Self signed certificate in certificate chain error

[roby2001]

Hey,

I'm trying to move from npm to yarn. I've installed yarn and set up the following config variables : http-proxy , https-proxy and strict-ssl : false.

When I try to yarn, at step [1/4] Resolving packages I get the following error :

error self signed certificate in certificate chain
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1057:38)
    at emitNone (events.js:67:13)
    at TLSSocket.emit (events.js:166:7)
    at TLSSocket._finishInit (_tls_wrap.js:596:8)

As far as I know websockets don't work behind my corporate proxy. Any workarounds ?

[vbfox]

Looks the same as #841 ssl settings (like CA or strict ssl) don't work yet 😢

[roby2001]

@vbfox Thanks! Will follow that post.

[sebmck]

We've merged support for cafile and strict-ssl so this issue should be resolved.

[ptrstpp950]

@kittens in which version it is or will be released?

[TheNicholasNick]

working now in yarn v0.16.0

[tommck]

I still get this error with 0.16.1

[klauern]

Same here. I tried just the cafile option, then added the strict-ssl option and I'm still getting the following from yarn-error.log:

 C:\Program Files\nodejs\node.exe C:\Users\Me\AppData\Roaming\npm\node_modules\yarn\bin\yarn.js add vue

PATH: ....

Yarn version:
  0.16.1

Node version:
  6.1.0

Platform:
  win32 x64

npm manifest:
  {
    "name": "...",
    "version": "1.0.0",
    "description": "...",
    "main": "index.html",
    "author": "Nick Klauer ...",
    "license": "MIT"
  }

yarn manifest:
  No manifest

bower manifest:
  No manifest

Lockfile:
  No lockfile

Trace:
  Error: self signed certificate in certificate chain
      at Error (native)
      at TLSSocket.<anonymous> (_tls_wrap.js:1055:38)
      at emitNone (events.js:86:13)
      at TLSSocket.emit (events.js:185:7)
      at TLSSocket._finishInit (_tls_wrap.js:580:8)
      at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:412:38)

[mmrath]

Looks like it works when I specify the config in .yarnrc but not from command line

[cgatian]

For me calling yarn config set "strict-ssl" false from the CLI updated strict-ssl to a string value in the JSON file, not a boolean. If you open up your .yarnrc (located in \Users\ in Windows) and update to the following, it works.

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
strict-ssl false

[jeffbski]

I also found that if I duplicated the strict-ssl and other config from .npmrc into .yarnrc then things started working (or use yarn config set to add each part). I'm not sure why it didn't pick it up from .npmrc.

[damiandennis]

not working anymore in 0.23.3

[rmanivannan]

same with v0.27.5 aswell

error An unexpected error occurred: "https://registry.npmjs.org/babel-polyfill: self signed certificate in certificate chain". info If you think this is a bug, please open a bug report with the information provided in "/Users/****/yarn-error.log". info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

[danielmhair]

I had this same type of error. Doing yarn config set "strict-ssl" false resolved the issue for me. Thanks @cgatian

[monicapeddi021]

I can't find .yarnrc file in C:/Users. Pls let know how can I create it.
@cgatian @danielmhair

[danielmhair]

@monicapeddi021 I never created the file myself. I simply went to the command line and ran yarn config set "strict-ssl" false

[texdc]

@danielhusar I just tried yarn config set "strict-ssl" false, but it didn't work:

$ yarn --version
1.3.2

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


registry "https://nexus.our-private.zone/repository/private-repo/"
lastUpdateCheck 1519057517516
strict-ssl false

[ronaldomoreira]

I had the same problem on windows 10.

open windows powerShell and enter the following command:

`npm config set registry http://registry.npmjs.org/`

Then you can use:

npm install [your package]

[CosmosHannah]

I had this same type of error. Doing yarn config set "strict-ssl" false resolved the issue for me. Thanks @cgatian

Yes, I have the same error when running yarn install. That commend works for me too. :)

[Exadra37]

Recommending to set strict-ssl to false is like leaving home with doors and windows open, and say come in and take all you want ;)

Please don't work around issues, and instead fix them properly.

