Skip to content
Latchkey

npm "self-signed certificate in certificate chain" - Fix in CI

This TLS error means Node could not verify the registry’s certificate against its trust store - typically because a corporate proxy or private registry presents a certificate signed by a CA Node does not trust.

What this error means

npm fails fetching from the registry with self-signed certificate in certificate chain or UNABLE_TO_GET_ISSUER_CERT_LOCALLY. It happens behind TLS-intercepting proxies or against a private registry with a custom CA.

npm output
npm error code SELF_SIGNED_CERT_IN_CHAIN
npm error request to https://registry.internal/.../pkg failed,
reason: self-signed certificate in certificate chain

Common causes

A TLS-inspecting proxy re-signs traffic

Corporate egress proxies decrypt and re-encrypt HTTPS with their own CA. Node does not trust that CA by default, so verification fails.

A private registry uses a custom CA

An internal registry served with a non-public CA certificate is not in Node’s bundled trust store.

How to fix it

Trust the CA properly

Add the corporate/private CA to Node’s trust store rather than disabling TLS.

Terminal
# point Node at the extra CA bundle
export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/corp-ca.pem
npm ci

Configure npm to use the CA file

  1. Set npm config set cafile /path/to/corp-ca.pem.
  2. Install the CA into the runner image so it is available to all tools.
  3. Verify the registry hostname matches the certificate.

How to prevent it

  • Bake the corporate/private CA into CI images.
  • Use NODE_EXTRA_CA_CERTS rather than disabling strict-ssl.
  • Keep registry certificates valid and matched to their hostname.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →