Error: unable to get local issuer certificate

[amcdnl]

Issue

When installing cypress via node on a restrictive network at a large corp, I receive the following error:

 The Cypress App could not be downloaded.

Please check network connectivity and try again:
----------

URL: https://download.cypress.io/desktop/2.0.2?platform=darwin&arch=x64 …
Error: unable to get local issuer certificate
----------

Platform: darwin (16.7.0)
Cypress Version: 2.0.2

Accessing the link directly works. Also I can WGET and Curl the link without issue.

I tried setting NODE_TLS_REJECT_UNAUTHORIZED=0 but that didn't seem to resolve the issue. My corporate security team asked:

They using their own CA store in the downloader? NODE_TLS_REJECT_UNAUTHORIZED=0 usually fixes that unless they use their own CA bundle, which would 100% break in our environment."

[brian-mann]

We do not issue our own CA store.

https://download.cypress.io has a normal cert issued by Cloudflare.

[bahmutov]

Yeah, it might be your own network proxy that acts like man in the middle while downloading from external sources (at least that's my understanding from reading reports about such issues here nodejs/help#979)

[amcdnl]

@bahmutov - I do believe something like that is going on. When I dump my npm config I have this setup:

; cli configs
metrics-registry = "http://dps.dev.meeeee.net/nexus-3/repository/npm-all/"
scope = ""
user-agent = "npm/5.6.0 node/v8.9.0 darwin x64"

; userconfig /Users/eeeee/.npmrc
@meeeee = "http://nexus.dev.meeeee.net:8082/repository/ecms/"
@mc:registry = "http://dps.dev.meeeeee.net/nexus-3/repository/npm-internal/"
NODE_TLS_REJECT_UNAUTHORIZED = "0"
registry = "http://dps.dev.meeeeeee.net/nexus-3/repository/npm-all/"

; node bin location = /Users/eeeee/.nvm/versions/node/v8.9.0/bin/node
; cwd = /Users/eeeee/dev/my
; HOME = /Users/eeeee
; "npm config ls -l" to show all defaults.

[davidsteinsland]

Yes it's because corporate proxies usually encrypts the traffic using a self-signed certificate. See #1401 for more details.

[jennifer-shehane]

Since this issue hasn't had activity in a while, we'll close the issue until we can confirm this is still happening. Please comment if there is new information to provide concerning the original issue and we'd be happy to reopen.

[chauhansumit12]

npm install cypress is failing, I am using windows 10 64 bit and our company uses zscaler ,Can someone help ?
Installing Cypress (version: 7.7.0)

The Cypress App could not be downloaded.

Does your workplace require a proxy to be used to access the Internet? If so, you must configure the HTTP_PROXY environment variable before downloading Cypress. Read more: https://on.cypress.io/proxy-configuration

Otherwise, please check network connectivity and try again:

---

URL: https://download.cypress.io/desktop/7.7.0?platform=win32&arch=x64
Error: unable to get local issuer certificate

---

Platform: win32 (10.0.18363)
Cypress Version: 7.7.0
npm WARN TODOMVC-TESTS@1.0.0 No description
npm WARN TODOMVC-TESTS@1.0.0 No repository field.

[pjobson]

If you run into this problem due to corp firewall rules and are using WSL, you can do this to work around. Change the version as needed.

wget --no-check-certificate https://cdn.cypress.io/desktop/9.5.3/linux-x64/cypress.zip -O ~/cypress.zip
CYPRESS_INSTALL_BINARY=~/cypress.zip npm install cypress --save-dev

[helloworld121]

o corp firewall rules and are using WSL, you ca

Hi @chauhansumit12,
I am facing the same issue did you found a solution for this?

Currently I am working with "CYPRESS_INSTALL_BINARY" but for ci/cd this feels like a messy crutch. Because running e2e tests in a pipeline is most important, we discuss to switch to testcafe...

Best regards.

[pjobson]

helloworld121 you can install your own certificate for cdn.cypress.io like this abstraction from part of a bash script I wrote.

port=443
trust_cert_file_location=`curl-config --ca`

hostname="cdn.cypress.io"
bash -c "echo -n | openssl s_client -showcerts -connect $hostname:$port -servername $hostname 2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $trust_cert_file_location"

[helloworld121]

Hi @pjobson,
thank you for the quick answer.

