Error: unable to verify the first certificate in nodejs

I’m trying to download a file from jira server using an URL but I’m getting an error. how to include certificate in the code to verify?

Error:

My Nodejs code:

14 Answers 14

Try adding the appropriate root certificate

This is always going to be a much safer option than just blindly accepting unauthorised end points, which should in turn only be used as a last resort.

This can be as simple as adding

to your application.

The SSL Root CAs npm package (as used here) is a very useful package regarding this problem.

Another dirty hack, which will make all your requests insecure:

unable to verify the first certificate

The certificate chain is incomplete.

It means that the webserver you are connecting to is misconfigured and did not include the intermediate certificate in the certificate chain it sent to you.

Certificate chain

It most likely looks as follows:

1. Server certificate — stores a certificate signed by intermediate.
2. Intermediate certificate — stores a certificate signed by root.
3. Root certificate — stores a self-signed certificate.

Intermediate certificate should be installed on the server, along with the server certificate.
Root certificates are embedded into the software applications, browsers and operating systems.

The application serving the certificate has to send the complete chain, this means the server certificate itself and all the intermediates. The root certificate is supposed to be known by the client.

Recreate the problem

It doesn’t show any error (padlock in the address bar is green).
It’s because browsers tend to complete the chain if it’s not sent from the server.

Logs: «Error: unable to verify the first certificate«.

Solution

You need to complete the certificate chain yourself.

1: You need to get the missing intermediate certificate in .pem format, then

2a: extend Node’s built-in certificate store using NODE_EXTRA_CA_CERTS ,

2b: or pass your own certificate bundle (intermediates and root) using ca option.

1. How do I get intermediate certificate?

Using openssl (comes with Git for Windows).

Save the remote server’s certificate details:

We’re looking for the issuer (the intermediate certificate is the issuer / signer of the server certificate):

It should give you URI of the signing certificate. Download it:

Finally, convert it to .pem :

2a. NODE_EXTRA_CERTS

I’m using cross-env to set environment variables in package.json file:

2b. ca option

This option is going to overwrite the Node’s built-in root CAs.

That’s why we need to create our own root CA. Use ssl-root-cas.

Then, create a custom https agent configured with our certificate bundle (root and intermediate). Pass this agent to axios when making request.

Instead of creating a custom https agent and passing it to axios , you can place the certifcates on the https global agent:

Resources:

for unable to verify the first certificate in nodejs reject unauthorized is needed

The server you’re trying to download from may be badly configured. Even if it works in your browser, it may not be including all the public certificates in the chain needed for a cache-empty client to verify.

I recommend checking the site in SSLlabs tool: https://www.ssllabs.com/ssltest/

Look for this error:

This server’s certificate chain is incomplete.

You may be able to do this by modifying the request options as below. If you are using a self-signed certificate or a missing intermediary, setting strictSSL to false will not force request package to validate the certificate.

This Worked For me => adding agent and ‘rejectUnauthorized’ set to false

Another approach to solve this is to use the following module.

This module can work without any code modification by generating a PEM file that includes all root and intermediate certificates trusted by Mozilla. You can use the following environment variable (Works with Nodejs v7.3+),

To generate the PEM file to use with the above environment variable. You can install the module using:

and then launch your node script with an environment variable.

Other ways to use the generated PEM file are available at:

NOTE: I am the author of the above module.

GoDaddy SSL CCertificate

I’ve experienced this while trying to connect to our backend API server with GoDaddy certificate and here is the code that I used to solve the problem.

PS:

Use the bundled certificate and don’t forget to install the library npm install ssl-root-cas

You can disable certificate checking globally — no matter which package you are using for making requests — like this:

Of course you shouldn’t do this — but it’s certainly handy for debugging and/or very basic scripting where you absolutely don’t care about certificates being validated correctly.

I faced this issue few days back and this is the approach I followed and it works for me.

For me this was happening when i was trying to fetch data using axios or fetch libraries as i am under a corporate firewall, so we had certain particular certificates which node js certificate store was not able to point to.

So for my loclahost i followed this approach. I created a folder in my project and kept the entire chain of certificates in the folder and in my scripts for dev-server(package.json) i added this alongwith server script so that node js can reference the path.

For my servers(different environments),I created a new environment variable as below and added it.I was using Openshift,but i suppose the concept will be same for others as well.

I didn’t generate any certificate in my case as the entire chain of certificates was already available for me.

Yarn: unable to verify the first certificate

I’m trying to migrate from npm to Yarn. When I tried to install dependencies through yarn, I’m getting this error.

Same works fine with npm. Tried setting proxy, didn’t help.Is there any configuration I need to change?

3 Answers 3

If the certificate is unable to be verfied, you can open set strict-ssl to false. You should be able to configure this by runnning

yarn config set «strict-ssl» false -g

But the command is currently not working, see issue 980.

