Do you want to request a _feature_ or report a _bug_?
Bug
What is the current behavior?
yarn install crashes with the error self signed certificate in certificate chain
If the current behavior is a bug, please provide the steps to reproduce.
package.json with a URL that has a self signed certificate. In this case it is a .tgz in our infrastructure.
yarn install
What is the expected behavior?
yarn install exits without error.
Please mention your node.js, yarn and operating system version.
node: 6.3.1
yarn: 0.15.1
OS: OS X Sierra
Full stacktrace
➜ projectDir git:(master) ✗ yarn install
yarn install v0.15.1
[1/4] 🔍 Resolving packages...
error self signed certificate in certificate chain
at Error (native)
at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:584:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)
info Visit http://yarnpkg.com/en/docs/cli/install for documentation about this command.
This is SSL/TLS working as expected, it's rejecting invalid certs 😄 . If this validation was not performed, someone could perform a man-in-the-middle attack.
Try running Yarn like this:
NODE_TLS_REJECT_UNAUTHORIZED=0 yarn install
or running export NODE_TLS_REJECT_UNAUTHORIZED=0 before yarn install.
This is pretty dangerous though, as it totally turns off TLS validation for every request performed from Node.js while the environment variable is set. A better approach for internal services is to either use a real certificate (which could be a free Let's Encrypt one) or have an internal CA, install its root cert on developer machines, and then use certificates from that CA for internal services (this is what we do at Facebook).
Potentially we could add a setting to ignore TLS validation errors for particular hostnames (so we'd still validate for the regular npm server and only turn off validation for your internal server) but I don't know whether that's worth the maintenance overhead of keeping such a feature.
Thank you, I believe I have the cert installed but will research further. Closing for now.
same problem here but on windows
if i run
set NODE_TLS_REJECT_UNAUTHORIZED=0
yarn install
yarn still fails with certificate error (caused by corporate proxy)
@adamduren is there some other option on windows?
@JanEggers you can try executing below command:
yarn config set "strict-ssl" false
I'm sitting behind a company firewall which can decrypt any SSL traffic. Installing packages with a cafile config option within .yarnrc works fine, but it failed when running pngquant et al. postinstall routines. Thank you!
I had this issue in Windows 10 1709 16299.967.
I had to:
choco install yarn
yarn
yarn config set "strict-ssl" false
works for me doing just:
Open powershell as admin
execute: yarn config set strict-ssl false.
Please stop setting SSL to false, not only you can get hacked very badly but also all those innocent people using your services could be victims.
SSL was put in there for a reason, and it's a very logical one.
So what is the recommended and actual fix to this?
Stop intercepting SSL/TLS calls with your own man-in-the-middle SSL cert. You are breaking TLS.
Thanks for the reply..
Yes, I do understand this and wouldn't consider that an actual fix anyways. That answers what the fix shouldn't be, but my question is if there's an actual fix to this and how it should be addressed.
There seems to be a fix on Windows in the comments, but it seems like MacOS catalinas are throwing up this error. Setting up LetsEncrypt|OpenSSL etc just to be able to run this locally for development seems quite time consuming but I may be totally wrong, can't find any relevant info.
Edit: Seems like my issue was caused by a proxy.
Add your proxy cert authority chain to yarn config (pem or crt):
yarn config set cafile C:\Users\youruser\.certificates\yourcertname.pem
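A check that follows from this thread, added here as an example and not part of the original issue or Yarn's own code: it scans Yarn 1.x .yarnrc / .npmrc text and the environment for the two validation-disabling settings discussed above, and reports whether a cafile is configured instead. The function names and the sample file contents are constructed for illustration.

```javascript
// Parse .yarnrc ("key value") or .npmrc ("key=value") text into a settings map.
function parseConfig(text) {
  const settings = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue; // comments
    // Key and value may each be wrapped in double quotes (yarn config set "strict-ssl" false).
    const m = line.match(/^"?([A-Za-z0-9_.-]+)"?\s*[=\s]\s*"?(.*?)"?$/);
    if (m) settings[m[1]] = m[2]; // last occurrence in a file wins
  }
  return settings;
}

// files: { fileName: fileText }, env: an object shaped like process.env.
function auditTlsSettings(files, env) {
  const findings = [];
  let caFile = null;
  for (const [name, text] of Object.entries(files)) {
    const cfg = parseConfig(text);
    if ((cfg["strict-ssl"] || "").toLowerCase() === "false") {
      findings.push({ source: name, setting: "strict-ssl false",
        risk: "certificate validation disabled for Yarn/npm requests" });
    }
    if (cfg.cafile) caFile = cfg.cafile; // the fix suggested in the thread
  }
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === "0") {
    findings.push({ source: "environment", setting: "NODE_TLS_REJECT_UNAUTHORIZED=0",
      risk: "TLS validation disabled for every request made from Node.js" });
  }
  return { findings, caFile, pass: findings.length === 0 };
}

// Constructed sample inputs (not taken from any real machine).
const SAMPLE_BAD = {
  ".yarnrc": "# yarn lockfile v1\n\nstrict-ssl false\n",
  ".npmrc": "registry=https://registry.example.internal/\nstrict-ssl=false\n",
};
const SAMPLE_GOOD = {
  ".yarnrc": '# yarn lockfile v1\n\ncafile "/etc/ssl/corp/proxy-ca.pem"\nstrict-ssl true\n',
};

console.log(auditTlsSettings(SAMPLE_BAD, { NODE_TLS_REJECT_UNAUTHORIZED: "0" }));
console.log(auditTlsSettings(SAMPLE_GOOD, {}));
```

Run against real files by passing their contents and process.env; a failing result in CI is a prompt to replace the override with a cafile entry for the proxy or internal CA.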