SSL Error: CERT_UNTRUSTED on dotCloud

Question

I'm seeing the following error when deploying a Node.js service on dotCloud:

23:03:59.958870: [www] npm ERR! Error: SSL Error: CERT_UNTRUSTED
23:03:59.959405: [www] npm ERR!     at ClientRequest.<anonymous> (/opt/node/v0.8.3/lib/node_modules/npm/node_modules/request/main.js:440:26)
23:03:59.959736: [www] npm ERR!     at ClientRequest.g (events.js:185:14)
23:03:59.960068: [www] npm ERR!     at ClientRequest.EventEmitter.emit (events.js:88:17)
23:03:59.960399: [www] npm ERR!     at HTTPParser.parserOnIncomingClient [as onIncoming] (http.js:1445:7)
23:03:59.968852: [www] npm ERR!     at HTTPParser.parserOnHeadersComplete [as onHeadersComplete] (http.js:111:23)
23:03:59.969361: [www] npm ERR!     at CleartextStream.socketOnData [as ondata] (http.js:1356:20)
23:03:59.969696: [www] npm ERR!     at CleartextStream.CryptoStream._push (tls.js:396:27)
23:03:59.970028: [www] npm ERR!     at SecurePair.cycle (tls.js:750:20)
23:03:59.970359: [www] npm ERR!     at EncryptedStream.CryptoStream.write (tls.js:131:13)
23:03:59.970694: [www] npm ERR!     at Socket.ondata (stream.js:38:26)
23:03:59.971012: [www] npm ERR! If you need help, you may report this log at:
23:03:59.971299: [www] npm ERR!     <http://github.com/isaacs/npm/issues>
23:03:59.971587: [www] npm ERR! or email it to:
23:03:59.971876: [www] npm ERR!     <npm-@googlegroups.com>
23:03:59.972208: [www]
23:03:59.972543: [www] npm ERR! System Linux 2.6.38.2-grsec-dotcloud-ec2
23:03:59.972852: [www] npm ERR! command "node" "/opt/node/default/bin/npm" "install"
23:03:59.973251: [www] npm ERR! cwd /home/dotcloud/rsync-1388703750593/app
23:03:59.973584: [www] npm ERR! node -v v0.8.3
23:03:59.973914: [www] npm ERR! npm -v 1.1.44
23:04:00.331100: [www] npm ERR!
23:04:00.331630: [www] npm ERR! Additional logging details can be found in:
23:04:00.331955: [www] npm ERR!     /home/dotcloud/rsync-1388703750593/app/npm-debug.log
23:04:00.332280: [www] npm ERR! not ok code 0
23:04:01.058860: [www] -- Build failed: "npm install" failed with return code 1

Answer 1

I found the following SO question that seems to suggest some of the npm packages might be using self-signed certificates, causing the error. It seems like the root fix should be with the package itself, using a registered certificate. However, as a workaround for dotCloud, you could use a pre-build hook to run the following command npm config set strict-ssl false which seemed to work in my testing.

To use this approach you'd do the following:

1) add a prebuild directive to your dotcloud.yml file. Your dotcloud yml file might look like the following:

www:
    type: nodejs
    approot: app
    processes:
        app: node app.js
    config:
        node_version: v0.8.x
    prebuild: ./prebuild.sh     # <-- prebuild directive
redis:
    type: redis

2) add the prebuild.sh file to whereever your application root is. If you don't use an app root, this is just the root of your project.

3) add the following to your prebuild.sh file

#!/bin/bash
npm config set strict-ssl false

Answer 2

Either update your node/npm (preferred), or run npm config set ca null.

They changed certificate at npmjs.org recently because old one is expired, but your npm has old one hardcoded into it.

PS: setting strict-ssl to false is an extremely bad idea, unless you know what are you doing.

Answer 3

According to the npm blog, the preferred solution is to re-install npm like this:

#!/bin/bash
set -e
npm install npm@">1.4.0" -g --ca=null

That will also work on the dotCloud platform. You can use that snippet as your prebuild.sh script and then the rest of your packages should install fine. The @">1.4.0" syntax just makes it so once you have a new enough version installed, you don't keep updating unnecessarily. If you want something newer, feel free to change it. If you always want the latest version of npm, feel free to remove @">1.4.0" altogether.