As an alternative you can navigate to C:\Users\\ and open .yarnrc and manually update it as follows:

This means that more than likely you’re behind a corporate proxy that uses a self signed certificate. I’m using version v0.16.1 , and you can fix this by providing the public certificate to the yarn configuration like so:

I had this error when trying to install the React Devtools Extensions behind a corporate proxy with correct certificates setup locally. The yarn.lock file contains many references to https://registry.yarnkpg.com which was bypassing our corporate Nexus.

I was able to install by running:

Not the answer you’re looking for? Browse other questions tagged yarnpkg or ask your own question.

Linked

Related

Subscribe to RSS

To subscribe to this RSS feed, copy and paste this URL into your RSS reader.

site design / logo © 2021 Stack Exchange Inc; user contributions licensed under cc by-sa. rev 2021.4.16.39093

By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.

Can’t upgrade to v3.0.2: «Error: unable to verify the first certificate» #2097

Comments

4z5lz commented Jul 4, 2018 •

Current behavior:

Can’t upgrade to v3.0.2

Desired behavior:

Want to upgrade to v3.0.2 🙂

Steps to reproduce:

npm install —save-dev cypress@3.0.2

Versions

Windows 7 64b
node: v6.9.0
npm: v3.10.8
current Cypress: v3.0.1

The text was updated successfully, but these errors were encountered:

brian-mann commented Jul 4, 2018

Are you behind any kind of proxy or firewall?

This is an SSL Cert error from node, but our certs are just fine and we’ve had a great many downloads today already 😉

Maybe just try again? Or change your node version perhaps? Do you know of any kind of system settings that may muck with your network configuration? Have you had any issues downloading Cypress before?

4z5lz commented Jul 5, 2018

Yes, I’m behind the corporate firewall, but I not had any issue with installation of Cypress 3.0.1 before.

cLupus commented Jul 6, 2018 •

I have the same error.
While I’ve tried setting NODE_EXTRA_CA_CERTS to the bundled corporate certificate bundle (which includes Mozilla’s), setting an alias for node to node —use-openssl-ca , and setting npm config set cafile $PATH_TO_CORPERATE_CA_BUNDLE
Neither of which worked out.

brian-mann commented Jul 6, 2018

You likely just need to set HTTP_PROXY=whatever npm install or set it up in your .npmrc file.

Read this comment here for workarounds when installing Cypress: #1469

I looked at our documentation and expected this to be there but was surprised not to find it. You likely just need to set HTTP_PROXY or HTTPS_PROXY environment variables when doing the npm install .

cLupus commented Jul 16, 2018 •

PS: For my part, HTTP(S)?_PROXY is set (exported).
I’ve managed to work around the issue on my work computer, however, such a workaround is not really an option in our CI/CD pipeline.
The said environment variable have also been set (globally) in our CI/CD pipeline, but we still get the certificate error.

edit: I’ve also tried with HTTP_PROXY=

nam install , but that didn’t work either.

jennifer-shehane commented Jun 3, 2019

We made a lot of improvements to proxy support recently. Can you try updating to 3.3.1 and update this issue if it is fixed/not fixed please? Thanks.

mafalarz commented Jun 11, 2019

Unfortunately still not working.

mafalarz commented Jun 11, 2019 •

I was able to resolve the situation by following the instructions on Proxy Configuration

Specifically I had to: set HTTP_PROXY=http://my-company-proxy.com in my Windows Command Prompt before I did my npm install

jennifer-shehane commented Jul 11, 2019

Closing as resolved. Please comment if you are still having this issue and we will consider reopening.

visjag commented Jan 30, 2020

Hi,
I am getting following issue, while installing cypress 3.8.3

cypress@3.8.3 postinstall C:\dev\cy_npm\node_modules\cypress
node index.js —exec install

Installing Cypress (version: 3.8.3)

× Downloading Cypress
→ Cypress Version: 3.8.3
Unzipping Cypress
Finishing Installation
The Cypress App could not be downloaded.

Does your workplace require a proxy to be used to access the Internet? If so, you must configure the HTTP_PROXY environment variable before downloading Cypress. Read more: https://on.cypress.io/proxy-configuration

Otherwise, please check network connectivity and try again:

Platform: win32 (10.0.17763)
Cypress Version: 3.8.3
npm WARN rollback Rolling back chalk@1.1.3 failed (this is probably harmless): EPERM: operation not permitted, lstat ‘C:\dev\cy_npm\node_modules\listr-verbose-renderer\node_modules’
npm WARN enoent ENOENT: no such file or directory, open ‘C:\dev\cy_npm\package.json’
npm WARN cy_npm No description
npm WARN cy_npm No repository field.
npm WARN cy_npm No README data
npm WARN cy_npm No license field.

npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! cypress@3.8.3 postinstall: node index.js —exec install
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the cypress@3.8.3 postinstall script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR! 2020-01-30T15_49_54_548Z-debug.log

I have already set my environment variale
ie HTTP_PROXY, HTTPS_PROXY and NO_PROXY

As well as I tried with http= run cypress. but it didn’t work

Error: unable to verify the first certificate in nodejs

I’m trying to download a file from jira server using an URL but I’m getting an error. how to include certificate in the code to verify?

