robev

Reputation: 1949

Git and NPM fail due to use of a proxy

For some reason very recently I haven't been able to use git to push to github, or use npm to install node modules. (I'm using Windows 10)

I get this error with git:

$ git push origin master
fatal: unable to access 'https://github.com/$$$/$$$.git/': SSL certificate problem: unable to get local issuer certificate

I get this error with npm:

npm install --save-dev webpack
npm WARN package.json [email protected] No description
npm WARN package.json [email protected] No README data
npm ERR! Windows_NT 10.0.14393
npm ERR! argv "C:\\Program Files\\nodejs\\node.exe" "C:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js" "install" "--save-dev" "webpack"
npm ERR! node v4.4.4
npm ERR! npm  v2.15.1
npm ERR! code UNABLE_TO_VERIFY_LEAF_SIGNATURE

npm ERR! unable to verify the first certificate
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR!     <https://github.com/npm/npm/issues>

npm ERR! Please include the following file with any support request:
npm ERR!     npm-debug.log

I updated git to the latest version, same error. I tried running npm install -g npm to update npm and get the same error, so I can't update it.

I don't understand how SSL works. As far as I know, I don't have any SSL certificates, so I don't know what it is looking for. I also don't know why this is only a problem now, when a few weeks ago I was using git and npm with no problem. I don't know what changed... All the solutions I've found on this site are either

  1. Disable checking SSL, which doesn't sound safe
  2. Tell git where my certificates are, and I don't know how to do that

For npm I tried everything here: Socket.io unable to verify the first certificate and it didn't help. The last step resulted in:

Loading latest certificates from 
https://mxr.mozilla.org/nss/source/lib/ckfw/builtins/certdata.txt?raw=1
undefined
> { [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }
undefined

I tried simply require('ssl-root-cas').inject(); but it didn't help my error go away.

I don't know if it's relevant, but I am using CovenantEyes. Some websites I looked at said proxies could be an issue, is CovenantEyes a proxy?

Upvotes: 3

Views: 596

Answers (1)

Vampire

Reputation: 38734

I don't know Covenant Eyes, but from what I see from a quick skim over their website, I'd say yes, they are using proxy technology to intercept your web traffic and filter / rate / block it.

When using HTTPS, the communication with the server is fully encrypted between client and server, so a proxy cannot intercept, as it does not have the private information of the server. So it can at most do a wanted man-in-the-middle attack, meaning it requests the HTTPS page from the server and then encrypts it with its own certificate before presenting it to your browser (Git in this constellation is a browser, as it requests HTTP / HTTPS URLs and consumes them).

This certificate that CovenantEyes uses to encrypt the traffic of course is not an official GitHub certificate and thus Git complains that it cannot verify the certificate. Your browser will do the same and yell at you that this is unsafe until you tell it to shut up (accept the certificate).

To make this work, you have several ways, e.g. one of:

  • Do not use HTTPS URLs, but GIT or SSH URLs, as with those you have no intercepting CovenantEyes disturbing
  • Declare github.com as exception to the intercepting mechanism in CovenantEyes if this is possible
  • Import the certificate that CovenantEyes is using to encrypt the stuff and add it to the list of trusted certificates
  • Turn off certificate validation

I think I'd prefer the first way which also happens to be the easiest approach.

Upvotes: 5
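
To check whether the certificate being served really comes from an intercepting proxy, as the answer describes, the leaf issuer and verify code can be read from `openssl s_client` output. This is an added example, not part of the original answer; the sample output and the CA names "Example Filter Root CA" and "Example Public CA" are constructed placeholders.

```shell
# Live capture (Git Bash; needs openssl and network access):
#   openssl s_client -connect github.com:443 -servername github.com </dev/null 2>&1
# Constructed sample of that output behind an intercepting proxy. The issuer
# name is a placeholder, not any real product's CA.
sample_output() {
cat <<'EOF'
depth=0 CN = github.com
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = github.com
   i:CN = Example Filter Root CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Print the issuer of the leaf certificate (first "i:" line of the chain).
leaf_issuer() {
    sed -n 's/^ *i:[[:space:]]*//p' | head -n 1
}

# Print the numeric verify result; 0 means the chain validated.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# classify <expected-issuer-substring>: reads s_client output on stdin.
# An unexpected issuer counts as interception even when the verify code is 0,
# which happens once the proxy's CA has been added to the trust store.
classify() {
    out=$(cat)
    issuer=$(printf '%s\n' "$out" | leaf_issuer)
    code=$(printf '%s\n' "$out" | verify_code)
    case "$issuer" in
        *"$1"*) known=yes ;;
        *)      known=no ;;
    esac
    if [ "$known" = no ]; then
        echo "intercepted: leaf issued by '$issuer' (verify code $code)"
    elif [ "$code" = 0 ]; then
        echo "direct"
    else
        echo "untrusted: expected issuer but verify code $code"
    fi
}
```

Verify codes 20 and 21 are the same OpenSSL errors that git and npm report in the question. If the unexpected issuer is a CA you choose to trust, `git config --global http.sslCAInfo <bundle>` and `npm config set cafile <bundle>` (with `<bundle>` a PEM file containing that CA) keep verification enabled.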
