This error occurs when npm can't verify the SSL certificate when cloning a Git dependency. Usually caused by corporate proxies, self-signed certificates, or outdated CA certificates.
When npm tries to clone a Git dependency over HTTPS, it verifies the server's SSL certificate. This error means the certificate couldn't be verified—either because a corporate proxy is intercepting the connection, the certificate is self-signed, or the system's certificate store is outdated. This is extremely common in corporate environments where security proxies inspect HTTPS traffic by injecting their own certificates. It can also occur with private Git servers that use self-signed certificates. The error often shows specific details like "unable to get local issuer certificate" or "certificate verify failed."
First, determine if this is a corporate proxy issue:
# Test direct git access
git clone https://github.com/user/repo.git
# Check what certificate is being served
openssl s_client -connect github.com:443 -servername github.comIf the certificate issuer looks like your company (not DigiCert or similar), it's likely a corporate proxy.
If your company uses SSL inspection, get the CA certificate from IT and configure Node.js to trust it:
# Set environment variable to add extra CA certificates
export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem
# Make it permanent in your shell profile
echo 'export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem' >> ~/.bashrcFor Windows:
set NODE_EXTRA_CA_CERTS=C:\path\to\corporate-ca.pemTell Git to trust the certificate:
# For specific repository
git config http.sslCAInfo /path/to/corporate-ca.pem
# Or globally
git config --global http.sslCAInfo /path/to/corporate-ca.pemOn Windows, use the native certificate store:
git config --global http.sslBackend schannelIf you're behind a corporate proxy:
npm config set proxy http://proxy.company.com:8080
npm config set https-proxy http://proxy.company.com:8080After configuring certificates:
rm -rf node_modules package-lock.json
npm cache clean --force
npm installNever Disable SSL in Production: Disabling SSL verification (npm config set strict-ssl false or git config http.sslVerify false) opens you to man-in-the-middle attacks. Only use these temporarily to diagnose issues, never in CI/CD or production.
NODE_EXTRA_CA_CERTS vs cafile: NODE_EXTRA_CA_CERTS adds to the existing trusted certificates, while npm config set cafile replaces them. Always prefer NODE_EXTRA_CA_CERTS.
Getting Corporate Certificates:
1. Ask your IT department for the CA certificate in PEM format
2. Export from browser: visit any HTTPS site, view certificate, export the root CA
3. On Windows, export from certmgr.msc
Certificate Format: The certificate must be in PEM format (starts with -----BEGIN CERTIFICATE-----). Convert from other formats:
openssl x509 -inform der -in certificate.cer -out certificate.pemnpm ERR! code ENOAUDIT npm ERR! Audit endpoint not supported
How to fix "npm ERR! code ENOAUDIT - Audit endpoint not supported"
npm ERR! code EBADDEVENGINES npm ERR! devEngines.runtime incompatible with current node version
How to fix "npm ERR! code EBADDEVENGINES - devEngines.runtime incompatible with current node version"
npm ERR! code ETOOMANYARGS npm ERR! Too many arguments
How to fix "npm ERR! code ETOOMANYARGS - Too many arguments"
npm ERR! code EINVALIDTAGNAME npm ERR! Invalid tag name: tag names cannot contain spaces
How to fix "npm ERR! code EINVALIDTAGNAME - tag names cannot contain spaces"
npm ERR! code E400 npm ERR! 400 Bad Request
How to fix "npm ERR! code E400 - 400 Bad Request" error