Node unable to verify the first certificate

Question

Suddenly my Node environments start not to install packages and they are freezing in idealTree:my-app : sill idealTree buildDeps

I tried npm config set registry http://registry.npmjs.org/ --global but did not work,

I had to use npm set strict-ssl false to make it work (I am not sure if it's safe?)

And then I started to getting this error as I am running dev server

 Error: unable to verify the first certificate
      at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
      at TLSSocket.emit (node:events:519:28)
      at TLSSocket._finishInit (node:_tls_wrap:1085:8)
      at ssl.onhandshakedone (node:_tls_wrap:871:12) {
    code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'

Environment: Node 21.6.1 Nextjs 14.1.0 React 18.2.0 NPM 10.2.4

Does anyone see the same? An in general why this is happening without changing dependencies?

Answer 1

Not sure if it's your case but looks very similar to what I started encountering around the same time as you (not only for npm but also for webpack-dev-server proxy and other things). Only now I managed to find out that it got broken after yesterday's update of ESET NOD32 Antivirus. There's already a report about it - https://forum.eset.com/topic/40702-eset-ssl-protection-produces-an-invalid-certificate-chain-for-nodejs-apps/.

The permanent solution will probably come from a NOD32 update but we'll see.

Solution for now is to turn off Enable HTTPS traffic scanning switcher in the settings to make NOD32 not scan communicating over SSL/TLS. Alternatively you can add particular apps into the ignore list if you still want to keep it scanning.

P.S. npm set strict-ssl false is an unsafe workaround for npm specifically and it's usually not the root of this kind of problems so it's better to set it back to true.

Answer 2

Not me who created these instructions but apparently you can convert the Eset SSL cert and add it as an extra Node cert. I have not tested it myself.

https://github.com/the-last-byte/ESET-NPM-Breakage-Fix