I installed custom certificates using "update-ca-certificates". And installing npm packages works fine.
Just the case that @amcdnl described failed also in my environment. Downloading the cypress app.

npm ERR! command failed
npm ERR! command sh -c node index.js --exec install
npm ERR! Installing Cypress (version: 10.3.1)
npm ERR! 
npm ERR! [STARTED] Task without title.
npm ERR! The Cypress App could not be downloaded.
npm ERR! 
npm ERR! Does your workplace require a proxy to be used to access the Internet? If so, you must configure the HTTP_PROXY environment variable before downloading Cypress. Read more: https://on.cypress.io/proxy-configuration
npm ERR! 
npm ERR! Otherwise, please check network connectivity and try again:
npm ERR! 
npm ERR! ----------
npm ERR! 
npm ERR! URL: https://download.cypress.io/desktop/10.3.1?platform=linux&arch=x64
npm ERR! Error: unable to get local issuer certificate
npm ERR! 
npm ERR! ----------
npm ERR! 
npm ERR! Platform: linux-x64 (Alpine Linux - 3.16.0)
npm ERR! Cypress Version: 10.3.1
npm ERR! [FAILED] The Cypress App could not be downloaded.
npm ERR! [FAILED] 
npm ERR! [FAILED] Does your workplace require a proxy to be used to access the Internet? If so, you must configure the HTTP_PROXY environment variable before downloading Cypress. Read more: https://on.cypress.io/proxy-configuration
npm ERR! [FAILED] 
npm ERR! [FAILED] Otherwise, please check network connectivity and try again:
npm ERR! [FAILED] 
npm ERR! [FAILED] ----------
npm ERR! [FAILED] 
npm ERR! [FAILED] URL: https://download.cypress.io/desktop/10.3.1?platform=linux&arch=x64
npm ERR! [FAILED] Error: unable to get local issuer certificate
npm ERR! [FAILED] 
npm ERR! [FAILED] ----------
npm ERR! [FAILED] 
npm ERR! [FAILED] Platform: linux-x64 (Alpine Linux - 3.16.0)
npm ERR! [FAILED] Cypress Version: 10.3.1

I have no idea why this is a problem.
By the way, I can download cypress using wget and calling the url printed in the error.

[pjobson]

@helloworld121

This stackoverflow answer may be better for you than my other answer. I'm not sure how NPM manages certificates, maybe it doesn't use the OS's. Good luck!

https://stackoverflow.com/a/30341389/209003

[adjenks]

If you run into this problem due to corp firewall rules and are using WSL, you can do this to work around. Change the version as needed.

wget --no-check-certificate https://cdn.cypress.io/desktop/9.5.3/linux-x64/cypress.zip -O ~/cypress.zip
CYPRESS_INSTALL_BINARY=~/cypress.zip npm install cypress --save-dev

Be careful when using options like --no-check-certificate. It's basically saying, "download the file with your eyes closed". It's a dangerous workaround that allows a window for hackers. It's not likely you'll get hacked, but it's bad practice to disable security to "just make things work".

[adjenks]

Okay, so I think I figured it out for myself. I am behind a corporate firewall and need to set custom ca certificates.

Based on this function when cypress downloads itself it attempts to use the npm ca or cafile settings from process.env, however, on my system and apparently other people's process.env is not populated by the .npmrc that is configured with npm config set. process.env is only the result of the environment variables, which npm also uses but doesn't use alone.

To address the issue I had to run these two lines:

export npm_config_cafile=/etc/pki/tls/certs/ca-bundle.crt
export CYPRESS_DOWNLOAD_USE_CA=1

This sets the bash environment variables which will be read correctly by cypress' postInstall. So even if you run npm config get cafile and it returns an answer, if you do not set these environment variables as well, cypress will fail. You can check this before setting the variables by running. node -e "console.log(process.env)" and looking for settings prefixed with npm_config_. When I tried this, I could not find the relevant variables until setting them using export.

node doesn't provide a builtin package to get the settings inside of itself by default, but a user named kevva seems to have created a package to get settings the same way npm does. It was forked and is now more recently maintained by the pnpm project here though.

If cypress would like to use it, it works like this after you install it:
node -e "require('@pnpm/npm-conf')().config.get('cafile')"

It seems like this kind of problem comes up a lot:
#17238
#1401
#7107

Good luck everyone.

[flajann2]

I am getting this error despite having certs installed.

/bin/curl -o /nix/npm.certs.pem https://curl.se/ca/cacert.pem
/bin/npm config set cafile /nix/npm.certs.pem
export SSL_CERT_FILE="/nix/npm.certs.pem"
...
npm ERR! ----------
npm ERR!
npm ERR! URL: https://download.cypress.io/desktop/13.3.3?platform=linux&arch=x64
npm ERR! Error: unable to get local issuer certificate
npm ERR!
npm ERR! ----------

As you can see, I both register the certs with npm and set the environment variable. It cleared up all other cert problems beside this one. And I am not behind a corporate firewall.

Please reopen.