting this issue with my rest client which is implemented with Node JS as below.

var https = require('https');
var fs = require('fs');

var options = {
host: '',
port: '',
path: '',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Accept': 'application/json',
'Authorization': '',
},
ca: [ fs.readFileSync('<.jks file path>') ],
checkServerIdentity: function (host, cert) {

    if (host != cert.subject.CN)
        return 'Incorrect server identity';// Return error in case of failed checking.
},
 // rejectUnauthorized:false,
body: '<DATA inside request BODY>'
};

var req = https.request(options, function(res) {
console.log('request function')
console.log("Response: ", res);
res.on('data', function(d) {
'' +
'?' });
});

req.end();

req.on('error', function(e) {
console.error(e);
});

Kindly suggest the solution.

your issue is not exactly what is being discussed in this thread and your settings in the npmrc file have not affect on how nodejs is operating... You can use the solutions mentioned above to "fix" your issue.

Thank you for your reply and sorry if it is not exactly what is being discussed in this thread
I used NODE_TLS_REJECT_UNAUTHORIZED=0 as you suggested but I am not able to resolve.

I am getting below error as a response:

Response:  IncomingMessage {
  _readableState: 
   ReadableState {
     objectMode: false,
     highWaterMark: 16384,
     buffer: BufferList { head: null, tail: null, length: 0 },
     length: 0,
     pipes: null,
     pipesCount: 0,
     flowing: null,
     ended: false,
     endEmitted: false,
     reading: false,
     sync: true,
     needReadable: false,
     emittedReadable: false,
     readableListening: false,
     resumeScheduled: false,
     defaultEncoding: 'utf8',
     ranOut: false,
     awaitDrain: 0,
     readingMore: true,
     decoder: null,
     encoding: null },
  readable: true,
  domain: null,
  _events: { end: [Function: responseOnEnd] },
  _eventsCount: 1,
  _maxListeners: undefined,
  socket: 
   TLSSocket {
     _tlsOptions: 
      { pipe: null,
        secureContext: [Object],
        isServer: false,
        requestCert: true,
        rejectUnauthorized: false,
        session: undefined,
        NPNProtocols: undefined,
        ALPNProtocols: undefined,
        requestOCSP: undefined },
     _secureEstablished: true,
     _securePending: false,
     _newSessionPending: false,
     _controlReleased: true,
     _SNICallback: null,
     servername: null,
     npnProtocol: undefined,
     alpnProtocol: false,
     authorized: false,
     **authorizationError: 'SELF_SIGNED_CERT_IN_CHAIN',**
     encrypted: true,
.........
........

Same issue here; I have a cafile set, visible with 'npm config get cafile' - calls to node-gyp ignore this, still get the error about the self signed cert.

NPM_CONFIG_CAFILE=/etc/ssl/cert.pem npm install .

Same error.

npm by itself works fine here.

Note that npm_config_cafile is lowercase; I was able to get the build working correctly here with:

export npm_config_cafile=/etc/ssl/cert.pem

Thanks to the folks on #843 for sorting me out.

Thank you for your suggestion.
Do I need to set this npm_config_cafile in .npmrc file?
If yes, I set this in .npmrc and tried but did not work for me.
Do we have any way to ignore the hostname check?

I'm a windows user and getting the following error:

C:\npm_global>npm install -g fixmynode
C:\npm_global\npm_global\fix -> C:\npm_global\npm_global\node_modules\fixmynode\
client.js
C:\npm_global\npm_global\fixmynode -> C:\npm_global\npm_global\node_modules\fixm
ynode\client.js

> [email protected] install C:\npm_global\npm_global\node_modules\fixmynode\node_modu
les\userid
> node-gyp rebuild


