Node.js "unable to verify the first certificate" - Fix Incomplete Chains
Node could not build a complete trust chain because the server did not send its intermediate certificate. Unlike a self-signed CA, the root is trusted - the chain just has a gap that the server (or your config) must fill.
What this error means
An HTTPS request or npm install fails with unable to verify the first certificate (UNABLE_TO_VERIFY_LEAF_SIGNATURE). It often appears against a private registry or proxy whose server is misconfigured to omit the intermediate.
npm error code UNABLE_TO_VERIFY_LEAF_SIGNATURE
npm error request to https://registry.internal/... failed,
reason: unable to verify the first certificateCommon causes
Server sends an incomplete certificate chain
The TLS server presents its leaf certificate but omits the intermediate CA that links it to a trusted root. Node cannot complete the chain, so verification fails.
The intermediate is not in the runner’s trust store
When the server will not send the intermediate, the client must already have it. A minimal runner image without that intermediate cannot verify the leaf.
How to fix it
Fix the server to send the full chain
The proper fix is server-side: configure the registry/proxy to present leaf + intermediate(s). Verify what it actually sends.
# inspect the chain the server presents
openssl s_client -connect registry.internal:443 -showcertsSupply the intermediate to the client
If you cannot change the server, provide the missing intermediate (and root) to Node and npm as an extra CA file.
export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/intermediate-bundle.pem
npm config set cafile /etc/ssl/certs/intermediate-bundle.pem
npm ciHow to prevent it
- Configure TLS servers to present the full chain (leaf + intermediates).
- Bundle required intermediates into runner images via
NODE_EXTRA_CA_CERTS. - Test the chain with
openssl s_client -showcertswhen adding a new private host.