Error:

My Nodejs code:

14 Answers 14

Try adding the appropriate root certificate

This is always going to be a much safer option than just blindly accepting unauthorised end points, which should in turn only be used as a last resort.

This can be as simple as adding

to your application.

The SSL Root CAs npm package (as used here) is a very useful package regarding this problem.

Another dirty hack, which will make all your requests insecure:

unable to verify the first certificate

The certificate chain is incomplete.

It means that the webserver you are connecting to is misconfigured and did not include the intermediate certificate in the certificate chain it sent to you.

Certificate chain

It most likely looks as follows:

1. Server certificate — stores a certificate signed by intermediate.
2. Intermediate certificate — stores a certificate signed by root.
3. Root certificate — stores a self-signed certificate.

Intermediate certificate should be installed on the server, along with the server certificate.
Root certificates are embedded into the software applications, browsers and operating systems.

The application serving the certificate has to send the complete chain, this means the server certificate itself and all the intermediates. The root certificate is supposed to be known by the client.

Recreate the problem

It doesn’t show any error (padlock in the address bar is green).
It’s because browsers tend to complete the chain if it’s not sent from the server.

Logs: «Error: unable to verify the first certificate«.

Solution

You need to complete the certificate chain yourself.

1: You need to get the missing intermediate certificate in .pem format, then

2a: extend Node’s built-in certificate store using NODE_EXTRA_CA_CERTS ,

2b: or pass your own certificate bundle (intermediates and root) using ca option.

1. How do I get intermediate certificate?

Using openssl (comes with Git for Windows).

Save the remote server’s certificate details:

We’re looking for the issuer (the intermediate certificate is the issuer / signer of the server certificate):

It should give you URI of the signing certificate. Download it:

Finally, convert it to .pem :

2a. NODE_EXTRA_CERTS

I’m using cross-env to set environment variables in package.json file:

2b. ca option

This option is going to overwrite the Node’s built-in root CAs.

That’s why we need to create our own root CA. Use ssl-root-cas.

Then, create a custom https agent configured with our certificate bundle (root and intermediate). Pass this agent to axios when making request.

Instead of creating a custom https agent and passing it to axios , you can place the certifcates on the https global agent:

Resources:

for unable to verify the first certificate in nodejs reject unauthorized is needed

The server you’re trying to download from may be badly configured. Even if it works in your browser, it may not be including all the public certificates in the chain needed for a cache-empty client to verify.

I recommend checking the site in SSLlabs tool: https://www.ssllabs.com/ssltest/

Look for this error:

This server’s certificate chain is incomplete.

You may be able to do this by modifying the request options as below. If you are using a self-signed certificate or a missing intermediary, setting strictSSL to false will not force request package to validate the certificate.

This Worked For me => adding agent and ‘rejectUnauthorized’ set to false

Another approach to solve this is to use the following module.

This module can work without any code modification by generating a PEM file that includes all root and intermediate certificates trusted by Mozilla. You can use the following environment variable (Works with Nodejs v7.3+),

To generate the PEM file to use with the above environment variable. You can install the module using:

and then launch your node script with an environment variable.

Other ways to use the generated PEM file are available at:

NOTE: I am the author of the above module.

GoDaddy SSL CCertificate

I’ve experienced this while trying to connect to our backend API server with GoDaddy certificate and here is the code that I used to solve the problem.

PS:

Use the bundled certificate and don’t forget to install the library npm install ssl-root-cas

You can disable certificate checking globally — no matter which package you are using for making requests — like this:

Of course you shouldn’t do this — but it’s certainly handy for debugging and/or very basic scripting where you absolutely don’t care about certificates being validated correctly.

I faced this issue few days back and this is the approach I followed and it works for me.

For me this was happening when i was trying to fetch data using axios or fetch libraries as i am under a corporate firewall, so we had certain particular certificates which node js certificate store was not able to point to.

So for my loclahost i followed this approach. I created a folder in my project and kept the entire chain of certificates in the folder and in my scripts for dev-server(package.json) i added this alongwith server script so that node js can reference the path.

For my servers(different environments),I created a new environment variable as below and added it.I was using Openshift,but i suppose the concept will be same for others as well.

I didn’t generate any certificate in my case as the entire chain of certificates was already available for me.