npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY

Question

I am trying all possible ways to create a React application. I have tried Maven, and now I am trying create-react-app from Facebook Incubators.

When I tried to run the command create-react-app my-app in npm environment, it worked on my personal system with no issues. But, when I tried the same command in my work environment, I encountered the following error on my command line:

npm ERR! node v6.10.2
npm ERR! npm  v3.10.10
npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY

npm ERR! unable to get local issuer certificate
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR!     <https://github.com/npm/npm/issues>

Answer 1

A quick solution from the internet search was npm config set strict-ssl false, luckily it worked. But as a part of my work environment, I am restricted to set the strict-ssl flag to false.

Later I found a safe and working solution:

npm config set registry http://registry.npmjs.org/  

which worked perfectly and I got a success message Happy Hacking! by not setting the strict-ssl flag to false.

Answer 2

Specifically for macOS, if you mess with /opt/homebrew/etc/ca-certificates, it will break Node.js:

TypeError: fetch failed
    at node:internal/deps/undici/undici:13178:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  [cause]: Error: unable to get local issuer certificate
      at TLSSocket.onConnectSecure (node:_tls_wrap:1679:34)
      at TLSSocket.emit (node:events:520:28)
      at TLSSocket._finishInit (node:_tls_wrap:1078:8)
      at ssl.onhandshakedone (node:_tls_wrap:864:12) {
    code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
  }
}

Reinstalling ca-certificates and node with Homebrew was not enough. What fixed it:

brew reinstall ca-certificates
brew reinstall openssl@3
brew reinstall node

I am guessing installing openssl also updates the CA store, which is why it's required. That was the missing piece that was not obvious initially.

I also ran brew remove --ignore-dependencies ca-certificates a few times.

Quick way to verify the fix worked:

node -e 'fetch("https://example.com").then(r => console.log(r.status))'

Answer 3

For me this was fixed by reinstalling openssl with the command brew reinstall openssl@3 (I'm on macOS, and brew is the package manager)

Answer 4

I have been getting the same error when using the OpenAI client for NodeJs. Turned out my computer was protected using Zscaler which caused the issue. The following fixed the problem for me:

import https from 'https';

const openai = new OpenAI({
  httpAgent: new https.Agent({
    rejectUnauthorized: false,
  }),
});

Please be aware that rejectUnauthorized should not be set to false for remote environments like prod stacks.

Answer 5

This is not necessarily a fix, but the way I resolved this was by switching node versions with nvm use <version>.

I looked at the logs for the failed npm i and noticed it was using node 19... didn't even know it went up that high!

Answer 6

Setting NODE_EXTRA_CA_CERTS in the terminal did not work for me for some reason, same like how export http_proxy=proxyurl in the terminal didn't work and instead I needed to do a npm config set proxy yourproxyurl:port and npm config set http-proxy yourproxyurl:port (you can verify existing proxy, if any, via npm get proxy).

I had to supply --cafile parameter for it to explicitly work, something like this:

sudo npm install -g cordova --cafile /System/Volumes/Data/opt/homebrew/etc/ca-certificates/cert.pem

Answer 7

I deleted the .npmrc file from C:\Users\MyUser and it worked

Answer 8

doing the following steps solved it for me.

npm config set strict-ssl=false
npm config set registry http://registry.npmjs.org/
npm config set cafile /path/to/your/cert.pem
set NODE_TLS_REJECT_UNAUTHORIZED=0

Answer 9

This is what worked for me (on a Mac 10.15.7).

My issue was I tried this command...

npm install eslint --save-dev

...and got this error message...

npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! errno UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! request to https://registry.npmjs.org/eslint failed, reason: unable to get local issuer certificate

...I googled one of the error messages and ended up on the stack overflow issue you are reading now.

I then tried one of the suggestions above, i.e.

npm config set registry http://registry.npmjs.org/

...then, I again tried...

npm install eslint --save-dev

...and got the same error message.

Then I did something unique. I connected to my company's vpn. (This is the opposite of what someone (i.e. @mask) suggested. They said they turned OFF their vpn!)

I tried...

npm install eslint --save-dev

...for the third time and it worked like a charm. Problem solved. (-:

(Aside: I wonder if my first attempt to fix this, i.e.

npm config set registry http://registry.npmjs.org/

...was necessary?)

Answer 10

Zscalar update policy help me to make network calls, after trying couple of work around mentioned.

