npmca

npm add root CA


I am looking for a way to add a custom CA to NPM so I can download from a location using said certificate (an internal git-server) without having to nuke all CA-checking with

npm config set strict-ssl false

Is there any way of achieving this or not? (if not: is there already a defect?)


Solution

  • You can point npm to a cafile

    npm config set cafile /path/to/cert.pem
    

    You can also configure ca string(s) directly.

    npm config set ca "cert string"
    

    ca can be an array of cert strings too. In your .npmrc:

    ca[]="cert 1 base64 string"
    ca[]="cert 2 base64 string"
    

    The npm config commands above will persist the relevant config items to your ~/.npmrc file:

    cafile=/path/to/cert.pem
    

    Note: these CA settings will override the default "real world" certificate authority lookups that npm uses. If you try and use any public npm registries via https that aren't signed by your CA certificate, you will get errors.

    So, if you need to support both public https npm registries as well as your own, you could use curl's Mozilla based CA bundle and append your CA cert to the cacert.pem file:

    curl -o ~/.npm.certs.pem https://curl.se/ca/cacert.pem
    cat my-ca-cert.pem >> ~/.npm.certs.pem
    npm config set cafile ~/.npm.certs.pem
    

    Unfortunately npm's CA bundle is not editable as it's provided in the source code (thanks tomekwi) but nitzel has provided a generic Node.js method to append a certificate via the NODE_EXTRA_CA_CERTS environment variable.

    RHEL Note: If you happen to be using a RHEL based distro and the RHEL packaged nodejs/npm you can use the standard update-ca-trust method as RedHat points their packages at the system CA's.