SELF_SIGNED_CERT_IN_CHAIN (Corporate Overlords SSL-intercepting proxy) #9282
Description
After reading all the related issues I could, e.g. #7439 (comment), #9195, #8125, #7547, #7519, I thought I'd answer about what if you are on a corporate network that interjects a self-signed SSL certificate (such as http://packetpushers.net/using-ssl-intercept-with-adcs-firewalls-to-inspect-clean-encrypted-traffic/ ) but doesn't give you a proxy to work around it.
So, I was going to write this into https://github.com/npm/npm/wiki/Troubleshooting#ssl-intercepting-proxy
but then (frustratingly) I couldn't quite get the last bit to work. I'm putting it here in the hope someone knows how to complete it.
Corporate Overlord SSL-intercepting proxy
To cut a long story short, the self-signed certificate needs to be installed into npm to avoid SELF_SIGNED_CERT_IN_CHAIN:
INSTALL openssl
PS c:\> choco install openssl.light
PS c:\> openssl.exe s_client -connect registry.npmjs.org:443
GET CERTIFICATE
PS C:\> Write-Output "\n" | openssl.exe s_client -showcerts -connect registry.npmjs.org:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.crt
(hit ctrl-z)
The following text courtesy of Alex Taylor on http://stackoverflow.com/posts/30341389/revisions
npm config set cafile = ""
I think that's everything I know about getting npm to work behind a proxy/firewall. May someone find it useful.

Edit: It's a really common suggestion to turn off HTTPS for this problem either by using an HTTP registry or setting NODE_TLS_REJECT_UNAUTHORIZED. These are not good ideas because you're opening yourself up to further man-in-the-middle or redirection attacks. A quick spoof of your DNS records on the machine doing the package installation and you'll find yourself trusting packages from anywhere. It may seem like a lot of work to make HTTPS work, but it is highly recommended. When you're the one responsible for allowing untrusted code into the company, you'll understand why.
Here's the error:
PS C:\Users\martin\ssl> openssl.exe s_client -connect registry.npmjs.org:443 -cert .\cert.crt
unable to load client certificate private key file
4336:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:648:Expecting: ANY PRIVATE KEY
PS C:\Users\martin > npm install -g yo hubot-hipchat --ca=null --verbose
npm info it worked if it ends with ok
npm verb cli [ 'C:\\Program Files\\nodejs\\\\node.exe',
npm verb cli 'C:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js',
npm verb cli 'install',
npm verb cli '-g',
npm verb cli 'yo',
npm verb cli 'hubot-hipchat',
npm verb cli '--ca=null',
npm verb cli '--verbose' ]
npm info using npm@2.11.3
npm info using node@v0.12.7
npm verb install initial load of C:\Users\cleavm2\AppData\Roaming\npm\package.json
npm verb readDependencies loading dependencies from C:\Users\martin\AppData\Roaming\npm\package.json
npm verb cache add spec yo
npm verb cache add spec hubot-hipchat
npm verb addNamed "*" is a valid semver range for yo
npm verb addNameRange registry:https://registry.npmjs.org/yo not in flight; fetching
npm verb addNamed "*" is a valid semver range for hubot-hipchat
npm verb addNameRange registry:https://registry.npmjs.org/hubot-hipchat not in flight; fetching
npm verb request uri https://registry.npmjs.org/hubot-hipchat
npm verb request no auth needed
npm info attempt registry request try #1 at 4:40:54 PM
npm verb request id 24ba5040d018d817
npm verb etag "ELBJWHL7H17UUZV869V5DKAT6"
npm http request GET https://registry.npmjs.org/hubot-hipchat
npm verb request uri https://registry.npmjs.org/yo
npm verb request no auth needed
npm info attempt registry request try #1 at 4:40:54 PM
npm verb etag "EZZBRRMEY8EPDCRVYEESNK1Y5"
npm http request GET https://registry.npmjs.org/yo
npm info retry will retry, error on last attempt: Error: certificate not trusted
npm info retry will retry, error on last attempt: Error: certificate not trusted
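An added example, not part of the original post or of npm: the "GET CERTIFICATE" step above saves every PEM block that `openssl s_client -showcerts` prints, so this sketch parses that output and picks out only the self-signed certificate that SELF_SIGNED_CERT_IN_CHAIN refers to. The sample output, the certificate names and the function names `parseChain` and `selectTrustAnchor` are constructed for illustration.

```javascript
// Constructed sample of `openssl s_client -showcerts` output. The names and
// base64 bodies are placeholders, not real certificates.
const pem = (body) =>
  `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----`;
const SAMPLE = [
  'CONNECTED(00000003)', '---', 'Certificate chain',
  ' 0 s:/CN=registry.npmjs.org', '   i:/CN=Example Corp Issuing CA', pem('TEVBRg=='),
  ' 1 s:/CN=Example Corp Issuing CA', '   i:/CN=Example Corp Root CA', pem('SVNTVUVS'),
  ' 2 s:/CN=Example Corp Root CA', '   i:/CN=Example Corp Root CA', pem('Uk9PVA=='),
  '---', 'Server certificate', pem('TEVBRg=='), 'subject=/CN=registry.npmjs.org',
].join('\n');

// Parse only the "Certificate chain" section: the leaf is printed a second
// time under "Server certificate", so a plain BEGIN/END filter duplicates it.
function parseChain(text) {
  const certs = [];
  let inChain = false, cur = null, body = null;
  for (const line of text.split(/\r?\n/)) {
    let m;
    if (!inChain) { inChain = line.startsWith('Certificate chain'); continue; }
    if (body) {
      body.push(line);
      if (line.startsWith('-----END CERTIFICATE-----')) {
        certs.push({ ...cur, pem: body.join('\n') + '\n' });
        cur = body = null;
      }
    } else if (line === '---') {
      break; // end of the chain section
    } else if ((m = /^\s*(\d+)\s+s:\s*(.*)$/.exec(line))) {
      cur = { depth: Number(m[1]), subject: m[2].trim(), issuer: null };
    } else if (cur && (m = /^\s+i:\s*(.*)$/.exec(line))) {
      cur.issuer = m[1].trim();
    } else if (cur && line.startsWith('-----BEGIN CERTIFICATE-----')) {
      body = [line];
    }
  }
  return certs;
}

// Pick the self-signed certificate above the leaf (subject equals issuer).
// This is a name comparison only, not a signature check.
function selectTrustAnchor(text) {
  const anchors = parseChain(text).filter((c) => c.depth > 0 && c.subject === c.issuer);
  return anchors.length ? anchors[anchors.length - 1] : null;
}
```

Saving the returned `pem` string to a file gives a single-certificate file for npm's `cafile` setting. Because the certificate is taken from the intercepted connection itself, compare its fingerprint with the one your IT department publishes before trusting it.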