Node.js "unable to get local issuer certificate" (NODE_EXTRA_CA_CERTS) in CI
Node reports "unable to get local issuer certificate" when it cannot find the CA that issued the server certificate among its trusted roots. Node ships its own root bundle and does not read the system store by default, so a CA the OS trusts may still be invisible to Node. The clean fix is to point Node at the issuing CA with NODE_EXTRA_CA_CERTS.
What this error means
A Node HTTPS call fails with "unable to get local issuer certificate", even though curl to the same host works after the system CA store was updated.
Error: unable to get local issuer certificate
at TLSSocket.onConnectSecure (node:_tls_wrap:1544:34)
code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'Common causes
Node does not read the system trust store
Node uses its own bundled roots. A CA added to the OS store with update-ca-certificates is not picked up by Node unless you point it there.
The issuing CA is a proxy or internal root
A MITM proxy or internal CA issued the certificate, and that root is not in Node's bundled set.
How to fix it
Set NODE_EXTRA_CA_CERTS
- Ensure the issuing CA (or full system bundle) is available as a PEM file.
- Export NODE_EXTRA_CA_CERTS pointing at it before running Node.
- Re-run the process; Node now trusts that CA in addition to its bundled roots.
export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
node script.jsSet it once for the whole job
Define the variable at the job level so every Node and npm step in the job trusts the CA.
env:
NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crtHow to prevent it
- Set NODE_EXTRA_CA_CERTS in CI whenever a proxy or internal CA is in the path.
- Keep the referenced bundle updated alongside the system trust store.
- Remember Node ignores the OS store unless explicitly pointed at it.