This repository has been archived by the owner. It is now read-only.

SELF_SIGNED_CERT_IN_CHAIN (Corporate Overlords SSL-intercepting proxy) #9282

Closed
mrjcleaver opened this Issue Aug 14, 2015 · 5 comments


After reading all the related issues I could (e.g. #7439 (comment), #9195, #8125, #7547, #7519), I thought I'd answer the question of what to do if you are on a corporate network that interjects a self-signed SSL certificate (such as http://packetpushers.net/using-ssl-intercept-with-adcs-firewalls-to-inspect-clean-encrypted-traffic/ ) but doesn't give you a proxy to work around it.

So, I was going to write this into https://github.com/npm/npm/wiki/Troubleshooting#ssl-intercepting-proxy
but then (frustratingly) I couldn't quite get the last bit to work. I'm putting it here in the hope someone knows how to complete it.

Corporate Overlord SSL-intercepting proxy

To cut a long story short, the self-signed certificate needs to be installed into npm to avoid SELF_SIGNED_CERT_IN_CHAIN:

INSTALL openssl

PS c:\> choco install openssl.light
PS c:\> openssl.exe s_client -connect registry.npmjs.org:443

GET CERTIFICATE

PS C:\> Write-Output "\n" | openssl.exe s_client -showcerts -connect registry.npmjs.org:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.crt

(hit ctrl-z)

The following text courtesy of Alex Taylor on http://stackoverflow.com/posts/30341389/revisions

npm config set cafile = ""

I think that's everything I know about getting npm to work behind a proxy/firewall. May someone find it useful.

Edit: It's a really common suggestion to turn off HTTPS for this problem either by using an HTTP registry or setting NODE_TLS_REJECT_UNAUTHORIZED. These are not good ideas because you're opening yourself up to further man-in-the-middle or redirection attacks. A quick spoof of your DNS records on the machine doing the package installation and you'll find yourself trusting packages from anywhere. It may seem like a lot of work to make HTTPS work, but it is highly recommended. When you're the one responsible for allowing untrusted code into the company, you'll understand why.

Here's the error:

PS C:\Users\martin\ssl> openssl.exe s_client -connect registry.npmjs.org:443 -cert .\cert.crt
unable to load client certificate private key file
4336:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:648:Expecting: ANY PRIVATE KEY

PS C:\Users\martin >  npm install -g yo hubot-hipchat --ca=null --verbose
npm info it worked if it ends with ok
npm verb cli [ 'C:\\Program Files\\nodejs\\\\node.exe',
npm verb cli   'C:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js',
npm verb cli   'install',
npm verb cli   '-g',
npm verb cli   'yo',
npm verb cli   'hubot-hipchat',
npm verb cli   '--ca=null',
npm verb cli   '--verbose' ]
npm info using npm@2.11.3
npm info using node@v0.12.7
npm verb install initial load of C:\Users\cleavm2\AppData\Roaming\npm\package.json
npm verb readDependencies loading dependencies from C:\Users\martin\AppData\Roaming\npm\package.json
npm verb cache add spec yo
npm verb cache add spec hubot-hipchat
npm verb addNamed "*" is a valid semver range for yo
npm verb addNameRange registry:https://registry.npmjs.org/yo not in flight; fetching
npm verb addNamed "*" is a valid semver range for hubot-hipchat
npm verb addNameRange registry:https://registry.npmjs.org/hubot-hipchat not in flight; fetching
npm verb request uri https://registry.npmjs.org/hubot-hipchat
npm verb request no auth needed
npm info attempt registry request try #1 at 4:40:54 PM
npm verb request id 24ba5040d018d817
npm verb etag "ELBJWHL7H17UUZV869V5DKAT6"
npm http request GET https://registry.npmjs.org/hubot-hipchat
npm verb request uri https://registry.npmjs.org/yo
npm verb request no auth needed
npm info attempt registry request try #1 at 4:40:54 PM
npm verb etag "EZZBRRMEY8EPDCRVYEESNK1Y5"
npm http request GET https://registry.npmjs.org/yo
npm info retry will retry, error on last attempt: Error: certificate not trusted
npm info retry will retry, error on last attempt: Error: certificate not trusted

rictic referenced this issue in googlearchive/polyup Oct 28, 2015: Install issue #105 (Closed)

jongiddy May 11, 2016

On a Linux VM (hosted on a Windows machine behind an SSL-intercepting proxy), I get secure access to work using (as root):

npm config set cafile "/path/to/CA.crt"
npm config set proxy http://10.1.1.100:8080
npm config set https-proxy http://10.1.1.100:8080

No equals-sign and name SSL certificate path directly rather than using "".

JerinJ Jul 5, 2016

Even I faced the same issue while doing any npm install -g XXX command; it was resolved by npm config set strict-ssl false
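The thread offers two routes past SELF_SIGNED_CERT_IN_CHAIN: trusting the proxy's CA through cafile, or switching certificate verification off. As an added example (not part of the original thread and not npm's own code), this Node.js script audits .npmrc text and the environment for the verification-weakening settings named in the thread; the function names and sample values are assumptions made for illustration.

```javascript
// Added example: audit npm settings for weakened TLS verification.
// Parse .npmrc text (ini-style key=value; ';' and '#' start comments).
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    // Drop one pair of surrounding quotes, as in cafile="/path/to/CA.crt".
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, '$2');
    cfg[key] = value; // a later line overrides an earlier one
  }
  return cfg;
}

// Hypothetical helper: returns the findings plus the cafile in effect.
function auditNpmTls(npmrcText, env = {}) {
  const cfg = parseNpmrc(npmrcText);
  const findings = [];
  if (cfg['strict-ssl'] === 'false') {
    findings.push('strict-ssl=false: registry certificates are not verified');
  }
  if (/^http:\/\//i.test(cfg.registry || '')) {
    findings.push('registry uses plain HTTP: ' + cfg.registry);
  }
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0: Node skips certificate verification');
  }
  if ('cafile' in cfg && cfg.cafile === '') {
    findings.push('cafile is empty: no CA file is named');
  }
  return { findings, cafile: cfg.cafile || null, ok: findings.length === 0 };
}

// Constructed sample inputs (path and proxy address reuse the thread's placeholders).
const hardened = [
  '; proxy CA trusted explicitly, verification left on',
  'cafile=/path/to/CA.crt',
  'proxy=http://10.1.1.100:8080',
  'https-proxy=http://10.1.1.100:8080',
].join('\n');
const weakened = 'strict-ssl = false\nregistry=http://registry.npmjs.org/\ncafile = ""\n';

console.log(auditNpmTls(hardened));
console.log(auditNpmTls(weakened, { NODE_TLS_REJECT_UNAUTHORIZED: '0' }));
```

To audit a real setup, pass the contents of the user's .npmrc and `process.env` instead of the constructed samples.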

jg210 Aug 30, 2016

This makes some suggestions; only a few are specific to appium-selendroid-driver:

appium/appium-selendroid-driver#24 (comment)

sreejit167 Dec 1, 2016

It worked for me with JerinJ's comment. Thanks a million... 👍

npm-robot Jun 17, 2017

We're closing this support issue as it has gone three days without activity. The npm CLI team itself does not provide support via this issue tracker, but we are happy when users help each other here. In our experience once a support issue goes dormant it's unlikely to get further activity. If you're still having problems, you may be better served by joining package.community and asking your question there.

For more information about our new issue aging policies and why we've instituted them please see our blog post.
