The "unable to get issuer certificate" error occurs when npm cannot verify the SSL/TLS certificate chain for the registry. This is commonly caused by corporate proxies performing SSL inspection or missing CA certificates.
This SSL/TLS error indicates that npm received a certificate from the registry but cannot verify it because the issuer (Certificate Authority) certificate is not in the trusted certificate store. The certificate chain is incomplete - npm has the end certificate but cannot trace it back to a trusted root CA. This commonly happens in corporate environments where a proxy intercepts HTTPS traffic and re-signs it with a corporate CA certificate that is not in Node.js's trust store.
Check what certificate npm is receiving:
openssl s_client -connect registry.npmjs.org:443 -showcertsLook at the certificate chain. If it shows your company's name, you're behind an SSL-inspecting proxy.
Export the CA certificate from your browser:
1. Open https://registry.npmjs.org in browser
2. Click the lock icon > Certificate > Details
3. Find the root CA certificate
4. Export as PEM/CRT format
5. Save as corporate-ca.crt
Add the corporate CA to npm's trusted certificates:
npm config set cafile /path/to/corporate-ca.crtOr set via environment variable:
export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.crtAdd the corporate CA system-wide:
# Ubuntu/Debian
sudo cp corporate-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
# CentOS/RHEL
sudo cp corporate-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
# macOS
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain corporate-ca.crtAs a last resort for testing only:
npm config set strict-ssl falseā ļø This disables certificate verification entirely and should only be used temporarily. It exposes you to man-in-the-middle attacks.
Many companies provide internal npm mirrors:
npm config set registry https://npm.internal.company.comThis often bypasses SSL inspection issues.
In CI/CD pipelines, mount the corporate CA certificate and set NODE_EXTRA_CA_CERTS. For Docker builds, use a base image that includes your corporate CAs or COPY the certificate and run update-ca-certificates. Some proxy solutions like Zscaler or corporate firewalls require specific client certificates - work with your IT security team. Never distribute strict-ssl=false configurations to production systems.
npm ERR! code ENOAUDIT npm ERR! Audit endpoint not supported
How to fix "npm ERR! code ENOAUDIT - Audit endpoint not supported"
npm ERR! code EBADDEVENGINES npm ERR! devEngines.runtime incompatible with current node version
How to fix "npm ERR! code EBADDEVENGINES - devEngines.runtime incompatible with current node version"
npm ERR! code ETOOMANYARGS npm ERR! Too many arguments
How to fix "npm ERR! code ETOOMANYARGS - Too many arguments"
npm ERR! code EINVALIDTAGNAME npm ERR! Invalid tag name: tag names cannot contain spaces
How to fix "npm ERR! code EINVALIDTAGNAME - tag names cannot contain spaces"
npm ERR! code E400 npm ERR! 400 Bad Request
How to fix "npm ERR! code E400 - 400 Bad Request" error