Home > Enterprise >  SSL unsafe legacy renegotiation disabled
SSL unsafe legacy renegotiation disabled

Time:11-15

I have found other posts with this error on code side and some that give some workarounds that in theory should work for the package manager but none seem to work.

I have had NPM working previously and I'm not sure what changed recently that broke it.

I'm trying to install better-sqlite3 in this instance.

request to https://registry.npmjs.org/better-sqlite3 failed, reason: write EPROTO 7C720000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:c:\ws\deps\openssl\openssl\ssl\statem\extensions.c:908:

My initial thought on seeing this was to disable strict-ssl, which I know isn't best option, but is the one I was aware of. That didn't fix the issue.

I've also tried exporting random (becuase I don't know which to pick and there are 3 of them) root certificates for my company from chrome into a folder and then adding npm config set cafile path/to/file but that doesn't seem to work

I've also tried NODE_OPTIONS=--tls-min-v1.0 and NODE_OPTIONS=--use-openssl-ca

I know I'm going to get a lot of not-great options that aren't secure, and I'd rather go with secure options, but the directions provided are frequently not clear to me, maybe because I lack some knowledge about these utilities that others have.

I can get to everywhere via my browser, is there anyway to manually download materials and cache it somewhere for npm? This can be helpful in some situations as well, but I have no idea how to do it.

Latest error (along with what is successful). This is after I used openssl command to find the certificate actually being pulled back, and then adding that to the npm configuration (both global and user).

npm http fetch GET 200 https://registry.npmjs.org/rc 70373ms (cache stale)
npm verb type system
npm verb stack FetchError: request to https://registry.npmjs.org/minimist failed, reason: write EPROTO 08840000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:c:\ws\deps\openssl\openssl\ssl\statem\extensions.c:908:
npm verb stack
npm verb stack     at ClientRequest.<anonymous> (C:\Program Files\nvm\v19.0.0\node_modules\npm\node_modules\minipass-fetch\lib\index.js:130:14)
npm verb stack     at ClientRequest.emit (node:events:513:28)
npm verb stack     at TLSSocket.socketErrorListener (node:_http_client:488:9)
npm verb stack     at TLSSocket.emit (node:events:525:35)
npm verb stack     at emitErrorNT (node:internal/streams/destroy:151:8)
npm verb stack     at emitErrorCloseNT (node:internal/streams/destroy:116:3)
npm verb stack     at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
npm verb cwd c:\BitBucket\test
npm verb Windows_NT 10.0.19044
npm verb node v19.0.0
npm verb npm  v9.1.1
npm ERR! code EPROTO
npm ERR! syscall write
npm ERR! errno EPROTO
npm ERR! request to https://registry.npmjs.org/minimist failed, reason: write EPROTO 08840000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:c:\ws\deps\openssl\openssl\ssl\statem\extensions.c:908:
npm ERR!

After spending my entire evening up to 1 AM on this I was able to get npm itself working by cleaning out all of my settings for npm and then re-setting each of them, strict-ssl false is back now, the certificate is set also, but since not everything would work right with it I had to do strict-ssl false anyway :/

I had to add my proxy settings back even though I think in theory it's not supposed to be needed because I could fetch some things without it set, but apparently not everything.

Now, the only issue I'm having is with node-gyp. Everything else can pull packages with current config, curl, npm, I even added yarn and got it working, but node-gyp consistently errors out with this inane error

npm ERR! gyp ERR! stack FetchError: request to https://nodejs.org/download/release/v19.0.0/node-v19.0.0-headers.tar.gz failed, reason: unable to get local issuer certificate

So infuriating.

CodePudding user response:

There was an internal repository/mirror setup within my company, so unfortunately the answer here won't apply for others, but all I had to do was retain my strict-ssl false type of settings and setup their repository.

  • Related