Same here

`Yarn version:
0.16.1

Node version:
5.11.1

Platform:
win32 x64

yarn manifest:
No manifest

bower manifest:
No manifest

Lockfile:
No lockfile

Trace:
Error: self signed certificate in certificate chain
at Error (native)
at TLSSocket.strict-ssl "false" (_tls_wrap.js:1065:38)
at emitNone (events.js:80:13)
at TLSSocket.emit (events.js:179:7)
at TLSSocket._init.ssl.onclienthello.ssl.oncertcb.TLSSocket._finishInit (_tls_wrap.js:593:8)
at TLSWrap.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:425:38)
`

I have set strict-ssl "false"

Hi, make sure you're running yarn 0.16.0 or newer.

Then download the current certificate, and verify with you operations team that it is the correct one:

openssl x509 -in <(openssl s_client -connect www.google.com:443  -prexit 2>/dev/null)

replace www.google.com:443 with the correct servername and port. You may also need to add -servername www.google.com. For those who get a different error: error unable to verify the first certificate, you should get the CA instead of server certificate in this step.

Next, decide if you (and the company you work for) want to be protected from man in the middle attacks. An MITM attack in the case could send you the wrong/malicious code and take your registry credentials. If you can accept this risk, you can just set strict-ssl to false. Please remember that while you might trust your day-to-day home/work network, you might not have the same trust on hotel/conference/airport networks.

_Linux setup_
On Fedora/RHEL/CentOS/Debian/Ubuntu I would add it to the OS trust store, and configure yarn to use the OS trust store. This will also make the registry trusted by your browser, and tools like curl/wget, openssl.

Fedora/RHEL/CentOS

Add the CA or self signed certificate to /etc/pki/ca-trust/source/anchors/.
Run sudo update-ca-trust extract. If you use nodejs provided by Red Hat, that's it!

If you have compiled nodejs yourself, or have downloaded nodejs from https://nodejs.org/, you need to configure yarn to use the OS trust store instead of the included static nodejs trust store:

yarn config set cafile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Debian/Ubuntu

This is similar to the instructions for Red Hat Enterprise Linux:

1. Add your .crt file to /usr/local/share/ca-certificates
2. sudo update-ca-certificates
3. yarn config set cafile /etc/ssl/certs/ca-certificates.crt

_Alternative custom bundle setup (for example for macOS)_

If you also want to be able to this repository, and other repositories over https, and do not want to/can not update the OS trust store, you need to make a cafile containing your self signed certificate and a bundle of trusted certificate authorities like the one provided by Mozilla. The author of curl makes such a bundle available in the correct format as cacert.pem (more info).

1. Download cacert.pem - for example to $HOME/.cacert.pem
2. Add your certificate or CA to that file
3. yarn config set cafile $HOME/.cacert.pem

@chlunde Thanks for the detailed instruction
I'm using [email protected] Since it's trusted internal network, I'm ok with non ssl verification but I'm still getting "self signed certificate in certificate chain" with strict-ssl : “false”

@rick-li Could you try the cafile alternative instead? I haven't tested strict-ssl myself, only cafile.

@chlunde With cafile, I'm getting Error: unable to get local issuer certificate

I'm having the same problem with an artifactory repository. Would be really nice to be able to use yarn

Oh, and I'm on windows, so none of the examples of cafile stuff work for me :)

yarn config set strict-ssl false works for me with latest yarn.

guys, if you have any issue with self sign certificate with yarn install just configure below in .yarnrc file and run
registry "url"
cafile null
strict-ssl false

it worked for me