npm "self-signed certificate in certificate chain" - Fix in CI
This TLS error means Node could not verify the registry’s certificate against its trust store - typically because a corporate proxy or private registry presents a certificate signed by a CA Node does not trust.
What this error means
npm fails fetching from the registry with self-signed certificate in certificate chain or UNABLE_TO_GET_ISSUER_CERT_LOCALLY. It happens behind TLS-intercepting proxies or against a private registry with a custom CA.
npm error code SELF_SIGNED_CERT_IN_CHAIN
npm error request to https://registry.internal/.../pkg failed,
reason: self-signed certificate in certificate chainCommon causes
A TLS-inspecting proxy re-signs traffic
Corporate egress proxies decrypt and re-encrypt HTTPS with their own CA. Node does not trust that CA by default, so verification fails.
A private registry uses a custom CA
An internal registry served with a non-public CA certificate is not in Node’s bundled trust store.
How to fix it
Trust the CA properly
Add the corporate/private CA to Node’s trust store rather than disabling TLS.
# point Node at the extra CA bundle
export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/corp-ca.pem
npm ciConfigure npm to use the CA file
- Set
npm config set cafile /path/to/corp-ca.pem. - Install the CA into the runner image so it is available to all tools.
- Verify the registry hostname matches the certificate.
How to prevent it
- Bake the corporate/private CA into CI images.
- Use NODE_EXTRA_CA_CERTS rather than disabling strict-ssl.
- Keep registry certificates valid and matched to their hostname.