the proxy of my company transforms certificates, which brings "CERT_UNTRUSTED" errors.
Is it possible to add an option to Bower to continue in spite of this?
Hmm are you getting this when hitting git? or the registry?
Hi, it occurs when hitting Github.
I also tried adding the following parameter, without success : GIT_SSL_NO_VERIFY=1
Hmm.. If you solve the same issue using git directly in the command line, you should fix bower too
@fpetitit did you managed to solve it?
Relevant to solving this http://stackoverflow.com/questions/12537763/git-ssl-without-env-git-ssl-no-verify-true.
We should do a git config on the GitResolver based on strict-ssl rc config.
I just ran into this with our company's SSL setup too. For me, it was happening when hitting the registry. I was able to get around it by changing the endpoint URL from HTTPS to HTTP in my ~/.bowerrc:
But this obviously isn't ideal from a security perspective, since it's not using HTTPS. I have a custom system-wide CA certs bundle file that properly sets up our company's SSL interceptor as a trusted source. Tools like git and curl seem to read from that, but does anyone know how to point bower to a custom CA certs file? Or this might be a more general nodejs issue, since I haven't had much luck with any nodejs tools and our company's SSL setup.
Fixed in the rewrite with the strict-ssl config.
Actually this is probably not solved for git endpoints, only for the registry.
@fpetitit can you give us an update on this?
Closing due to lack of feedback.
I still have this problem. I'm also behind a corporate proxy.
This breaks bower, and also yeoman. :-(
Even though I set the bower endpoint to http, bower seems to try https
error Request to https://bower.herokuapp.com/packages/mocha failed: CERT_UNTRUSTED
Bower version: 1.3.6
Node version: 0.10.26
OS: Darwin 13.2.0 x64
you can try setting this in .bowerrc:
@hypery2k That worked for me cheers.
I already had http.sslverify=false in my git global config. If that helps anyone else with proxy issues.
Worked for me as well, 10x @hypery2k
+1 @hypery2k. Thanks
This is still an issue for me. I need to use custom CA certs to be able to verify SSL for bower. I have gotten it to work with npm and other repository managers that allow CA definition. It appears that bower is not taking the config file nor command line options for defining the CA to be used and ends up rejecting on CERT_UNTRUSTED.
Note: SSL is important to me and I'd like to avoid simply rejecting it, as recommended above.
I am not aware of my company MitM-ing our connections but we have to use the .bowerrc file listed above to get it to work on some of our machines. Most of the dev boxes don't seem to have this issue but our servers do. I'm still a little confused to why github seems to be having this issue. I've read through the above comments but I can't imagine why github, of all places, would have HTTPS issues with bower....
My company just put a MitM proxy on us as well and we're hitting this now. The .bowerrc file mentioned above does seem to work around it though. Thank you.
By "fix", you mean "workaround" right? The workarounds above suppress SSL checking. The true fix would be for the bower config file's ca and command line's --config.ca to actually recognize the CA that I would like to point to. bower's doucmentation claims that it does this, but it does not.
Yes, I've updated my comment. We've 'fixed' the problem now by getting IT to take this network off of their proxy list. So we are no longer going through the MitM proxy and have removed the disabling of SSL checking.
Even add ca in .bowerrc do not solve the issue.
Configuration seems simply ignored... or not enough in order to have bower believing in this certificate.
Please reopen. strict-ssl false is wrong way to fix. It's unsecure.
PR with fix is welcome
I need a fix too. Its not possible to add a certificate to bower!
Given that Bower uses request, looking at the documentation, it seems that the ca option should contain the contents of the certificate file, not a path to it. If I modify my .bowerrc to contain the full certificate contents (with newlines, BEGIN and END CERTIFICATE and all), registry lookups now work.
As for pulling in tar balls, there are still issues, in our case because GitHubResolver does not pass the ca option. Adding the ca option there makes Bower work for us behind the proxy with its custom root CA and strict-ssl enabled.
I would be happy to issue a pull request, but how should this work? I assume the ca option in .bowerrc should be a path to a file? How do people use this currently?
I got bower to work by using this command:
git config http.sslVerify "false"
As mentioned above that's only a workaround.
For anyone else working from behind a proxy with its own root CA, these are our settings (setting strict-ssl to true just to make clear what works, this should be the default everywhere):
Export your company's root CA certificate to some location on your local file system, CA_FILE. You can also append it to some existing CA bundle file, CA_BUNDLE.
We use the HTTPS_PROXY environment variable for the proxy config, including user credentials.
Strictly not linked to bower, but as you will probably use this too:
npm config set --global cafile $CA_FILE
npm config set --global strict-ssl true
Not everything works 100% but there are no blocking issues here.
In ~/.bowerrc we have:
After something like #1869 we can make this (truncated certificate contents):
"ca": "-----BEGIN CERTIFICATE-----\nkjhDKUFKJS...jfdhH==\n-----END CERTIFICATE-----\n"
And then after bower/config#28 we can make it (using the actual value of $CA_FILE or $CA_BUNDLE):
git config --global http.sslverify true
git config --global url.https://.insteadOf git://
git config --global http.sslCAInfo $CA_BUNDLE
Please add the "strict-ssl" configuration entry to the .bowerrc documentation ( http://bower.io/docs/config/ ). It solved my problem.