npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

More help with SELF_SIGNED_CERT_IN_CHAIN and npm

Firstly, our sincere apologies for those of you bitten by this problem. Here are various ways to fix the problem, and at the bottom, some more detail about why this happened.

1) upgrade your version of npm

npm install npm -g --ca=null

2) tell your current version of npm to use known registrars

npm config set ca=""

3) if all else fails, upgrade node.js

The current stable version of node includes an npm client that is not affected by this issue.

4) if you are using Heroku with a custom buildpack (or another system that uses buildpacks, like Dokku) you can modify the buildpack to set the CA. Details are in this pull request or you can use this fork which has the fix included. Update: Heroku has fixed their default node buildpack; just fetch from upstream and you’ll get the fix.

5) if you are using Amazon Elastic Beanstalk, there is a reported workaround

6) if you are using Windows Azure, logging into your instance and applying fixes 1 or 2 will work (a Stack Overflow answer about this problem suggests switching to HTTP entirely, which will work but is not a good idea security-wise)

7) if you are using Amazon OpsWorks, this advice should work

8) if you are using CircleCI, this should work

9) if you are using Travis CI, this should work

So what happened?

Old versions of the npm client used a certificate authority (CA) file that was bundled into the client itself. This was previously necessary because the client used a self-signed SSL certificate (not a great idea, but history can’t be changed).

The bundled CA does not work with our latest SSL certificate, pushed out over the last few days. We knew this, but didn’t realize how many people now use npm in environments where updating npm is difficult or slow. We are rolling back to the older cert now, but since the registry is distributed by a global CDN this process is slower than we’d like, and we don’t want to break things (further) by rushing the process.

ca = "" seems dangerous!

It’s not. All the fix does is tell npm to stop using the bundled CA and use the CA store built into your copy of Node. It is actually more secure than what we were doing previously, which is part of why we did it.
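To make the difference between fix 2 and the "switch to HTTP" advice from item 6 concrete, here is a small added example (not code from the npm post or the npm client) that reads .npmrc text and reports which TLS settings it carries. The ca, strict-ssl and registry keys are real npm config keys; the two sample configs are constructed.

```javascript
// Added example: audit .npmrc content for the TLS settings this incident touched.
// Parse ini-style "key = value" lines ('#' or ';' start a comment) into a map.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let val = line.slice(eq + 1).trim();
    // npm accepts quoted values; strip one layer of matching quotes, so ca="" -> "".
    if (val.length >= 2 && /^(["']).*\1$/.test(val)) val = val.slice(1, -1);
    cfg[key] = val;
  }
  return cfg;
}

// Classify the TLS-relevant keys and return an array of finding strings.
function auditNpmrc(text) {
  const cfg = parseNpmrc(text);
  const findings = [];
  if ('ca' in cfg) {
    if (cfg.ca === '' || cfg.ca === 'null') {
      findings.push('ok: ca unset, npm trusts the CA store built into Node');
    } else {
      // A pinned CA replaces Node's store, so a registry certificate re-issued
      // under a different CA fails with SELF_SIGNED_CERT_IN_CHAIN, as in the post.
      findings.push('warn: ca pins a specific CA; breaks when the registry chain changes');
    }
  }
  if (cfg['strict-ssl'] === 'false') {
    findings.push('fail: strict-ssl=false disables certificate verification');
  }
  if (cfg.registry && /^http:\/\//i.test(cfg.registry)) {
    findings.push('fail: registry uses plaintext HTTP; packages can be altered in transit');
  }
  return findings;
}

// Constructed samples: the fix from the post vs. the downgrades to avoid.
const FIXED = 'ca=""\nregistry=https://registry.npmjs.org/\n';
const DOWNGRADED = '; "fix" copied from a forum answer\nstrict-ssl=false\nregistry=http://registry.npmjs.org/\n';

console.log(auditNpmrc(FIXED));
console.log(auditNpmrc(DOWNGRADED));
```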

Oh man, this was super-painful

We hear you, and once again our apologies. We can and will do better. In the meantime, thanks for your patience and understanding, especially the amazing members of the Node.js community who contributed workarounds in the comments of our original post.