Workarounds tried Before Zscalar update:

• npm config set strict-ssl false
• npm config set registry http://registry.npmjs.org/
• set NODE_TLS_REJECT_UNAUTHORIZED=0

Update policy(Highlighted in yellow) in Zscalar app helped me to fix "unable to get local issuer certificate" issue.

Answer 11

what may be happening is your company decrypts certain traffic and re-encrypts it with their certificate (which you probably already have in your keychain or trusted root certificates)

if you're using node 7 or later I've found this fix to be compatible with node and node-gyp (for Windows you'll need to do this differently, but you basically just need to add this environment variable):

export NODE_EXTRA_CA_CERTS="absolute_path_to_your_certificates.pem" (in Windows you may need to remove the quotes)

the pem file can have multiple certificates: https://nodejs.org/api/cli.html#node_extra_ca_certsfile

make sure your certificates are in proper pem format (you need real line breaks not literal \n)

I couldn't seem to get it to work with relative paths (. or ~)

This fix basically tells npm and node-gyp to use the check against the regular CAs, but also allow this certificate when it comes across it

Ideally you would be able to use your system's trusted certificates, but unfortunately this is not the case.

Answer 12

Some schematics use yarn under the hood and throw the same error.

yarn config set registry http://registry.npmjs.org

Answer 13

Its very easy to fix this issue.

ERROR

npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY 
npm ERR! errno UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! request to https://registry.npmjs.org/yarn failed, reason: unable to get local issuer certificate  
npm ERR! A complete log of this run can be found in:

Solution

If you are in organization or intranet then use below commend.

npm config set registry https://type_your_org_repo_fqdn

other wise

npm config set registry http://registry.npmjs.org/

Answer 14

What is your OS? On Ubuntu I was able to fix this error by running

npm config set cafile /etc/ssl/certs/ca-certificates.crt

to tell npm to use my system's certificate store. Debian uses the same system certificate path, I'm less familiar with other distributions and OSes.

(I don't like the other answers that all turn off certificate verification and allow man-in-the-middle attacks.)

Answer 15

npm config set registry http://registry.npmjs.org/

If this code trick didn't work for you then try to run your application from home directory.. It worked for me.

Answer 16

For me the issue was VPN, I disconnected the VPN and "npm i" command worked with no fail.

Answer 17

In my case, at some point I set my global config to use a cert that was meant for a project.

npm config list

/path/to/global/.npmrc
NODE_EXTRA_CA_CERTS = "./certs/chain.pem"

I opened the file, removed the line and npm install worked again.

Answer 18

After trying out every solution I could find:

• Turning off strict ssl: npm config set strict-ssl=false
• Changing the registry to http instead of https: npm config set registry http://registry.npmjs.org/
• Changing my cafile setting: npm config set cafile /path/to/your/cert.pem
• Stop rejecting unknown CAs: set NODE_TLS_REJECT_UNAUTHORIZED=0

The solution that seems to be working the best for me now is to use the NODE_EXTRA_CA_CERTS environment variable which extends the existing CAs rather than replacing them with the cafile option in your .npmrc file. You can set it by entering this in your terminal: NODE_EXTRA_CA_CERTS=path/to/your/cert.pem

Of course, setting this variable every time can be annoying, so I added it to my bash profile so that it will be set every time I open terminal. If you don’t already have a ~/.bash_profile file, create one. Then at the end of that file add export NODE_EXTRA_CA_CERTS=path/to/your/cert.pem. Then, remove the cafile setting in your .npmrc.

Answer 19

I had this error when I tried to update npm, but had a really old version (1.3.6 !) installed from yum in AWS Linux. I was able to manually install a newer npm version and everything was remedied.

Answer 20

Had the same error. Looks like it is related to SSL certificates. If you are using NPM for public packages (don't need the security of HTTPS) you can turn off strict SSL key validation with the following command.

This might be the simplest fix if you're just looking to install a few publicly available packages one time.

npm config set strict-ssl=false

Answer 21

Changing the NPM repo URL to HTTP works as a quick-fix, but I wanted to use HTTPS.

In my case, the proxy at my employer (ZScaler) was causing issues (as it acts as a MITM, causing certification verification issues)

I forgot I found a script that helps with this and Git (for cloning GitHub repos via HTTPS had the same issue) and forked it for my use

Basically, it does the following for git:

git config --global http.proxy http://gateway.zscaler.net:80/
git config --system http.proxy http://gateway.zscaler.net:80/

and for Node, it adds proxy=http://gateway.zscaler.net:80/ to the end of c:\Users\$USERNAME\npm\.npmrc

That solved the issue for me.