C:\npm_global\npm_global\node_modules\fixmynode\node_modules\userid>if not defin
ed npm_config_node_gyp (node "C:\Program Files\nodejs\node_modules\npm\bin\node-
gyp-bin\\..\..\node_modules\node-gyp\bin\node-gyp.js" rebuild )  else (node "" r
ebuild )
Building the projects in this solution one at a time. To enable parallel build,
please add the "/m" switch.
  userid.cc
  win_delay_load_hook.cc
..\src\userid.cc(9): fatal error C1083: Cannot open include file: 'unistd.h': N
o such file or directory [C:\npm_global\npm_global\node_modules\fixmynode\node_
modules\userid\build\userid.vcxproj]
gyp ERR! build error
gyp ERR! stack Error: `C:\Program Files (x86)\MSBuild\14.0\bin\msbuild.exe` fail
ed with exit code: 1
gyp ERR! stack     at ChildProcess.onExit (C:\Program Files\nodejs\node_modules\
npm\node_modules\node-gyp\lib\build.js:276:23)
gyp ERR! stack     at emitTwo (events.js:106:13)
gyp ERR! stack     at ChildProcess.emit (events.js:191:7)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_proces
s.js:215:12)
gyp ERR! System Windows_NT 6.1.7601
gyp ERR! command "C:\\Program Files\\nodejs\\node.exe" "C:\\Program Files\\nodej
s\\node_modules\\npm\\node_modules\\node-gyp\\bin\\node-gyp.js" "rebuild"
gyp ERR! cwd C:\npm_global\npm_global\node_modules\fixmynode\node_modules\userid

gyp ERR! node -v v6.11.2
gyp ERR! node-gyp -v v3.4.0
gyp ERR! not ok
C:\npm_global\npm_global
`-- (empty)

npm ERR! Windows_NT 6.1.7601
npm ERR! argv "C:\\Program Files\\nodejs\\node.exe" "C:\\Program Files\\nodejs\\
node_modules\\npm\\bin\\npm-cli.js" "install" "-g" "fixmynode"
npm ERR! node v6.11.2
npm ERR! npm  v3.10.10
npm ERR! code ELIFECYCLE

npm ERR! [email protected] install: `node-gyp rebuild`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] install script 'node-gyp rebuild'.
npm ERR! Make sure you have the latest version of node.js and npm installed.
npm ERR! If you do, this is most likely a problem with the userid package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR!     node-gyp rebuild
npm ERR! You can get information on how to open an issue for this project with:
npm ERR!     npm bugs userid
npm ERR! Or if that isn't available, you can get their info via:
npm ERR!     npm owner ls userid
npm ERR! There is likely additional logging output above.

npm ERR! Please include the following file with any support request:
npm ERR!     C:\npm_global\npm-debug.log
npm ERR! code 1

It looks like that error may be thrown also with nodemailer. In my situation with sails my services/EmailService.js was throwing the error upon lift and on send... this stack fixed both issues.

Sorry for the highjack but this thread owns "Error: self signed certificate in certificate chain" in google search

I tried a few suggestions here, but it still doesn't work.

https://github.com/nodejs/node-gyp/issues/695#issuecomment-145236715
https://github.com/nodejs/node-gyp/issues/695#issuecomment-311042102

export NODE_TLS_REJECT_UNAUTHORIZED=0
export npm_config_cafile=/etc/ssl/certs/guardianCA.pem
sudo npm install -g electron --unsafe-perm=true --allow-root

/usr/bin/electron -> /usr/lib/node_modules/electron/cli.js

> [email protected] postinstall /usr/lib/node_modules/electron
> node install.js

Downloading electron-v1.8.4-linux-x64.zip
Error: self signed certificate in certificate chain
/usr/lib/node_modules/electron/install.js:47
  throw err
  ^

Error: self signed certificate in certificate chain
    at TLSSocket.<anonymous> (_tls_wrap.js:1105:38)
    at emitNone (events.js:106:13)
    at TLSSocket.emit (events.js:208:7)
    at TLSSocket._finishInit (_tls_wrap.js:639:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:469:38)
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] postinstall: `node install.js`
npm ERR! Exit status 1
npm ERR! 
npm ERR! Failed at the [email protected] postinstall script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

@NatoBoram That's not node-gyp, that's electron's postinstall script.

in command line in folder with NPM use this:
npm config set strict-ssl false

@StanTrolav Disabling the security will allow things to work, but it's a pretty bad idea (see above).

