Fixing unable_to_get_issuer_cert_locally Error in Node JS

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...
UNABLE_TO_GET_ISSUER_CERT_LOCALLY

Easy-to-follow solutions for resolving the nodejs unable_to_get_issuer_cert_locally error

Have you ever encountered the unable_to_get_issuer_cert_locally error in Node.js? If yes, then you must know that it’s not a simple error that we can overlook, as if we do that, it will give rise to several other issues that you won’t be able to manage.

Because of this, it becomes essential to fix the unable_to_get_issuer_cert_locally node js error at the earliest, and if you need to be more knowledgeable about resolving it, don’t fret. In this article, we will clarify what’s causing this error and provide easy-to-follow steps to fix it.

Why does the Nodejs unable_to_get_issuer_cert_locally error occur?

The Nodejs unable_to_get_issuer_cert_locally error generally emerges when an SSL certificate cannot be verified or confirmed due to the absence or lack of the issuer’s certificate in the local trust store.

Whenever Node.js commences a request to an HTTPS-enabled server, it enters a complex predicament. On the one hand, affirming the server’s SSL certificate is crucial to ensure it is valid and dependable. But, to achieve that, it must traverse a maze of intricate challenges that include verifying the certificate’s chain of trust. This verification process, in turn, demands validation that the certificate’s issuer – the Certificate Authority (CA) – is also authentic and trustworthy.

But if the issuer’s certificate is absent from the trust store, Node.js will fail to affirm the certificate chain. This will give rise to the “unable_to_get_issuer_cert_locally” error.

In short, this error occurs because – Node.js cannot confirm the trustworthiness of the certificate chain without first validating the issuer’s certificate, which it cannot do without the issuer’s certificate being present in the local system’s trust store.

How to fix the unable_to_get_issuer_cert_locally error?

To fix this error, you can try one or more of the following methods:

Temporarily stop rigid SSL verification

This method is a momentary resolution that you can opt for when you are incapable of acquiring the registry’s SSL cert or if you are encountering problems despite inserting or adding the cert to the trusted list. To accomplish this, use the command given below:

npm config set strict-ssl false

As stated above, it’s a temporary solution; you should again initiate the rigid SSL verification as soon as the SSL certificate issue is dealt with; otherwise, you can be a victim of a Monkey-in-the-middle attack.

Note: Instead of the term “false,” use “true” in the above command to start rigid verification.

Change the default public registry version to HTTP

The default public NPM registry version is set to HTTPS. To change it to HTTP, follow the given below steps:

  1. Launch a Command Prompt or Terminal Window
  2. Enter the command given below:
npm config set registry http://registry.npmjs.org/

Note: The NPM registry is the primary spot where NPM searches for packages whenever the “npm install” cmd is executed.

Expand Node.js’ trust store by adding additional Root certificates to the list of trusted cert.

If you intend to add or insert a root certificate that is not part of your system’s default catalog of trusted certificates, you can use the command given below:

Now, if you are using a MacOS or Linux system, use the command given below:

export NODE_EXTRA_CA_CERTS=path/to/my-certs.pem

If you are using a Windows system, use the command given below:

set NODE_EXTRA_CA_CERTS=C:\\path\\to\\certificate.pem

Modify the settings of the CAfile

To modify the CA file, execute the “set cafile” cmd as given below:

npm config set cafile /path/to/root/certificate.pem

The settings of the CAfile will take precedence over the standard CA lookups that NPM utilizes. Attempting to access any public node packet manager registries that your Certificate Authority does not authenticate through HTTPS will result in errors.

Disable certificate verification altogether

This method instructs Node.js to skip the SSL certificate verification process. Disabling certificate validation may enable a cyber actor to intercept and exploit the data shared between the client and server, which may lead to various security violations. Some circumstances, such as during the testing phase of a non-production environment, can regard this method as a momentary answer where data interception and exploitation threats are nominal, and data security is less critical.

To disable certificate verification altogether, use the command given below:

export NODE_TLS_REJECT_UNAUTHORIZED=0

Note: We discourage using this method, as it causes “n” number of security risks and compromises the data. To restart the certification verification, replace “0” with “1” in the above command.

How to deal with the unable_to_get_issuer_cert_locally error in Node.js behind proxies?

The “unable_to_get_issuer_cert_locally” error can also occur if you are in the environment of firewall protection that utilizes a proxy to examine the traffic or data packets by exchanging the SSL certificate with its own cert. In such cases, the corporate network administrator must provide you the .pem extension file, or you can download it by browsing any website that exchanges the certificate. Once you have the certificate file, you can add or insert the cert in the catalog of trusted certificates.

Conclusion

The “unable_to_get_issuer_cert_locally” error in Node.js occurs when the SSL certificate cannot be verified or confirmed due to the absence or lack of the issuer’s certificate in the local trust store. The article provides various methods to fix the error, including temporarily stopping rigid SSL verification, changing the default public registry version to HTTP, expanding Node.js’ trust store, modifying the settings of the CAfile, and disabling certificate verification altogether.

However, disabling certificate validation altogether is not recommended, as it can cause security risks and compromise data. Additionally, if the error occurs behind proxies, the user must reach the corporate network administrator to get the certificate file or try to download it by connecting to any site where the certificate is exchanged.

Read more about how to fix the “pr_connect_reset_error” in Firefox?

Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.