[Fixed] NPM err_tls_cert_altname_invalid
Steps to get rid of NPM err_tls_cert_altname_invalid errors
Apr 9, 2023 | Read time 8 minutes
Introduction
A common bane of working with front end or backend Node apps is some random SSL certificate issue that comes up.
Recently I got the following error: ERR_TLS_CERT_ALTNAME_INVALID
when trying to install an Angular app that I had recently cloned.
A more verbose error looks like the following:
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: api.mydomain.com. is not in the cert's altnames: mydomain.com, DNS:www.mydomain.com
    at Object.checkServerIdentity (tls.js:283:12)
    at TLSSocket.onConnectSecure (_tls_wrap.js:1331:27)
    at TLSSocket.emit (events.js:223:5)
    at TLSSocket._finishInit (_tls_wrap.js:794:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12) {
  reason: "Host: api.mydomain.com. is not in the cert's altnames: mydomain.com, DNS:www.mydomain.com"
I was scratching my head… why me??
From the looks of the error, it seems like the issue is due to something around SSL hostnames.
In our case (I have omitted the domains), our certificate only contains the hostnames:
- mydomain.com
- www.mydomain.com
However, since the client is trying to request api.mydomain.com, it comes up with ERR_TLS_CERT_ALTNAME_INVALID, since that hostname is not part of the altnames in the SSL cert.
What does err_tls_cert_altname_invalid mean?
When a client connects to your Node server app over SSL, the server presents it with a certificate.
The certificate has a “subject” and the subject has a “CN” (short for “common name”.)
The certificate may also have one or more “subjectAltNames”.
When node.js connects to a server, node.js fetches this certificate, and then verifies that the domain name it thinks it’s connecting to (e.g. api.domain.com) matches either the subject’s CN or one of the altnames.
Now when we get the error err_tls_cert_altname_invalid, this means that this validation has failed!
Steps to fix this error
- Check that the connection to https://registry.npmjs.org is secure
- Make sure that your system clock is in sync
- Use the strict-ssl=false flag
- Check your proxy settings
Tip: Could be a result of DNS misconfiguration
This issue has been seen in the past due to a DNS misconfiguration for https://npmjs.org
Refer here: https://status.npmjs.org/incidents/v22ffls5cd6h
1. Check that the connection to https://registry.npmjs.org is secure
The first thing we can try is to check if it's an SSL problem with the NPM servers and not our environment configuration.
If you navigate to https://registry.npmjs.org/http-server in a browser and it returns successfully this would mean the certificate being served is valid!
2. Make sure that your system clock is in sync
Sometimes when travelling across timezones if you do not have stable internet, you can end up having your system clock out of sync.
Now when a secure connection between the client and server is established, the SSL certificate timestamps are taken into consideration.
The validation will have two timestamps to check - the “Not Before” and “Not After” timestamps.
If somehow our system time is out of sync, it will fail these time checks and give us an SSL error.
Tip: Set Automatic Time Synchronization:
- If you are on Windows, we can do the following to make sure we have the right settings to sync the clock:
- Right-click on the time and date display in the bottom-right corner of your taskbar.
- Click “Adjust date/time” from the context menu. This will open the “Date & time” settings window.
- In the “Date & time” settings window, make sure the “Set time automatically” toggle is turned on. This will enable your system to synchronize with an internet time server automatically.
3. Use the strict-ssl=false flag
A common NPM flag that I use to get around SSL validation errors is strict-ssl=false.
This flag just tells NPM to disable strict SSL certificate validation when connecting with the registry.
So in the case of err_tls_cert_altname_invalid, where the error is with validation of the Subject Alternative Name (SAN) matching the requested hostname, the validation step will not happen.
Note: Be careful when using the strict-ssl=false flag. If you are certain you know what you are doing and/or are in a development environment, then use this flag. If we do not validate SSL certs then you are exposed to man-in-the-middle attacks.
Using the strict-ssl=false flag in NPM can be done in two ways:
As a command-line option:
npm install --strict-ssl=false
In the .npmrc configuration file:
If you do not want to specify this option every time you run NPM, you can add it to your .npmrc configuration file.
The .npmrc file can be found in your home directory or your project’s root directory. If the file doesn’t exist, you can create it. Add the following line to your .npmrc file:
strict-ssl=false
4. Check your proxy settings
Another reason why this is happening is that you are behind a corporate proxy and it's configured for “deep inspection”. What this means is that as NPM tries to connect to the package registry, the proxy will “swap” the SSL cert with its own to allow it to inspect your traffic.
After the previous steps were successful, run the following commands to clear your current proxy settings (they are not working anyway).
npm config rm proxy
npm config rm https-proxy
Set new proxy settings
After we have cleared the existing proxy settings, we first need to make sure that we set the registry:
npm config set registry https://registry.npmjs.org/
Now set the new proxy settings with the following commands. Replace proxyname with your corporate proxy URL.
npm config set proxy http://username:password@proxyname:8080
npm config set https-proxy http://username:password@proxyname:8080
Keep in mind that when you are using username and password, they need to be encoded. For example, if your password is: Welcome@12# then it will be like Welcome%4012%23.
Additionally, with your username, you may need to also include the domain name together with the username as well.
For example, let's say we work at a company with domain BIGCORP and your username is johnnyweekend with password Welcome@12#, then your NPM proxy config might look something like this:
npm config set proxy http://bigcorp\\johnnyweekend:Welcome%4012%23@bigcorpproxy:8080
Tip: Check your corporate proxy settings and make sure that they are not blocking NPM registry
Check with your corporate network team that the proxy is not blocking the following URL: https://registry.npmjs.org
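Steps 3 and 4 both end up in .npmrc, so it is worth being able to audit that file: flag strict-ssl=false (where the npm cafile setting, pointing at the proxy's CA bundle, keeps validation on) and catch proxy credentials that were pasted in unencoded. This is an added example, not code from the original post; the sample .npmrc is constructed, and proxyUrl() assumes, as the post's Welcome%4012%23 example implies, that the proxy client decodes percent-encoded credentials.

```javascript
// Added example (not from the original post): audits an .npmrc for the two
// settings discussed above and builds a correctly percent-encoded proxy URL.

// Constructed sample .npmrc with both problems present (password and the
// domain\user separator pasted in raw, validation switched off).
const SAMPLE_NPMRC = [
  'registry=https://registry.npmjs.org/',
  'strict-ssl=false',
  'proxy=http://bigcorp\\johnnyweekend:Welcome@12#@bigcorpproxy:8080',
  'https-proxy=http://bigcorp\\johnnyweekend:Welcome@12#@bigcorpproxy:8080',
].join('\n');

// Parse "key=value" lines; blank lines and ';' or '#' comments are skipped.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Report settings that weaken or break TLS to the registry.
function auditNpmrc(text) {
  const cfg = parseNpmrc(text);
  const findings = [];
  if (cfg['strict-ssl'] === 'false') {
    findings.push('strict-ssl=false disables certificate validation; prefer cafile=<proxy CA bundle>');
  }
  for (const key of ['proxy', 'https-proxy']) {
    const v = cfg[key];
    if (!v) continue;
    const at = v.lastIndexOf('@'); // userinfo ends at the LAST '@' in the URL
    if (at < 0) continue;
    const userinfo = v.slice(v.indexOf('//') + 2, at);
    if (/[@#\\]/.test(userinfo)) {
      findings.push(`${key}: credentials contain an unencoded '@', '#' or '\\'`);
    }
  }
  return findings;
}

// Build the proxy URL with the login (domain\user) and password each
// percent-encoded, so '@' -> %40, '#' -> %23 and '\' -> %5C.
function proxyUrl({ domain, user, password, host, port }) {
  const login = encodeURIComponent(domain ? `${domain}\\${user}` : user);
  return `http://${login}:${encodeURIComponent(password)}@${host}:${port}`;
}
```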
Summary
In this post, I went over the issue of getting err_tls_cert_altname_invalid when running NPM. Usually this is most likely on the NPM server side.
There are a few things we can check on our end: make sure that our system clock is in sync and can validate the certificate, check that we have the right proxy settings, and turn off SSL certificate validation with the strict-ssl=false NPM flag.
This flag will turn off certificate validation, but will put you at risk of man in the middle attacks!