The "unable to get issuer certificate" error occurs when npm cannot verify the SSL/TLS certificate chain for the registry. This is commonly caused by corporate proxies performing SSL inspection or missing CA certificates.
This SSL/TLS error indicates that npm received a certificate from the registry but cannot verify it because the issuer (Certificate Authority) certificate is not in the trusted certificate store. The certificate chain is incomplete - npm has the end certificate but cannot trace it back to a trusted root CA. This commonly happens in corporate environments where a proxy intercepts HTTPS traffic and re-signs it with a corporate CA certificate that is not in Node.js's trust store.
Check what certificate npm is receiving:
openssl s_client -connect registry.npmjs.org:443 -showcertsLook at the certificate chain. If it shows your company's name, you're behind an SSL-inspecting proxy.
Export the CA certificate from your browser:
1. Open https://registry.npmjs.org in browser
2. Click the lock icon > Certificate > Details
3. Find the root CA certificate
4. Export as PEM/CRT format
5. Save as corporate-ca.crt
Add the corporate CA to npm's trusted certificates:
npm config set cafile /path/to/corporate-ca.crtOr set via environment variable:
export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.crtAdd the corporate CA system-wide:
# Ubuntu/Debian
sudo cp corporate-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
# CentOS/RHEL
sudo cp corporate-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
# macOS
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain corporate-ca.crtAs a last resort for testing only:
npm config set strict-ssl falseā ļø This disables certificate verification entirely and should only be used temporarily. It exposes you to man-in-the-middle attacks.
Many companies provide internal npm mirrors:
npm config set registry https://npm.internal.company.comThis often bypasses SSL inspection issues.
In CI/CD pipelines, mount the corporate CA certificate and set NODE_EXTRA_CA_CERTS. For Docker builds, use a base image that includes your corporate CAs or COPY the certificate and run update-ca-certificates. Some proxy solutions like Zscaler or corporate firewalls require specific client certificates - work with your IT security team. Never distribute strict-ssl=false configurations to production systems.
npm notice access token expired or revoked. Please try logging in again.
Token has expired - npm authentication failure
npm ERR! code EAI_AGAIN
How to fix "EAI_AGAIN" in npm
npm error code E403 npm error 403 Forbidden - PUT https://registry.npmjs.org/<package>
How to fix 'E403 Forbidden' error in npm
npm ERR! code EUSAGE npm ERR! Usage error
How to fix "npm ERR! code EUSAGE" in Node.js projects
npm ERR! code E401 npm ERR! 401 Unauthorized
How to fix "E401 Unauthorized" in npm