So enable ssl strict:

yarn config set strict-ssl true

And then tell yarn where to find the certificate file:

yarn config set cafile /path/to/certificate/file

[cgatian]

Works great if you have the certificate. How do you fix without?

[Exadra37]

Works great if you have the certificate. How do you fix without?

When you get this error is because your computer is not able to communicate directly with the url being requested, maybe because your are behind a corporate firewall or proxy that uses a custom self signed certificate, therefore in either cases you need to ask the administrator of your network to provide you the certificate.

[FranklinYu]

@cgatian Typically you have access to the certificate (you simply don’t know how to download it). Most registry software support TLS.

[Nathan187]

@Exadra37 where is the certificate file? how do i know it exists, etc?

[Exadra37]

@Nathan187 you need to ask your Network Administrator to give you the file and then tell yarn where you have placed it.

[valenfv]

I tried yarn config set cafile /path/to/certificate/file but didn't work either....

[sabersalhi16]

i had some on macOS bigsur i disabled the proxy it fixed my issue

[charles-at-office]

On Ubuntu 20.04, use yarn config set cafile /etc/ssl/certs/ca-certificates.crt, after adding the CA to /etc/ssl/certs/ and running update-ca-certificates.

[ad34]

this issue is back since I upgraded to yarn 3, setting yarn config set enableStrictSettings false does not fix the issue

[kenmlee]

for yarn v2/3, run:

yarn config set enableStrictSsl false

[jakeboone02]

For anyone who couldn't get any of the solutions mentioned in this thread to work, the only thing that ended up working on my work computer was to get the certificate file from my IT department then set the NODE_EXTRA_CA_CERTS environment variable to the path to that file. (I also had strict-ssl set to false but I'm not sure if that was necessary.)

[Exadra37]

(I also had strict-ssl set to false but I'm not sure if that was necessary.)

You are running in insecure mode now, thus defeating the security that your IT department wants to enforce company wide.

[jakeboone02]

(I also had strict-ssl set to false but I'm not sure if that was necessary.)

You are running in insecure mode now, thus defeating the security that your IT department wants to enforce company wide.

Right, I understand that and certainly didn't mean to imply that I was recommending setting strict-ssl to false. I was just clarifying my setup at the time in case anyone gets in the same situation in the future.

[Exadra37]

I was just clarifying my setup at the time in case anyone gets in the same situation in the future.

So, you are indeed recommending/endorsing a poor security solution by saying this.

[jakeboone02]

So, you are indeed recommending/endorsing a poor security solution by saying this.

This is a completely unnecessary and clearly false accusation. I made it clear in #980 (comment) that I thought the strict-ssl false setting may not even be relevant, much less recommended. Then I explicitly stated in #980 (comment) that I "certainly didn't mean to imply that I was recommending" it. Admitting I did something dangerous doesn't imply that I think anyone else should do the same thing.

[john8329]

Yarn relies on Node. As mentioned by @jakeboone02, node has an environment variable for adding a custom CA to the existing ones, without replacing:
export NODE_EXTRA_CA_CERTS="$HOME/.my-ca.crt".

Set this to your .zshenv or .bashrc and it should work. I find it very clean and modular. Do NOT disable strict-ssl, it completely throws off security.
Posting this in case somebody else stumbles on this and still has doubts.

[thedamon]

We had this happen to some users only on Windows for a few packages and I definitely don't understand what cert is supposed to be where

[maxpetts]

Had to use: yarn config set enableStrictSsl false, as strict-ssl config name seems to have changed.

[aep-sunlife]

Same issue in yarn 4.5.0. Do not advise disabling SSL.

That's apart from corepack's own problems integrating with proxies and self signed certificate chains.