I was facing the same issue and realize that the request is actually blocked by firewall.
So make sure that the request is accessible from the browser.

It looks like that error may be thrown also with nodemailer. In my situation with sails my services/EmailService.js was throwing the error upon lift and on send... this stack fixed both issues.

Sorry for the highjack but this thread owns "Error: self signed certificate in certificate chain" in google search

Thanks elipeters. Your comment helped me fix my issue which was, indeed, related to sending email.

On npm

On Node Package Manager you have two options: bypass or set a certificate file.
Bypassing (risky!)
npm config set strict-ssl false --global
Setting a certificate file
npm config set cafile /path/to/your/cert.pem --global

The problems occur because the install scripts for those packages call node under the hood. When this happens, the proxy / cafile settings for npm are not always respected.

To work around this without disabling ssl completely, you can try this:

npm config set cafile /path/to/your/cert.pem --global
export NODE_EXTRA_CA_CERTS=/path/to/your/cert.pem
npm install

Windows users: Having cafile=C:\path\to\my\companys\cafile.pem did not work. However removing that line and setting the environment variable below did work:

SET NODE_EXTRA_CA_CERTS=C:\\path\\to\\my\\companys\\cafile.pem

For noobs like me: the .pem file is just the base64 encoded certificates (.cer) of your proxy's CA root (and intermediate).

setting NODE_TLS_REJECT_UNAUTHORIZED=0 works

Not working for me, I used following command to se

set NODE_TLS_REJECT_UNAUTHORIZED=0

Can you tell me what more needs to be done ?

setting NODE_TLS_REJECT_UNAUTHORIZED=0 works

Not working for me, I used following command to se

set NODE_TLS_REJECT_UNAUTHORIZED=0

Can you tell me what more needs to be done ?

Linux

export NODE_TLS_REJECT_UNAUTHORIZED=0

Windows

set NODE_TLS_REJECT_UNAUTHORIZED=0

You can set an environment variable with set in Windows, but only in a script before it launches the process that will use it. You can also set it system-wide from the System Properties (_SystemPropertiesAdvanced.exe_), and that will affect any process that is started after you change it.

This is a not a good idea, though. It's fine to diagnose an issue, but shouldn't really be used beyond that. Setting this flag makes your https traffic in Node vulnerable to a man-in-the-middle attack. If you can't export the cert you need from your system cert store, save it from your browser's cert chain when you go to any https site, then point to it from your _~/.npmrc_ file, with cafile=path/to/exported.crt

You can set an environment variable with set in Windows, but only in a script before it launches the process that will use it. You can also set it system-wide from the System Properties (_SystemPropertiesAdvanced.exe_), and that will affect any process that is started after you change it.

You can also do setx /m NODE_TLS_REJECT_UNAUTHORIZED 0 (no =) to set it system wide permanently (for future console sessions). For the current console session you still need SET.

This is a not a good idea, though. It's fine to diagnose an issue, but shouldn't really be used beyond that. Setting this flag makes your https traffic in Node vulnerable to a man-in-the-middle attack. If you can't export the cert you need from your system cert store, save it from your browser's cert chain when you go to any https site, then point to it from your _~/.npmrc_ file, with cafile=path/to/exported.crt

I think the whole thrust of this thread is that node-gyp is ignoring ~/.npmrc. I have strict-ssl false configured and node-gyp is complaining about unsigned certificates.

I used
Set NODE_TLS_REJECT_UNAUTHORIZED=0
and
npm config set strict-ssl false

worked for me

This is article explains self-signed-certificate-in-chain-issues and how you can solve it in nodejs, npm, git, and python also.

Mean time I also found out that in my case the issue came cause of Kaspersky antivirus. Websites were showing Kaspersky Endpoint Security Root Certificate as the Certificate Issuer.

My IT team fixed this.