NPM giving SSL error: SELF_SIGNED_CERT_IN_CHAIN
If you dabble a bit with node.js in your spare time you may have noticed that as of Feb 27th 2014, NPM no longer works.
If you look at the output from npm, you will probably see the following error:
npm ERR! fetch failed https://registry.npmjs.org/connect/-/connect-2.13.0.tgz
<strong>npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN</strong>
npm ERR! at ClientRequest.<anonymous> (C:\Program Files (x86)\nodejs\node_modules\npm\node_modules\request\main.js:525:26
npm ERR! at ClientRequest.g (events.js:192:14)
npm ERR! at ClientRequest.EventEmitter.emit (events.js:96:17)
npm ERR! at HTTPParser.parserOnIncomingClient [as onIncoming] (http.js:1462:7)
npm ERR! at HTTPParser.parserOnHeadersComplete [as onHeadersComplete] (http.js:111:23)
npm ERR! at CleartextStream.socketOnData [as ondata] (http.js:1367:20)
npm ERR! at CleartextStream.CryptoStream._push (tls.js:526:27)
npm ERR! at SecurePair.cycle (tls.js:880:20)
npm ERR! at EncryptedStream.CryptoStream.write (tls.js:267:13)
npm ERR! at Socket.ondata (stream.js:38:26)
npm ERR! If you need help, you may report this log at:
npm ERR! <http://github.com/isaacs/npm/issues>
npm ERR! or email it to:
npm ERR! firstname.lastname@example.org
The key is in the second line here, an SSL exception is being thrown due to the use of self-signed certificates:
npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN
After a bit of digging about I found a post on the official npm blog confirming that as of 27/Feb/14 self-signed certificates are no longer supported and that npm is effectively broken.
Quite humorously, this same blog post recommends installing an updated version of npm using npm itself, which would be fine, if the entire problem wasn’t an inability to use npm due to the cert errors. Whoops!
Some people are suggesting disabling SSL on npm by changing the config, but this is risky for a number of reasons, not least because that opens you up to man-in-the-middle attacks and no longer validates that you are indeed talking to the authentic npm repository.
Personally I took both of these and ran the following:
npm config set strict-ssl false
npm install npm –g
npm config set strict-ssl true
Here we are disabling SSL to allow us to grab the latest version of npm (which doesn’t suffer from the self-signed cert. problem) then immediately re-enabling SSL.
This to me is a quick solution to this problem.
The other option is to uninstall node.js, download the latest version and install that. The above option should be quickest and most hassle free I’d imagine.