docker npm ssl-certificate

npm UNABLE_TO_GET_ISSUER_CERT_LOCALLY in docker behind corporate firewall


I am getting an error running npm as root in a Dockerfile.

 > [runner  5/10] RUN npm install --global pm2:
#0 71.79 npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY

We have an antivirus/corporate firewall that we can't turn off, which substitutes SSL certificates to inspect traffic.

My problem is that because npm install --global pm2 is running as root, it does not honor export NODE_EXTRA_CA_CERTS=/path/to/my-cacert.crt.

I tried with RUN npm config set cafile /path/to/my-cacert.crt, but that also didn't work for some reason.

How can I fix UNABLE_TO_GET_ISSUER_CERT_LOCALLY when running npm as root in a docker container?

This Dockerfile reproduces the issue:

FROM node:alpine AS deps

COPY my.crt /usr/local/share/ca-certificates/
RUN cat /usr/local/share/ca-certificates/my.crt >>/etc/ssl/certs/ca-certificates.crt

RUN npm install --global pm2

Solution

  • If you post your Dockerfile it will be helpful, but there are multiple options for you.

    1- Instead of using export, set your NODE_EXTRA_CA_CERTS with the ARG option in the Dockerfile; it will be used for all users, no matter if you change your user between builds, like this:

    FROM node:alpine AS deps
    
    ARG NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
    
    COPY my.crt /usr/local/share/ca-certificates/
    RUN cat /usr/local/share/ca-certificates/my.crt >>/etc/ssl/certs/ca-certificates.crt
    
    RUN npm install --global pm2
    

    But if you set a variable with export, it will be used just for the RUN entry in which you used export. Remember, if you are doing a multi-stage build, ARG is scoped to its stage, and if you need to set this in different stages, you have to use your ARG in each stage.

    2- Use http instead of https (it is not secure but usable). You can set it within your configuration like: npm config set registry http://registry.npmjs.org/

    3- Add your CA certificate to the trusted certificates within your Dockerfile, like:

    ...
    COPY ca.crt /usr/local/share/ca-certificates/ca.crt
    RUN apt update && \
      apt install -y ca-certificates && \
      update-ca-certificates
    ...
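
An added example, not part of the question or the answer above: a multi-stage Dockerfile that keeps the registry on HTTPS and trusts the corporate CA in every stage by using ENV in a shared base stage. It assumes my.crt is the PEM-encoded corporate root CA next to the Dockerfile; the stage names base, deps and runner are illustrative.

```dockerfile
# Added example. Assumption: my.crt is the PEM-encoded corporate root CA.
FROM node:alpine AS base

# Keep the CA at one known path inside the image.
COPY my.crt /usr/local/share/ca-certificates/my.crt

# Fail the build early if the file is empty or not PEM. Node only prints a
# warning when it cannot load NODE_EXTRA_CA_CERTS, and the TLS error then
# shows up later in npm.
RUN test -s /usr/local/share/ca-certificates/my.crt \
 && grep -q -- '-----BEGIN CERTIFICATE-----' /usr/local/share/ca-certificates/my.crt

# System bundle, for non-Node tools in the image (same step as in the question).
RUN cat /usr/local/share/ca-certificates/my.crt >> /etc/ssl/certs/ca-certificates.crt

# Node uses its own bundled CA list by default, not the system bundle, so it
# has to be pointed at the extra CA explicitly. ENV is stored in the image:
# it applies to every later RUN, to every user, and to the running container.
# ARG is build-time only and scoped to one stage; export lasts for one RUN.
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/my.crt

FROM base AS deps
# Certificate verification stays on and the registry stays on HTTPS.
RUN npm install --global pm2

FROM base AS runner
# Stages built FROM base inherit the ENV, so nothing needs repeating here.
USER node
RUN node -p "process.env.NODE_EXTRA_CA_CERTS"
```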