[Fixed] NPM Error: SSL DECRYPTION FAILED OR BAD RECORD MAC

Introduction

When working remotely and using NPM to install packages, I occasionally come across connectivity issues. These issues can be of SSL errors.

Recently when I was creating new React app, I came across the error:

ERR_SSL_DECRYPTION_FAILED_OR_BAD_RECORD_MAC

This happened when I ran the command:

npx create-react-app first-app

A more verbose error log looks like the following:

npx create-react-app first-app

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template...

npm ERR! code ERR_SSL_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
npm ERR! 10104:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:c:\ws\deps\openssl\openssl\ssl\record\ssl3_record.c:677:
npm ERR!

npm ERR! A complete log of this run can be found in:

Similar issue on Windows Server 2016

If you are using Windows Server (specifically in my case, I was using 2016), a similar error might look something like this after you run a npm install

npm install
npm ERR! code ERR_SSL_WRONG_VERSION_NUMBER
npm ERR! 8160:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:c:\ws\deps\openssl\openssl\ssl\record\ssl3_record.c:308:
npm ERR!

What does ERR_SSL_DECRYPTION_FAILED_OR_BAD_RECORD_MAC mean?

So what does this error ERR_SSL_DECRYPTION_FAILED_OR_BAD_RECORD_MAC mean anyway?

If you haven’t dealt with NPM before, this doesn’t really mean much and doesn’t tell you anyway to fix it!

“ERR_SSL_DECRYPTION_FAILED_OR_BAD_RECORD_MAC” is an SSL-related error that indicates an issue with the decryption of data or a mismatch in the message authentication code (MAC) during an SSL/TLS handshake.

This error may occur when you are trying to use npm install to download packages.

Steps to fix this error

1. Check your network connection
2. Make sure that there are no antivirus or firewall blocking NPM
3. If you are behind a corporate proxy, make sure to check proxy settings
4. Use the strict-ssl=false flag
5. Remove cache, node_modules folder and package-lock.json and install again

1. Check your network connection

The first thing to test is to make sure that we have a stable connection.

There are two options we can go forward with. One is the Ping test - to test our connection stability, and the other is the internet speed test.

To do the Ping Test:

1. Open the command prompt (Windows) or terminal (macOS/Linux) and run the following command:

ping google.com -t

The -t flag is mainly for Windows and tells the command to run continuously until cancelled by the user (using Ctrl + C).

If you are on macOS and Linux, the ping command runs continuously by default, so you don’t need a -t flag. To stop the ping process on macOS and Linux, press CTRL + C.

If you have a stable internet connection, you will see a consistent reply from google and with no packet loss errors:

Pinging google.com [142.250.66.238] with 32 bytes of data:
Reply from 142.250.66.238: bytes=32 time=27ms TTL=117
Reply from 142.250.66.238: bytes=32 time=14ms TTL=117
Reply from 142.250.66.238: bytes=32 time=8ms TTL=117
Reply from 142.250.66.238: bytes=32 time=9ms TTL=117
Reply from 142.250.66.238: bytes=32 time=8ms TTL=117
Reply from 142.250.66.238: bytes=32 time=7ms TTL=117
Reply from 142.250.66.238: bytes=32 time=16ms TTL=117

The above results says displays a summary of the ping results, including the number of packets sent, received, lost, and the approximate round-trip times.

Now if you have a stable connection, the next thing to test is your internet speed:

Visit an online speed test website like speedtest.net, fast.com, or Google’s speed test. These services measure your download and upload speeds, as well as latency.

Run the test to see if the results are consistent with your internet plan - eg anything above 10 Megabits per second is good in my books.

Keep in mind that your connection can also depend on factors such as:

• Your Wifi signal strength,
• The number of people using the network - eg is someone downloading a large movie
• Your hardware such as your router, modem or network interface card (NIC)

2. Make sure that there are no antivirus or firewall blocking NPM

One reason why SSL cert errors like ERR_SSL_DECRYPTION_FAILED_OR_BAD_RECORD_MAC comes up is that the firewall is blocking your node install.

To solve this problem, we just need to add a enable firewall rule for NodeJS.

On Windows:

1. Search Windows Defender Firewall in the search bar.

2. Go to Allow an app or feature through Windows Defender Firewall.

3. Click on Change settings.

4. Now look for the Node.js runtime (.exe), it should look like something below:

5. Select/ check the Node application to allow it past the firewall. Choose between checking Public or Private (or both - depends on your network configuration).

6. Click OK and hopefully the problem should have been fixed!

Help: I can’t see Node.js!

If you don’t have Node.js JavaScript Runtime in the list, you can following the below steps:

1. Click on Allow another app button at the bottom of the popup window
2. Click on Browse
3. Find the location of your node.exe file. The default path: C:\Program Files\nodejs. If you have NVM installed, the path may be different. Click on Add after you found node.exe.
4. Then go through step 1 onwards.

3. If you are behind a corporate proxy, make sure to check proxy settings

After we have cleared the existing proxy settings, we first need to make sure that we set the registry:

npm config set registry https://registry.npmjs.org/

Now set the new proxy settings with the following commands. Replace the proxyname with your corporate proxy URL.

npm config set proxy http://username:password@proxyname:8080

npm config set https-proxy http://username:password@proxyname:8080

Keep in mind that when you are using username and password, they need to be encoded. For example, if your password is: Welcome@12# then it will be like Welcome%4012%23.

Additionally, with your username, you may need to also include the domain name + username aswell.

For example, lets say we work at a company with domain BIGCORP and your username is johnnyweekend with password Welcome@12#, then your NPM proxy config might look something like this:

npm config set proxy http://bigcorp\\jonnyweekend:Welcome%4012%23@bigcorpproxy:8080

Tip: Check your corporate proxy settings and make sure that they are not blocking NPM registry

Check with your corporate network team that the proxy is not blocking the following URL: https://registry.npmjs.org

4. Use the strict-ssl=false flag

If you are unable to obtain the registry’s SSL certificate or are still experiencing issues after adding it to your trusted list, you can temporarily disable strict SSL checking by running the following command:

npm config set strict-ssl false

Note that disabling strict SSL checking can leave your system vulnerable to man-in-the-middle attacks, so it should only be used as a temporary workaround. Once you have resolved the SSL certificate issue, be sure to re-enable strict SSL checking by running:

npm config set strict-ssl true

5. Remove cache, node_modules folder and package-lock.json and install again

Tip: Try clear NPM cache

We can try running npm cache clear --force to clear the NPM cache. If this does not work - proceed to step 2

2. We need to delete the /node_modules with the following command (you might need to use sudo before each command):

rm -rf node_modules

3. Delete package-lock.json file using the rm command:

rm -rf package-lock.json

4. Install the dependencies using the following command:

npm install

Summary

In this post, I went over the issue of ERR_SSL_DECRYPTION_FAILED_OR_BAD_RECORD_MAC. This error usually means that we are using NPM to download the packages from the repository (eg https://registry.npmjs.org) there was an error at SSL/TLS handshake.

Specifically, the decryption of the required package data or a mismatch in the message authentication code (MAC) was failing.

This issue can be narrowed down to a few possibilities. Firstly it could be that you are not on a stable and fast connection, you have antivirus or a firewall block the connections. The other reason could be that you are behind a corporate proxy and that is messing up the SSL certs that should of been exchanged.

To fix this issue, we can try to reinstall everything, clearing the cache, using the strict-ssl=false NPM flag and verifying that we have a stable/fast connection and checking that no software is blocking our NPM calls.