node-gyp: Error: self signed certificate in certificate chain

node-gyp doesn’t use the npm registry, it downloads the tarball from https://nodejs.org/.

Setting NODE_TLS_REJECT_UNAUTHORIZED=0 in the environment will disable verification but you are setting yourself up for a MitM attack. Closing, not a bug but a feature.

from command line you can do: set NODE_TLS_REJECT_UNAUTHORIZED=0 npm install [mypackage]

why close this? it seems to be a pretty common issue for a lot of people downloading packages that require node-gyp, and I just installed newest nodejs and npm and am still getting this issue. Using the NODE_TLS_REJECT_UNAUTHORIZED=0 may work, but it is a hack fix.

Same problem. It doesn’t seem to be respecting my global configuration settings for some reason. basically impossible to install behind a corporate proxy.

Can this be helpful? git config --global http.sslVerify false

setting NODE_TLS_REJECT_UNAUTHORIZED=0 works

The problems occur because the install scripts for those packages call node under the hood. When this happens, the proxy / cafile settings for npm are not always respected.

To work around this without disabling ssl completely, you can try this:

npm config set cafile /path/to/your/cert.pem --global
export NODE_EXTRA_CA_CERTS=/path/to/your/cert.pem
npm install

I am on RHEL7 and I tried export NODE_TLS_REJECT_UNAUTHORIZED=0 but still getting SELF_SIGNED_CERT_IN_CHAIN error. The two modules that are failing to install are bcrypt and libxmljs.

> libxmljs@0.17.1 install /lib/node_modules/libxmljs
> node-gyp rebuild

gyp WARN EACCES user "root" does not have permission to access the dev dir "/root/.node-gyp/0.10.36"
gyp WARN EACCES attempting to reinstall using temporary dev dir "/lib/node_modules/libxmljs/.node-gyp"
gyp WARN install got an error, rolling back install
gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: SELF_SIGNED_CERT_IN_CHAIN
gyp ERR! stack     at SecurePair.<anonymous> (tls.js:1381:32)
gyp ERR! stack     at SecurePair.emit (events.js:92:17)
gyp ERR! stack     at SecurePair.maybeInitFinished (tls.js:980:10)
gyp ERR! stack     at CleartextStream.read [as _read] (tls.js:472:13)
gyp ERR! stack     at CleartextStream.Readable.read (_stream_readable.js:341:10)
gyp ERR! stack     at EncryptedStream.write [as _write] (tls.js:369:25)
gyp ERR! stack     at doWrite (_stream_writable.js:226:10)
gyp ERR! stack     at writeOrBuffer (_stream_writable.js:216:5)
gyp ERR! stack     at EncryptedStream.Writable.write (_stream_writable.js:183:11)
gyp ERR! stack     at write (_stream_readable.js:602:24)
gyp ERR! System Linux 3.10.0-327.10.1.el7.x86_64
gyp ERR! command "node" "/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /usr/lib/node_modules/libxmljs
gyp ERR! node -v v0.10.36
gyp ERR! node-gyp -v v3.3.0
gyp ERR! not ok
npm ERR! Linux 3.10.0-327.10.1.el7.x86_64
npm ERR! argv "node" "/usr/bin/npm" "install" "-g" "libxmljs"
npm ERR! node v0.10.36
npm ERR! npm  v3.8.1
npm ERR! code ELIFECYCLE

Unfortunately where I work no proxy is provided so these variables don’t help. My company plays man in the middle and injects certs and there is nothing I can do about it.

in command line in folder with NPM use this: npm config set strict-ssl false

“Works” in the sense that it undermines TLS. It’s a useful temporary hack and troubleshooting option, but an irresponsible long-term setting. https://www.npmjs.com/browse/keyword/NODE_TLS_REJECT_UNAUTHORIZED = “insecure”

On Wed, Mar 22, 2017, 02:34 Rahul Bisht notifications@github.com wrote:

setting NODE_TLS_REJECT_UNAUTHORIZED=0 works

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/nodejs/node-gyp/issues/695#issuecomment-288344499, or mute the thread https://github.com/notifications/unsubscribe-auth/AH8mJ4szCuQ0Zp27LUcl14CdhRk0Jccxks5roOshgaJpZM4FuPvh .

Excuse my ignorance but how do you use NODE_TLS_REJECT_UNAUTHORIZED=0

I’m on Windows using cmd

Do I set this in the: npm confit set NODE_TLS_REJECT_UNAUTHORIZED=0

Have the same problem with node 4.1 and node-gyp 3.0.3:

gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: self signed certificate in certificate chain
gyp ERR! stack     at Error (native)
gyp ERR! stack     at TLSSocket.<anonymous> (_tls_wrap.js:1000:38)
gyp ERR! stack     at emitNone (events.js:67:13)
gyp ERR! stack     at TLSSocket.emit (events.js:166:7)
gyp ERR! stack     at TLSSocket._finishInit (_tls_wrap.js:567:8)
gyp ERR! System Windows_NT 6.1.7601
gyp ERR! command "C:\\Program Files (x86)\\nodejs\\node.exe" "C:\\Program Files (x86)\\nodejs\\node_modules\\npm\\node_modules\\node-gyp\\bin\\node-gyp.js" "configure" "--fallback-to-build" "--module=C:\\Users\\user\\AppData\\Roaming\\npm\\node_modules\\node-inspector\\node_modules\\v8-debug\\build\\debug\\v0.5.4\\node-v46-win32-ia32\\debug.node" "--module_name=debug" "--module_path=C:\\Users\\user\\AppData\\Roaming\\npm\\node_modules\\node-inspector\\node_modules\\v8-debug\\build\\debug\\v0.5.4\\node-v46-win32-ia32"
gyp ERR! cwd C:\Users\user\AppData\Roaming\npm\node_modules\node-inspector\node_modules\v8-debug
gyp ERR! node -v v4.1.0
gyp ERR! node-gyp -v v3.0.3
gyp ERR! not ok

Windows users: Having cafile=C:\path\to\my\companys\cafile.pem did not work. However removing that line and setting the environment variable below did work:

SET NODE_EXTRA_CA_CERTS=C:\\path\\to\\my\\companys\\cafile.pem

For noobs like me: the .pem file is just the base64 encoded certificates (.cer) of your proxy’s CA root (and intermediate).

