Re: [nodejs] CERT_UNTRUSTED Error

[Ben Noordhuis]

On Tue, Apr 16, 2013 at 6:49 PM, Robert Eberhart
<robert....@gmail.com> wrote:
> Hello,
>
> This actually isn't a problem with NodeJS per se. The problem actually
> lies with my company, but I'm hoping that someone might have a way around
> it. The problem is that trying to install a module with npm fails with a
> CERT_UNTRUSTED error. I believe that the problem is that my company is
> essentially performing a Man-In-The-Middle attack on all SSL communication.
> My guess is that by doing this they can block/capture communications
> occurring through SSL. This makes sense in a Big Brothery kind of way. As
> a result of this manipulation of the certificate path, NodeJS pitches a fit
> and throws the error. My question is whether I can get NodeJS to trust the
> certificates that my company has inserted in the certificate path so that I
> can install the module as per usual. If not, can someone please detail or
> point me in the direction of instructions to manually install a module. I'm
> trying to install uglify. Included below, please find the error that I am
> receiving.
>
> Sincerely,
> Robert Eberhart
>
> C:\>npm install uglify
> npm http GET https://registry.npmjs.org/uglify
> npm http GET https://registry.npmjs.org/uglify
> npm http GET https://registry.npmjs.org/uglify
> npm ERR! Error: CERT_UNTRUSTED
> npm ERR! at SecurePair.<anonymous> (tls.js:1283:32)
> npm ERR! at SecurePair.EventEmitter.emit (events.js:92:17)
> npm ERR! at SecurePair.maybeInitFinished (tls.js:896:10)
> npm ERR! at CleartextStream.read [as _read] (tls.js:430:15)
> npm ERR! at CleartextStream.Readable.read (_stream_readable.js:294:10)
> npm ERR! at EncryptedStream.write [as _write] (tls.js:344:25)
> npm ERR! at doWrite (_stream_writable.js:211:10)
> npm ERR! at writeOrBuffer (_stream_writable.js:201:5)
> npm ERR! at EncryptedStream.Writable.write (_stream_writable.js:172:11)
> npm ERR! at write (_stream_readable.js:547:24)
> npm ERR! If you need help, you may report this log at:
> npm ERR! <http://github.com/isaacs/npm/issues>
> npm ERR! or email it to:
> npm ERR! <np...@googlegroups.com>
>
> npm ERR! System Windows_NT 6.1.7601
> npm ERR! command "C:\\Program Files\\nodejs\\\\node.exe" "C:\\Program
> Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js" "install" "uglify"
> npm ERR! cwd C:\Windows\system32
> npm ERR! node -v v0.10.3
> npm ERR! npm -v 1.2.17
> npm ERR!
> npm ERR! Additional logging details can be found in:
> npm ERR! C:\Windows\system32\npm-debug.log
> npm ERR! not ok code 0

I don't think npm lets you specify a custom CA chain from the command
line. You'll either have to hack npm or download the tarballs
manually and have npm install those.

[Trygve Lie]

Hi

This sounds very similar to some problems we had. We have an internal
copy of npm we run against and after switching from 0.8.x to 0.10.x in
development more or less all installs failed with CERT_UNTRUSTED errors.
It was actually failing a bit random.

But, resetting the ca config by setting it to null solved our problems.

Try to run:
~/npm config set ca ""

That worked for us.

Trygve

> --
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to nod...@googlegroups.com
> To unsubscribe from this group, send email to
> nodejs+un...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
>
> ---
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to nodejs+un...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

[Woon Cherk Lam]

Thanks for the trick! It worked! :D

[Isaac Schlueter]

Wow, this thread is old.  Anyway, to correct the earlier message for posterity, yes, npm does let you set the certificate authority via configs.  It's the `ca` config.

The new registry works out of the box with no ca config, or with the default npm that ships with recent builds of Node v0.10 and v0.8.  Please upgrade if you are using an earlier version.

[Todd Morrison]

Correct answer:

 

Try to run: 

~/npm config set ca "" 

[Alex Kocharin]

 

"npm config ..." sets npm settings, but you're using node.js. Those are two entirely different applications.

 

In this case you can do:

$ node -e "require('https').request({host: 'solarems.net',rejectUnauthorized: false}, function(res){console.log(res.statusCode)}).end()"

But please be careful where you're using that option. If you connect to this host often, it's better to hardcode it's certificate into your source, this way you will be immune to MitM attacks.

 

/me eagerly waits for DANE, 'cause current SSL certificates suck...

 

 

06.02.2014, 11:15, "Pratik Sathaye" <pratik.s...@gmail.com>:

I tried 

 

   npm config set ca ""

   npm config set strict-ssl false

 

and both not worked for me..

 

I am trying to execute below command on my terminal

 

echo "require('https').request({host: 'solarems.net'}, function(res){console.log(res.statusCode)}).end()" | NPM_DEBUG=https node

And I am getting

events.js:72
        throw er; // Unhandled 'error' event
              ^
Error: CERT_UNTRUSTED
    at SecurePair.<anonymous> (tls.js:1362:32)
    at SecurePair.EventEmitter.emit (events.js:92:17)
    at SecurePair.maybeInitFinished (tls.js:974:10)
    at CleartextStream.read [as _read] (tls.js:462:15)
    at CleartextStream.Readable.read (_stream_readable.js:320:10)
    at EncryptedStream.write [as _write] (tls.js:366:25)
    at doWrite (_stream_writable.js:221:10)
    at writeOrBuffer (_stream_writable.js:211:5)
    at EncryptedStream.Writable.write (_stream_writable.js:180:11)
    at write (_stream_readable.js:583:24)

 

 

The above command works with node (v0.6.12).

 

I have node (v0.10.22) and npm (1.3.14) installed on my system

 

How can I resolve this ?

Thanks

[Pratik Sathaye]

Can you please change the host name here or delete the post for security issues.

Thanks

On Friday, February 7, 2014 1:37:55 AM UTC+5:30, Alex Kocharin wrote:

 

"npm config ..." sets npm settings, but you're using node.js. Those are two entirely different applications.

 

In this case you can do:

$ node -e "require('https').request({host: 'host.net',rejectUnauthorized: false}, function(res){console.log(res.statusCode)}).end()"

But please be careful where you're using that option. If you connect to this host often, it's better to hardcode it's certificate into your source, this way you will be immune to MitM attacks.

 

/me eagerly waits for DANE, 'cause current SSL certificates suck...

 

 

06.02.2014, 11:15, "Pratik Sathaye" <pratik.s...@gmail.com>:

I tried 

 

   npm config set ca ""

   npm config set strict-ssl false

 

and both not worked for me..

 

I am trying to execute below command on my terminal

 

echo "require('https').request({host: 'host.net'}, function(res){console.log(res.statusCode)}).end()" | NPM_DEBUG=https node

[Alex Kocharin]

 

I have no way to do either, it's a mailing list.

 

If you want it to be removed from google groups, you can ask moderators, I won't have any objections about removing/changing those.

 

However, this post (as well as your initial post) stays in the archives forever (https://google.com/search?q=inurl%3Amail-archive+CERT_UNTRUSTED, and dozen of other places), and there is nothing that can be done about it.

 

 

07.02.2014, 09:38, "Pratik Sathaye" <pratik.s...@gmail.com>:

[Maz]

Hi guys,

same issue here. Latest version I can run on ARM (raspberry pi) is Node 0.11.7 on npm 1.3.8
set ca "" or strict ssl false has no effect

ideas? please :/

[Maz]

Thank you mate, rejectUnauthorized: false did the trick. !