playwright: [Question]: "playwright install" command fails with UNABLE_TO_GET_ISSUER_CERT_LOCALLY error
“playwright install” command fails with UNABLE_TO_GET_ISSUER_CERT_LOCALLY error
I am using Windows 11 with Python 3.8.10
Here is the trace.
>playwright install
Downloading Chromium 108.0.5359.29 (playwright build v1033) from https://playwright.azureedge.net/builds/chromium/1033/chromium-win64.zip
Error: unable to get local issuer certificate
at TLSSocket.onConnectSecure (node:_tls_wrap:1539:34)
at TLSSocket.emit (node:events:513:28)
at TLSSocket._finishInit (node:_tls_wrap:953:8)
at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:734:12) {
code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}
I found out that this error comes because my company has installed Zscaler on my laptop which is presenting its own certificate when browsed the Microsoft CDN website,
I imported the root and intermediate certificates to the cacert.pem file as mentioned in the below URL. https://community.zscaler.com/t/installing-tls-ssl-root-certificates-to-non-standard-environments/7261
Specifically I used the below commands,
> python -m certifi
D:\venv\amazon\lib\site-packages\certifi\cacert.pem
> gc "c:\Users\amit_tendulkar\Downloads\Zscaler Root CA.crt" | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
> gc 'C:\Users\amit_tendulkar\Downloads\Zscaler Intermediate Root CA (zscalerthree.net).crt' | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
> gc 'C:\Users\amit_tendulkar\Downloads\Zscaler Intermediate Root CA (zscalerthree.net) (t)_.crt' | ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
> gc 'C:\Users\amit_tendulkar\Downloads\_.azureedge.net.crt'| ac D:\venv\amazon\lib\site-packages\certifi\cacert.pem
Still I got the same errors.
Then I referred to https://playwright.dev/docs/browsers#install-behind-a-firewall-or-a-proxy to understand that I might need to set a proxy.
By logging in to ip.zscaler.net I got the following details,
When I set the proxy like this and tried installing the browsers, I got the below error,
> set HTTPS_PROXY=https://165.225.120.33
> playwright install
Downloading Chromium 108.0.5359.29 (playwright build v1033) from https://playwright.azureedge.net/builds/chromium/1033/chromium-win64.zip
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 165.225.120.33 is not in the cert's list:
at new NodeError (node:internal/errors:387:5)
at Object.checkServerIdentity (node:tls:354:12)
at TLSSocket.onConnectSecure (node:_tls_wrap:1549:27)
at TLSSocket.emit (node:events:513:28)
at TLSSocket._finishInit (node:_tls_wrap:953:8)
at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:734:12) {
reason: "IP: 165.225.120.33 is not in the cert's list: ",
host: '165.225.120.33',
cert: {
subject: [Object: null prototype] {
C: 'US',
ST: 'California',
L: 'San Jose',
O: 'Zscaler, Inc.',
CN: '*.zscalerthree.net'
},
issuer: [Object: null prototype] {
C: 'US',
O: 'DigiCert Inc',
CN: 'DigiCert TLS RSA SHA256 2020 CA1'
},
subjectaltname: 'DNS:*.zscalerthree.net, DNS:gateway.zscalerthree.net, DNS:login.zscalerthree.net, DNS:zscalerthree.net',
infoAccess: [Object: null prototype] {
'OCSP - URI': [Array],
'CA Issuers - URI': [Array]
},
modulus: 'C8A77BED7A0117DE5EEAA9EA76DC501D02C41BA1239CC55E5F98347321B9E1098EF62C39EF36DB8D0329BE227B81D2A10F7EA828F0ADD63391F722B49755683727D8C397BDE7C9EFB8C07336F44C683B0F2308CB4875A880614570A1D36816F3B5671C7F5CB869CE1CCE6D12C8B0E39324BDCA7BB79CB0276EDE384476A3360116D1B1650E8BBB829515F547C2E61CF0FD35051532A774962F219F326DB2A61F4C84060F9BF77F14AAAFEF0B741F47D49318886423EC091D2BB6E9197B1FECF18CBC209204E9B0D227A41B3773414C2A0EB96F5264EA976D30041C912B4EE350678BDFE478188FE8957B9937EBFAC76A7FC50CBE159E8AF62AE86F5DF22F2701',
bits: 2048,
exponent: '0x10001',
pubkey: <Buffer 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c8 a7 7b ed 7a 01 17 de 5e ea a9 ea 76 dc 50 1d 02 ... 244 more bytes>,
valid_from: 'May 10 00:00:00 2022 GMT',
valid_to: 'Jun 10 23:59:59 2023 GMT',
fingerprint: 'D5:59:B6:14:19:46:68:95:DF:C2:97:6D:D5:7C:D7:CF:F4:BE:C8:6C',
