Yarn: error unable to get local issuer certificate

Created on 12 Oct 2016  ยท  42Comments  ยท  Source: yarnpkg/yarn

Hi

Do you want to request a _feature_ or report a _bug_?
Bug

If the current behavior is a bug, please provide the steps to reproduce.

ฮป yarn config set strict-ssl false
yarn config v0.15.1
success Set "strict-ssl" to "false".
Done in 0.06s.

yarn install

error unable to get local issuer certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)
info Visit http://yarnpkg.com/en/docs/cli/install for documentation about this command.

What is the expected behavior?
I want to install my dependencies.
Am I missing something (maybe) ?
Thanks

Please mention your node.js, yarn and operating system version.

NodeJS: V6.7
yarn: v0.15.1
OS: Windows 7

Most helpful comment

I had the same issue under the same circumstances but I ran this command yarn config set strict-ssl false and it worked.

All 42 comments

I have the same issue because we are behind a proxy that adds self-signed ssl.

The same issue happens when strict-ssl is enabled but CAs are manually specified in .npmrc. Yarn seem to ignore all SSL configuration (Or required a different one but I couldn't find it in config)

ca[]="-----BEGIN CERTIFICATE-----\n..."

Having the same issue here at work!

having the same issue, (i am using self-certificate.)

Same issue, also setting the registry to a non-ssl variant or the original non-ssl registry.npmjs.org doesn't help.

Behind a corporate proxy so running into this issue as well.

I'm having the same exact error behind a corporate proxy :) . Can't wait for a fix :)

I have same issue, the network is behind proxy, set strict-ssl to false and also config registry as non-ssl, still not work. Better to fix it as soon as possible. Can't wait it.

I believe @TAGraves is working on this in #1025. I really want to see it land! ๐Ÿ‘

PR #736 will add support for cafile, which is another way to solve this issue, and unlike disabling strict-ssl, you will not be vulnerable to MITM attacks.

We've merged support for cafile and strict-ssl so this issue should be resolved.

I'm still having this issue with yarn v0.21.3

Update: Also on nightly build 0.22.0-20170303.1013

I found that if I duplicated the strict-ssl and other config from .npmrc into .yarnrc then things started working (or use yarn config set to add each part). I'm not sure why it didn't pick it up from .npmrc.

I had the same issue under the same circumstances but I ran this command yarn config set strict-ssl false and it worked.

Yes, that's what worked for me as well.

@sylvesteraswin did the same and it worked, thx ๐Ÿ‘

all broken in 0.23.1, setting registry to http and strict-ssl to false worked but now it does not. I have issues also with the certificate being intercepted and is why I need http.

I tried yarn config set strict-ssl false, but now am getting "404 Not Found". Mac Sierra, Node 8.1.2, yarn 0.27.5.

@JesterXL It worked for me. Using same version v0.27.5

yarn config set strict-ssl false worked for me!

npm config set strict-ssl

worked for me

Just making sure people don't blindly copy paste code here: DO NOT DISABLE STRICT SSL CHECKS.

Okay now that I have your attention, if you _know_ what exactly you are doing and what risks you are taking on with this, you may. Otherwise, just don't.

Is there a solution that doesn't involve exposing yourself to the dangers of using HTTP? I'd really like to be able to fix this without having to disable strict SSL.

Well it would be great to use STRICT SSL but the problem is the companies that swap out the certificates, they are actually making it hard not to use http just so they can spy on our traffic to make sure we are not doing something bad. Basically they trust the general public more than their employees. However there is an alternative, you need to get a copy of the certificate the company is swapping and set the cafile to the path of the certificate. This is not as simple a process as it should be but it does work and is safe. If its not working for you, then you need to upgraded your yarn version...

@damiandennis My company just implemented a new cert, so I registered it with my computer and it's been fine for pretty much everything other than yarn oddly enough. I'm on 1.1.0

@snood1205 Same situation. Everything else works fine except for yarn and pip

I think this is due to how the request library we rely on is architected:

strictSSL - if true, requires SSL certificates be valid. Note: to use your own certificate authority, you need to specify an agent that was created with that CA as an option.

So you should be able to explicitly whitelist your company certificate by setting the following config values in your .yarnrc:

  • ca
  • cafile
  • cert
  • key

@BYK This is a simple question, forgive me.

What's the format for setting these values? ca=~/Code/certs/mycert.crt ?

Also, there's a large disclaimer at the top of .yarnrc telling me not to modify it. do I have your permission to change it anyway? ๐Ÿ˜€

@ao Enjoy your non deterministic downloads!

yarn config set strict-ssl false worked for me. Thanks @sylvesteraswin

following command worked for me:
yarn config set strict-ssl false

@vrajpoot That is great! But please do not post it here as it might trick other incautious people to also turn off basic security and potentially download malware on their computers.

It it completely fine to like malware and on purpose infect your computer with it.... but it should stay as a research topic or a hobby thing not an actual thing that one would do on their work machine.

