How to fix - npm ERR! Error: SSL Error: CERT_UNTRUSTED
Guide to get rid of npm ERR! Error: SSL Error: CERT_UNTRUSTED
Mar 17, 2023 | Read time 9 minutes๐ Table of contents
Introduction
Recently when I was working on a new Express Node JS application, I encountered the error:
npm ERR! Error: SSL Error: CERT_UNTRUSTED
This happened after I did a install using the command: npm install -g express. The more detailed error log looks like the following:
npm install -g express
npm http GET https://registry.npmjs.org/express
npm ERR! Error: SSL Error: CERT_UNTRUSTED
npm ERR! at ClientRequest.<anonymous> (C:\Program Files\nodejs\node_modules\npm\node_modules\request\main.js:409:26)
npm ERR! at ClientRequest.g (events.js:185:14)
npm ERR! at ClientRequest.EventEmitter.emit (events.js:88:17)
npm ERR! at HTTPParser.parserOnIncomingClient [as onIncoming] (http.js:1445:7)
npm ERR! at HTTPParser.parserOnHeadersComplete [as onHeadersComplete] (http.js:111:23)
npm ERR! at CleartextStream.socketOnData [as ondata] (http.js:1356:20)
npm ERR! at CleartextStream.CryptoStream._push (tls.js:396:27)
npm ERR! at SecurePair.cycle (tls.js:751:20)
npm ERR! at EncryptedStream.CryptoStream.write (tls.js:131:13)
npm ERR! at Socket.ondata (stream.js:38:26)
npm ERR! [Error: SSL Error: CERT_UNTRUSTED]
npm ERR! You may report this log at:
npm ERR! <http://github.com/isaacs/npm/issues>
npm ERR! or email it to:
npm ERR! <npm-@googlegroups.com>
npm ERR! System Windows_NT 6.1.7601
npm ERR! command "C:\\Program Files\\nodejs\\\\node.exe" "C:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js" "install" "-g" "express"
npm ERR! cwd E:\myproject\nodejs_programs\node
npm ERR! node -v v0.8.0
npm ERR! npm -v 1.1.32
npm ERR! message SSL Error: CERT_UNTRUSTED
npm ERR!
npm ERR! Additional logging details can be found in:
npm ERR! E:\myproject\nodejs_programs\node\npm-debug.log
npm ERR! not ok code 0What does this error mean?
Whenever you are using NPM and you get the SSL Error: CERT_UNTRUSTED this just means that the client machine (your computer) does not trust the SSL certificate coming back from the server. In this case, the certificate would be coming from https://registry.npmjs.org.
There are a few ways we can fix this. This would include:
- Updating to the latest version of NPM
- Reset the NPM configuration for the certificate authority (CA)
- Set the strict-ssl flag to false
npm config set strict-ssl false - Check your system clock
- If you are behind a corporate proxy - update your proxy settings
1. Updating to the latest version of NPM
Firstly, check your NPM and node versions:
npm --version
node --versionIf we can see that the NPM and Node versions are out of date, we can proceed to the following steps:
- Uninstall
nvmand reinstall. You can also use chocolatey to do the install instead of relying on the .exe!
For windows, we can go to the binary and install NVM located here:
https://github.com/coreybutler/nvm-windows/tags
For linux distros we can do the following:
sudo apt install curl
curl https://raw.githubusercontent.com/creationix/nvm/master/install.sh | bash
source ~/.profile
nvm install node - Uninstall all versions of node with the following command:
nvm uninstall <node version>
- Reinstall needed node version:
nvm install <node version>
- Use node version just installed:
nvm use <node version>
2. Reset the NPM configuration for the certificate authority (CA)
One of the reason for this to occur is that with old versions of Node and NPM, they used a self signed certificate!
In this case, the certificates that have been installed have expired or been replaced.
The npm client used a certificate authority (CA) file that was bundled into the client itself. This was previously necessary because the client used a self-signed SSL certificate.
However, NPM clients after Feb 2014 should not use self-signed SSL certificates anymore, so should not have this problem (https://blog.npmjs.org/post/78085451721/npms-self-signed-certificate-is-no-more).
If you are indeed using a old version of node/NPM then to fix this issue, we need to update our NPM client.
Run the following to update your NPM client and set the CA to null:
npm install npm -g --ca=null
Make sure the CA is empty by using the following:
npm config set ca=""
When we set the ca="" this just means to let NPM not use the bundled SSL that was not working and take the cert from https://registry.npmjs.org
3. Set the strict-ssl flag to false npm config set strict-ssl false
Note: This option is not recommended - it is sort of a last ditch effort to get your code running and you know that you will not face man-in-the middle attacks.
So to tell NPM that we do not want to verify SSL certs, We can use the strict-ssl and set it to false to tell NPM to not validate certificates.
Open up the terminal and enter in the following command:
npm config set strict-ssl false
This would mean that your TLS or HTTPS connections are not secure over NPM and risk of getting man in the middle attacks.
4. Check your system clock
When we get a SSL certificate from the server (https://registry.npmjs.org) it has a start and end date.
Now if your machine does not set the time correctly, it can cause problems with SSL verification.
This is because the time would be out of whack and it may think that the SSL certificate was expired or not valid even though it should be!
I noticed this happening to me a few times when I have my laptop turned on for a long time or I have been traveling across timezones and the system clock have not adjusted!
A quick reboot of the laptop would sync the times and fix this issue!
5. If you are behind a corporate proxy - update your proxy settings
When you are working in a corporate environment, it is most likely that you are developing behind a corporate proxy.
Some proxy settings can not work well with NPM since they usually want to strip HTTPS and inject their own dummy certificate.
The reasoning for this is to inspect the data - checking that you are not going to dodgy sites and โcheck for virusesโ or whatever random reason :)
Now if the above steps did not fix your problem and you are pretty confident that the error lies in the proxy, then check the following steps.
Clear current proxy settings
Firstly we need to run the following commands to clear your current proxy settings:
npm config rm proxy
npm config rm https-proxy
Set new proxy settings
After we have cleared the existing proxy settings, we will then need to make sure that we set the registry:
npm config set registry https://registry.npmjs.org/
Now set the new proxy settings with the following commands. Replace the proxyname with your corporate proxy URL.
npm config set proxy http://proxyname:8080
npm config set https-proxy http://proxyname:8080
If your proxy requires credentials then you can replace the above commands with the username/password parts:
npm config set proxy http://username:password@proxyname:8080
npm config set https-proxy http://username:password@proxyname:8080
Keep in mind that when you are using username and password, they need to be encoded - just like when you are encoding urls.
For example, if your password is: Welcome@12# then it will be like Welcome%4012%23.
Additionally, with your username, you may need to also include the domain name + username aswell.
For example, lets say we work at a company with domain BIGCORP and your username is johnnyweekend with password Welcome@12#, then your NPM proxy config might look something like this:
npm config set proxy http://bigcorp\\jonnyweekend:Welcome%4012%23@bigcorpproxy:8080
Tip: Check your corporate proxy settings and make sure that they are not blocking NPM registry
Check with your corporate network team that the proxy is not blocking the following URL: https://registry.npmjs.org
Summary
In this post, we went over the error of SSL Error: CERT_UNTRUSTED. This error just means that the certificate that was sent from the server is not trusted by your machine.
To fix this we can upgrade our NPM version, make sure to reset the CA config for NPM, use strict-ssl NPM flag to set to false and check our system clock to see if it is in sync. This can happen when you leave your machine on for too long or have been traveling and the system clock have not have enough time to sync the clock.
If you find yourself behind a corporate proxy, then make sure to set the proxy settings correctly!
