Can't seem to use with ssl: UNABLE_TO_VERIFY_LEAF_SIGNATURE


Barry Kaplan

Oct 27, 2015, 7:28:07 AM
to Nexus Users
I have nexus installed behind nginx with ssl configured with a signed cert. But when I try to publish with npm I get

  npm info retry will retry, error on last attempt: Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE

Only by adding to .npmrc

  strict-ssl=false

can I then publish. 

I don't see anything in the book related to this. Is there some configuration I may be missing?

Peter Lynch

Oct 27, 2015, 8:29:05 AM
to Barry Kaplan, Nexus Users
Without seeing the entire npm-debug.log I can't really say accurately what is happening other than this sounds more like a certificate problem than anything to do with Nexus.

First I would make sure you are using the latest node and npm versions.

If that doesn't help, npm has two options to specify the remote signing authority certificate so that strict-ssl=false is not necessary.



Perhaps you can try those options?

We have generic commands documented which can help you extract the CA certificate in PEM format.


-Peter


David Grierson

Oct 27, 2015, 12:25:30 PM
to Nexus Users, mem...@gmail.com

+1 to the sounds of a certificate problem – how was the certificate generated? Who was the signing authority?

 

Are you sure that you've got a full certificate chain which is trusted by your NPM client?

 

You might want to try connecting to your Nexus service using openssl s_client and check for any errors.

Barry Kaplan

Oct 29, 2015, 12:57:26 AM
to David Grierson, Nexus Users
The certificate is generated by GoDaddy. It's used for other websites on the same domain as well as AWS ELBs. Browsers show the padlock and proper authority creds, even when accessing the nexus UI via the nginx. It's just npm that is not happy.

Rich Seddon

Oct 29, 2015, 9:12:43 AM
to Barry Kaplan, David Grierson, Nexus Users
Sounds like npm may not have the GoDaddy root certificate installed. It seems that npm hard codes a set of root certificates:


If this is the file that is being used by current npm then it seems like this hasn't been updated for a while now, the last update was nearly two years ago.  But I'm not an npm developer, so I could definitely be wrong here.

Anyhow, you can override the root certificates in npm using a command like this:

npm config set cafile /path/to/cert.pem

Just be aware that when you do that it replaces the default root certificates, so you may have trouble getting npm to connect to other sites.

Rich
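
The chain check David suggests and the `cafile` override Rich describes, as an added example that is not part of the thread: it builds a constructed root, intermediate and leaf with throwaway keys and shows that a leaf verifies against a root-only trust store only when the intermediate is also supplied, either by the server or in the client's CA bundle. All certificate and file names are constructed placeholders, and it assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (root -> intermediate -> leaf) with throwaway keys.
# All names (Demo Root CA, nexus.example.test, file names) are placeholders.

build_chain() {                      # $1 = empty work directory
  local d="$1"
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/pki.cnf"
  # Self-signed root: the only certificate the client trusts.
  openssl req -x509 -config "$d/pki.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA, signed by the root.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/pki.cnf" -extensions v3_ca -days 2 -out "$d/int.pem" 2>/dev/null || return 1
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=nexus.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# Server sends the leaf alone; client trusts only the root. Expected to fail.
verify_leaf_only() { openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1; }

# Server also sends the intermediate (a full chain). Expected to pass.
verify_full_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Client-side alternative: a cafile-style bundle holding root and intermediate.
verify_with_bundle() {
  cat "$1/root.pem" "$1/int.pem" > "$1/bundle.pem"
  openssl verify -CAfile "$1/bundle.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
  local d; d="$(mktemp -d)" || return 1
  build_chain "$d" || { rm -rf "$d"; return 1; }
  verify_leaf_only   "$d" && echo "leaf only, root trusted:    OK" || echo "leaf only, root trusted:    FAIL"
  verify_full_chain  "$d" && echo "leaf + intermediate sent:   OK" || echo "leaf + intermediate sent:   FAIL"
  verify_with_bundle "$d" && echo "root+intermediate bundle:   OK" || echo "root+intermediate bundle:   FAIL"
  rm -rf "$d"
}
demo
```

A browser can succeed in the leaf-only case when it already holds the intermediate, so a padlock in the browser does not show that the server is sending its full chain.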
