Node-red Install Error- Self_Signed_cert_in_chain

Hi,
Feeling a little awkward to post this. I have been working with Node-RED for at least 2 years and have installed many instances on a few PCs but never faced this issue, so I am stuck. I searched the forum and the net for this issue but nowhere could I find the exact issue. There are some similar issues reported for a few nodes but not for Node-RED itself.

I am getting the following error on a freshly formatted Windows PC.
OS - Windows 11 Pro

C:\Users\oee.ldh\NR-ADMIN>node --version && npm --version
v20.18.1
10.8.2
PS C:\Users\oee.ldh> npm install -g --unsafe-perm node-red
npm error code SELF_SIGNED_CERT_IN_CHAIN
npm error errno SELF_SIGNED_CERT_IN_CHAIN
npm error request to https://registry.npmjs.org/node-red failed, reason: self-signed certificate in certificate chain
npm error A complete log of this run can be found in: C:\Users\oee.ldh\AppData\Local\npm-cache\_logs\2024-12-05T07_27_36_708Z-debug-0.log

The error log:

0 verbose cli C:\Program Files\nodejs\node.exe C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js
1 info using npm@10.8.2
2 info using node@v20.18.1
3 silly config load:file:C:\Program Files\nodejs\node_modules\npm\npmrc
4 silly config load:file:C:\Users\oee.ldh\NR-ADMIN\.npmrc
5 silly config load:file:C:\Users\oee.ldh\.npmrc
6 silly config load:file:C:\Users\oee.ldh\AppData\Roaming\npm\etc\npmrc
7 verbose title npm install node-red
8 verbose argv "install" "node-red"
9 verbose logfile logs-max:10 dir:C:\Users\oee.ldh\AppData\Local\npm-cache\_logs\2024-12-05T07_38_02_267Z-
10 verbose logfile C:\Users\oee.ldh\AppData\Local\npm-cache\_logs\2024-12-05T07_38_02_267Z-debug-0.log
11 silly packumentCache heap:2197815296 maxSize:549453824 maxEntrySize:274726912
12 silly logfile start cleaning logs, removing 1 files
13 silly logfile done cleaning log files
14 silly idealTree buildDeps
15 silly fetch manifest node-red@*
16 silly packumentCache full:http://registry.npmjs.org/node-red cache-miss
17 http fetch GET https://registry.npmjs.org/node-red attempt 1 failed with SELF_SIGNED_CERT_IN_CHAIN
18 http fetch GET https://registry.npmjs.org/node-red attempt 2 failed with SELF_SIGNED_CERT_IN_CHAIN
19 http fetch GET https://registry.npmjs.org/node-red attempt 3 failed with SELF_SIGNED_CERT_IN_CHAIN
20 silly placeDep ROOT node-red@ OK for:  want: *
21 verbose type system
22 verbose stack FetchError: request to https://registry.npmjs.org/node-red failed, reason: self-signed certificate in certificate chain
22 verbose stack     at ClientRequest.<anonymous> (C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\index.js:130:14)
22 verbose stack     at ClientRequest.emit (node:events:518:28)
22 verbose stack     at emitErrorEvent (node:_http_client:101:11)
22 verbose stack     at _destroy (node:_http_client:884:9)
22 verbose stack     at onSocketNT (node:_http_client:904:5)
22 verbose stack     at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
23 error code SELF_SIGNED_CERT_IN_CHAIN
24 error errno SELF_SIGNED_CERT_IN_CHAIN
25 error request to https://registry.npmjs.org/node-red failed, reason: self-signed certificate in certificate chain
26 silly unfinished npm timer reify 1733384282827
27 silly unfinished npm timer reify:loadTrees 1733384282832
28 verbose cwd C:\Users\oee.ldh\NR-ADMIN
29 verbose os Windows_NT 10.0.22631
30 verbose node v20.18.1
31 verbose npm  v10.8.2
32 verbose exit 1
33 verbose code 1
34 error A complete log of this run can be found in: C:\Users\oee.ldh\AppData\Local\npm-cache\_logs\2024-12-05T07_38_02_267Z-debug-0.log

Interesting :smiley:

I can connect to registry.npmjs.org. openssl shows no error.

Maybe your Windows PC must update the certificate store / get the root certs?

~$ openssl s_client  -connect registry.npmjs.org:443
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R4
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WE1
verify return:1
depth=0 CN = npmjs.org
verify return:1
---
Certificate chain
 0 s:CN = npmjs.org
   i:C = US, O = Google Trust Services, CN = WE1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Nov 11 08:09:05 2024 GMT; NotAfter: Feb  9 08:09:04 2025 GMT
 1 s:C = US, O = Google Trust Services, CN = WE1
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R4
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R4
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 15 03:43:21 2023 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDnTC....
-----END CERTIFICATE-----
subject=CN = npmjs.org
issuer=C = US, O = Google Trust Services, CN = WE1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2970 bytes and written 405 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID: FA147....
    Session-ID-ctx:
    Master-Key: 4C565D....
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - b4 7c db 40 6a 9a 6f fb-bc 20 9e a7 15 b1 33 ce   .|.@j.o.. ....3.
    .....

    Start Time: 1733385908
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

Can you suggest how I do this?

I don't know how to do that on Windows :see_no_evil:

With Linux, it is easy :wink:


One of the 'suggestions' found on the internet said to set

npm config set strict-ssl false

I smelled something wrong and have not ventured into it.

Is it safe?

In edge - do you get any warnings when visiting https://registry.npmjs.org ?


Happens automatically on Windows. Check for any outstanding Windows Updates.

ABSOLUTELY NOT! DO NOT DO THAT.


Can you do:

> npm config get cafile
null

I get null, do you get something different?

Also suggested was running wget https://registry.npmjs.org/express though you need to install a compatible wget app for that.

I get null as well


C:\Users\oee.ldh>npm config get cafile
null

C:\Users\oee.ldh>

I think (not totally sure) that you only need something in there if you need npm to go via a secured non-transparent proxy (typical in some enterprise environments).

As a temporary solution, you can just override the protocol.

npm config set registry http://registry.npmjs.org/

and to put it back

npm config set registry https://registry.npmjs.org/

As a quick workaround, it's nothing to be concerned about (Ok, Julian :wink: )

http[s]

As long as you don't leave it.

My worry with workarounds like that is someone managing to insert a rogue proxy. Without proper https, you are then very vulnerable. The risk is relatively low though for a short while.

But it doesn't fix the issue of course which really does need fixing.