fingerprint256: '9E:B3:88:55:74:88:C7:52:9D:39:FF:79:EF:D8:5B:57:F3:11:BB:ED:74:1D:EF:D5:9E:DC:21:00:94:20:7F:61',
fingerprint512: '87:EF:B4:FD:1C:7E:06:DD:69:4D:B3:51:61:65:4E:84:85:E3:BF:44:9E:4C:AB:BC:20:EE:15:74:79:C3:4B:5D:50:26:F7:B0:98:21:2F:BA:9A:FC:5D:E8:85:7C:A0:D5:1E:95:33:80:48:29:ED:5E:DA:9E:CD:AB:DE:69:CF:59',
ext_key_usage: [ '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2' ],
serialNumber: '0827612350F56C1E151398D61F719128',
raw: <Buffer 30 82 06 f9 30 82 05 e1 a0 03 02 01 02 02 10 08 27 61 23 50 f5 6c 1e 15 13 98 d6 1f 71 91 28 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 4f 31 0b ... 1739 more bytes>,
issuerCertificate: {
subject: [Object: null prototype],
issuer: [Object: null prototype],
infoAccess: [Object: null prototype],
modulus: 'C14BB3654770BCDD4F58DBEC9CEDC366E51F311354AD4A66461F2C0AEC6407E52EDCDCB90A20EDDFE3C4D09E9AA97A1D8288E51156DB1E9F58C251E72C340D2ED292E156CBF1795FB3BB87CA25037B9A52416610604F571349F0E8376783DFE7D34B674C2251A6DF0E9910ED57517426E27DC7CA622E131B7F238825536FC13458008B84FFF8BEA75849227B96ADA2889B15BCA07CDFE951A8D5B0ED37E236B4824B62B5499AECC767D6E33EF5E3D6125E44F1BF71427D58840380B18101FAF9CA32BBB48E278727C52B74D4A8D697DEC364F9CACE53A256BC78178E490329AEFB494FA415B9CEF25C19576D6B79A72BA2272013B5D03D40D321300793EA99F5',
bits: 2048,
exponent: '0x10001',
pubkey: <Buffer 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c1 4b b3 65 47 70 bc dd 4f 58 db ec 9c ed c3 66 e5 ... 244 more bytes>,
valid_from: 'Sep 24 00:00:00 2020 GMT',
valid_to: 'Sep 23 23:59:59 2030 GMT',
fingerprint: '69:38:FD:4D:98:BA:B0:3F:AA:DB:97:B3:43:96:83:1E:37:80:AE:A1',
fingerprint256: '25:76:87:13:D3:B4:59:F9:38:2D:2A:59:4F:85:F3:47:09:FD:2A:89:30:73:15:42:A4:14:6F:FB:24:6B:EC:69',
fingerprint512: '6A:6F:6D:A5:D4:7D:88:75:7F:16:85:37:23:19:8D:5A:D5:5F:4A:04:1E:1E:AA:52:00:AF:7F:10:54:80:0C:D4:A9:EA:73:4A:F8:76:3D:F1:20:9A:8C:E2:27:3D:C0:DB:BF:C7:66:73:1D:B5:11:7B:FC:66:D4:4D:B2:B7:00:9C',
ext_key_usage: [Array],
serialNumber: '0A3508D55C292B017DF8AD65C00FF7E4',
raw: <Buffer 30 82 04 ea 30 82 03 d2 a0 03 02 01 02 02 10 0a 35 08 d5 5c 29 2b 01 7d f8 ad 65 c0 0f f7 e4 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 61 31 0b ... 1212 more bytes>,
issuerCertificate: [Object]
}
},
code: 'ERR_TLS_CERT_ALTNAME_INVALID'
}
Any pointers?
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 32 (1 by maintainers)
You need to do the following,
set NODE_EXTRA_CA_CERTS=D:\caert.pemon command line (or$env:NODE_EXTRA_CA_CERTS = 'D:\caert.pem'in Powershell).playwright installcommand should work properly.On top of above cacert.pem made ready, you need to do the below to make playwright to install browsers without errors. `npm config set strict-ssl=false
npm config set registry http://registry.npmjs.org/
npm config set cafile /path/to/your/cert.pem
set NODE_TLS_REJECT_UNAUTHORIZED=0`
Got to resolve this in VM with firewall protection. With Zscaler, if issues exists, please update policy in it and rerun the above.
@ResiakA, please click on the lock icon as indicated below.
Next, select “Connection is secure” menu item (this is Edge specific. You will see something similar in Chrome or Firefox)
Now click on the certificate icon,
You should see a certificate viewer as below. Click on the details tab,
Now select each certificate in the tree starting from root and click export to export those certificates (in your case the presented certificates will be different from the below screenshot),
Once exported, you will need to follow the instructions in my earlier comments to append those certificates in a single file and use it as an additional certificate store for the Node.js.
Hi, I am currently similar issue in downloading the browsers and trying to download the certificates but I could only download certificate named “Cisco Umbrella Root CA”.
At 2:51 AM, this finally worked for me. Thanks for saving me !
Looks like I got the solution. Indeed it is Node.js not finding the certificate. The below commands solved the issue,
Thanks to the below Q&A, https://stackoverflow.com/questions/29283040/how-to-add-custom-certificate-authority-ca-to-nodejs