@brandonsturgeon has brought up very valid points that should be addressed and the maintainers of yarn should respond. He's not the only one wondering.

https://github.com/yarnpkg/yarn/issues/6578

Interesting, everyone saying "do not disable strict-ssl".
But no one ever succeeds.

yarn config set strict-ssl false worked for me. Thanks

I got this error when I tried to install jquery package. Upon tons of re-search finally found that Neither should one set the strict-ssl to false nor should edit the .yarnrc file. Clean and ideal approach for this is -
$ yarn config set cafile "/physical/path/to/certificate-file.pem" and that's it. I was successfully able to install jquery without turning off SSL after firing this command.

One can always check the configuration with yarn before and after above command yarn config list and ensure if the change we made above has taken place or not, which generally it does. :)

@sandipt27 I'm sorry that it took you so long to find the right way. You didn't find them probably because:

  1. The yarnrc documentation didn't mention this secret configuration parameter at all. The convention of "undocumented feature is experimental" doesn't seem to hold for Yarn.
  2. Even the NPM documentation is too brief to be useful. For example, it didn't specify what kind of expansion is done, which is probably platform dependent. Again, people have been using undocumented features for long.
  3. Actually cafile has been mentioned several times in this issue, but more people are simply spamming "hey disable SSL works for me" without thinking about security because they want their job quickly done. Who needs SSL anyway?

You probably can't fix 3, and 2 is in another scope, but maybe someone can come out and fix 1. If you come up with a Pull Request and want a second pair of eye I can probably help (I do have some general knowledge about cryptography), although I'm not able to approve it since I'm not a maintainer.

https://github.com/yarnpkg/yarn/issues/841#issuecomment-559037850
It doesn't work for me.

I set up a private repository(Verdaccio) with local issuer certificate
And made the same setting with a chained certificate file.
But Yarn has failed to download the packages.

It worked in NPM without any issue.

@sandipt27 I'm sorry that it took you so long to find the right way. You didn't find them probably because:

  1. The yarnrc documentation didn't mention this secret configuration parameter at all. The convention of "undocumented feature is experimental" doesn't seem to hold for Yarn.
  2. Even the NPM documentation is too brief to be useful. For example, it didn't specify what kind of expansion is done, which is probably platform dependent. Again, people have been using undocumented features for long.
  3. Actually cafile has been mentioned several times in this issue, but more people are simply spamming "hey disable SSL works for me" without thinking about security because they want their job quickly done. Who needs SSL anyway?

You probably can't fix 3, and 2 is in another scope, but maybe someone can come out and fix 1. If you come up with a Pull Request and want a second pair of eye I can probably help (I do have some general knowledge about cryptography), although I'm not able to approve it since I'm not a maintainer.

Will surely let you know for your needed help once I move towards Pull Request to fix it. :)

I'm seeing the same thing as well sitting behind a Nexus proxy group. The CA file setting is set with both NPM and Yarn at this point, but I still get the error.

โžœ yarn config list
yarn config v1.21.1
info yarn config
{
  'version-tag-prefix': 'v',
  'version-git-tag': true,
  'version-commit-hooks': true,
  'version-git-sign': false,
  'version-git-message': 'v%s',
  'init-version': '1.0.0',
  'init-license': 'MIT',
  'save-prefix': '^',
  'bin-links': true,
  'ignore-scripts': false,
  'ignore-optional': false,
  registry: 'https://registry.yarnpkg.com',
  'strict-ssl': true,
  'user-agent': 'yarn/1.21.1 npm/? node/v12.14.1 darwin x64',
  cafile: '/Users/XXXXXXX/pml_root_ca.pem',
  email: 'XXXXXXXXXXXXXXX',
  username: 'XXXXXXX'
}
info npm config
{
  '//registry.npmjs.org/:_authToken': XXXXXXXXXXXXXXXXXXXXX',
  cafile: '/Users/XXXXXXX/pml_root_ca.pem',
  registry: 'https://XXXXXXXXXXXXXXXXX/repository/npmjs/',
  '//nexus.pennmutual.com/repository/pml-npmjs/:_authToken': 'XXXXXXXXXXXXXXXXX',
  python: '/usr/bin/python'
}
โœจ  Done in 0.04s.

cdir-ui on ๎‚  feature/build_api is ๐Ÿ“ฆ v0.1.0 via โฌข v12.14.1 
โžœ yarn install
yarn install v1.21.1
[1/5] ๐Ÿ”  Validating package.json...
[2/5] ๐Ÿ”  Resolving packages...
[3/5] ๐Ÿšš  Fetching packages...
error An unexpected error occurred: "https://registry.yarnpkg.com/dotenv/-/dotenv-8.2.0.tgz: unable to get local issuer certificate".
info If you think this is a bug, please open a bug report with the information provided in "/Users/XXXXXXX/Projects/cdir-ui/yarn-error.log
cdir-ui on ๎‚  feature/build_api is ๐Ÿ“ฆ v0.1.0 via โฌข v12.14.1 

IIUC, once you set ca or cafile in any way, yarn provides a TLS config to Node, _replacing_ any trust Node would set itself.
Instead, to be able to use both system's CA trust store (#6578) AND an extra CA, make sure yarn config list shows no ca / cafile configured, and try setting these env vars:

# Depends how Node was compiled, already default on many Linuxes but can't hurt:
export NODE_OPTIONS=--use-openssl-ca

export NODE_EXTRA_CA_CERTS=/path/to/file.crt
Was this page helpful?
0 / 5 - 0 ratings