No, because I don’t want to disable all certificate validation. Decrypting network hardware (substituting their local certs) are used in high-security environments, and accepting every certificate from any source would radically undermine that.

This would be much better addressed by fixing https://github.com/nodejs/node/issues/3159.

Playing whack-a-mole with npm, Atom, VS code, cUrl, Firefox, &c, &c, &c each using their own cert store when the OS supplies one is an unmanageable mess.

If that’s not immediately supported, a standard cafile environment variable that’s honored by all parties would at least help.

setting NODE_TLS_REJECT_UNAUTHORIZED=0 works

Not working for me, I used following command to se

set NODE_TLS_REJECT_UNAUTHORIZED=0

Can you tell me what more needs to be done ?

Linux

export NODE_TLS_REJECT_UNAUTHORIZED=0

Windows

set NODE_TLS_REJECT_UNAUTHORIZED=0

i found this comment on another issue and it seems to work https://github.com/nodejs/node-gyp/issues/448#issuecomment-44061248. just set that environment variable. This is a hacky work around though, node-gyp should respect npmrc.

On npm

On Node Package Manager you have two options: bypass or set a certificate file. Bypassing (risky!) npm config set strict-ssl false --global Setting a certificate file npm config set cafile /path/to/your/cert.pem --global

It looks like that error may be thrown also with nodemailer. In my situation with sails my services/EmailService.js was throwing the error upon lift and on send… this stack fixed both issues.

Sorry for the highjack but this thread owns “Error: self signed certificate in certificate chain” in google search

Since node-gyp is a tool for nodejs, but not resides inside of nodejs, I can fully understand why it should not use the node/npm configs for setting the network environment. But I must also agree with the others, that node-gyp should provide it’s (optional) own config file, because in my case the system proxy environment is not enough, too: My company’s proxy also established a MitM scenario, so I need a strict-ssl=false.

The ‘workaround’ with NODE_TLS_REJECT_UNAUTHORIZED=0 works, but it is not very user friendly:

• not well documented
• every developer has always to setup his own environment especially for node-gyp
• counter-intuitive if other equivalent tools (in terms of downloading stuff) have a config file for this setting like bower, npm, Atom, etc

on windows, version v16.16.0. those are not working Set NODE_TLS_REJECT_UNAUTHORIZED=0 SET NODE_EXTRA_CA_CERTS=C:\path\to\my\companys\cafile.pem

Is there a way to specify where the file should be downloaded from or do I have to hack the hosts file to avoid this blocking issue ?

None of the other methods worked for me (see https://github.com/nodejs/node-gyp/issues/695#issuecomment-1485089294), but this command finally solved the problem (on Windows 11): $env:NODE_EXTRA_CA_CERTS="C:\path\to\certificate.crt"

node-gyp and npm now work without any problems.

I was facing the same issue and realize that the request is actually blocked by firewall. So make sure that the request is accessible from the browser.

env export NODE_TLS_REJECT_UNAUTHORIZED=0 worked for me too!

Hi,

i just can’t install keytar because node-gyp rebuild fails with this problem:

I’ve tried

• Set NODE_TLS_REJECT_UNAUTHORIZED=0
• SET NODE_EXTRA_CA_CERTS=C:\path\to\my\companys\cafile.pem
• uninstall/install angular

I do not know what I can try beyond this.

Can anyone recommend a solution?

Try uninstalling Angular/cli first and installing node-gyp and then try reinstalling Angular cli

npm uninstall -g @angular/cli
npm install -g node-gyp
npm install -g @angular/cli

It worked perfectly

Windows users: Having cafile=C:\path\to\my\companys\cafile.pem did not work. However removing that line and setting the environment variable below did work:

SET NODE_EXTRA_CA_CERTS=C:\\path\\to\\my\\companys\\cafile.pem

For noobs like me: the .pem file is just the base64 encoded certificates (.cer) of your proxy’s CA root (and intermediate).

1. Did you used double slash in path?
2. Is it required to be exactly .pem extension or base64 encoded .cer just fine?
3. Did you used npmrc file?

I used Set NODE_TLS_REJECT_UNAUTHORIZED=0 and npm config set strict-ssl false

worked for me

setting NODE_TLS_REJECT_UNAUTHORIZED=0 works

Not working for me, I used following command to se

set NODE_TLS_REJECT_UNAUTHORIZED=0

Can you tell me what more needs to be done ?

your issue is not exactly what is being discussed in this thread and your settings in the npmrc file have not affect on how nodejs is operating… You can use the solutions mentioned above to “fix” your issue.

I work in an environment where our proxies also use this self-signed cert substitution technique. Is there a particular reason to not expect security appliance vendors and operators to start using signed certificates for their appliances? I think the only way we will see a change in behavior is to continue to place that expectation on the vendors and operators. And it’s not just Node that has these “issues” dealing with self-signed certs. Every application I support that interacts with the internet is a headache because of this.

so there is now a command line option to provide ca file … any idea how to engage that when node-gyp is getting called by the NPM install process? i’m not the one calling node-gyp, npm is, via the project file of the module being installed. the solution seems to remain the NODE_TLS_REJECT_UNAUTHORIZED=0 hack.