Fix npm Error Code UNABLE_TO_GET_ISSUER_CERT_LOCALLY

Nitin

5 months ago

Encountering the npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY error can feel like hitting a brick wall in your development workflow. As an expert software developer, I’ve seen this issue pop up often, especially when working behind corporate firewalls or on systems with tricky network configurations. But don’t worry—this guide will walk you through everything you need to know about this error in 2025, from what causes it to the safest and most effective ways to fix it. We’ll keep it clear, engaging, and optimized for search engines, so you can get back to coding fast.

What Is the npm UNABLE_TO_GET_ISSUER_CERT_LOCALLY Error?

The UNABLE_TO_GET_ISSUER_CERT_LOCALLY error happens when npm (Node Package Manager) can’t verify the SSL/TLS certificate of a server it’s trying to connect to, usually the npm registry (https://registry.npmjs.org). In simple terms, npm is saying, “I don’t trust this server because I can’t confirm its identity.”

This error typically shows up when you run commands like npm install, npm update, or npm publish. The error message might look something like this:

npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! unable to get local issuer certificate
npm ERR! request to https://registry.npmjs.org/<package> failed

It’s frustrating, but it’s usually caused by a hiccup in how your system handles SSL certificates. Let’s break it down and fix it step by step.

Why Does This Error Happen?

Before jumping to solutions, it’s worth understanding the root causes. This error is tied to SSL/TLS, the tech that keeps internet connections secure. When npm tries to fetch a package over HTTPS, it checks the server’s certificate to ensure it’s legit. If it can’t verify the certificate’s issuer (the Certificate Authority, or CA), it throws this error. Here are the most common reasons in 2025:

Corporate Firewalls or Proxies: Many companies use firewalls or proxies (like Zscaler) that swap out SSL certificates to monitor traffic. This can confuse npm because the certificate doesn’t match the expected CA.
Missing or Outdated CA Certificates: Your system might not have the right root or intermediate certificates to trust the npm registry.
Self-Signed Certificates: If the server uses a self-signed certificate (common in internal networks), npm won’t trust it by default.
Misconfigured npm Settings: Incorrect settings in your .npmrc file or environment variables can break certificate validation.
Outdated Node.js/npm Versions: Older versions might not support newer SSL/TLS protocols or certificate chains.
VPN or Network Issues: Some VPNs or network setups interfere with certificate verification.

Understanding the cause helps you pick the right fix—and avoid breaking something else!

How to Fix npm UNABLE_TO_GET_ISSUER_CERT_LOCALLY Error

Let’s dive into the solutions, starting with the safest and most recommended approaches. I’ll also warn you about risky workarounds and explain why they’re not ideal for production environments. Follow these steps in order, testing after each one to see if the issue is resolved.

1. Update Node.js and npm to the Latest Versions

Outdated versions of Node.js or npm can struggle with modern SSL/TLS requirements. In 2025, Node.js and npm are regularly updated to handle certificate chains correctly.

Steps:

Check your current versions:
bash node -v npm -v
Update Node.js to the latest stable version (e.g., v20.x or v22.x as of 2025). Use a version manager like nvm for flexibility:
bash nvm install node nvm use node
Update npm globally:
bash npm install -g npm@latest

Why It Works: Newer versions include updated CA bundles and better TLS support, fixing many certificate issues.
Test: Run npm install again to check if the error persists.

2. Verify Your Network and Disable VPN (Temporarily)

If you’re behind a corporate firewall or using a VPN, it might be swapping certificates or blocking HTTPS traffic.

Steps:

Temporarily disconnect from your VPN (if safe to do so).
Try running npm install on a different network (e.g., a personal hotspot) to isolate the issue.
If you’re in a corporate environment, contact your network admin to confirm if a proxy like Zscaler is in use.

Why It Works: VPNs or proxies can intercept SSL traffic, replacing certificates with ones npm doesn’t recognize.
Test: Run npm install after switching networks.

3. Add Your Company’s CA Certificate

If you’re behind a corporate proxy, it might use a custom certificate. You can tell Node.js to trust it by adding it to the trusted certificate store.

Steps:

Ask your network admin for the proxy’s root CA certificate (usually a .pem or .cer file).
Set the NODE_EXTRA_CA_CERTS environment variable to point to the certificate:
- Linux/macOS:
  bash export NODE_EXTRA_CA_CERTS="/path/to/your/cert.pem"
- Windows (CMD):
  bash set NODE_EXTRA_CA_CERTS=C:\path\to\your\cert.pem
- Windows (PowerShell):
  bash $env:NODE_EXTRA_CA_CERTS="C:\path\to\your\cert.pem"
To make this permanent, add it to your .bashrc, .zshrc, or system environment variables.
Alternatively, configure npm to use the certificate:
bash npm config set cafile /path/to/your/cert.pem

Why It Works: This tells Node.js and npm to trust your company’s proxy certificate, fixing the verification error.
Test: Run npm install to confirm.

4. Update System CA Certificates

Your system might be missing or have outdated CA certificates, especially on older Linux distributions or stripped-down environments.

Steps:
Linux (Ubuntu/Debian):
bash sudo apt-get update sudo apt-get install --reinstall ca-certificates sudo update-ca-certificates
Linux (Red Hat/CentOS):
bash sudo yum reinstall ca-certificates sudo update-ca-trust
macOS: macOS usually manages certificates automatically, but you can update via system updates:
bash softwareupdate --install --all
Windows: Windows updates typically include CA certificate updates. Run: certutil -generateSSTFromWU roots.sst certutil -addstore -f Root roots.sst
Why It Works: Ensures your system trusts the latest root CAs used by the npm registry.
Test: Run npm install again.

5. Switch to HTTP Registry (Temporary Workaround)

If you can’t resolve the certificate issue immediately, you can tell npm to use the HTTP version of the registry instead of HTTPS.

Steps:

Set the npm registry to HTTP:
bash npm config set registry http://registry.npmjs.org
Run your npm command (e.g., npm install).
After resolving the issue, switch back to HTTPS for security:
bash npm config set registry https://registry.npmjs.org

Why It Works: HTTP skips SSL verification entirely, bypassing the certificate error.
Warning: This is insecure because it exposes you to man-in-the-middle (MITM) attacks. Use it only as a last resort in a trusted environment and revert to HTTPS ASAP.
Test: Check if npm install works.

6. Disable Strict SSL (Risky, Avoid in Production)

You can tell npm to skip strict SSL validation, but this is a temporary and insecure fix.

Steps:

Disable strict SSL:
bash npm config set strict-ssl false
Run your npm command.
Re-enable strict SSL after fixing the issue:
bash npm config set strict-ssl true

Why It Works: This lowers npm’s security checks, allowing it to ignore certificate errors.
Warning: Like the HTTP workaround, this makes your connection vulnerable to attacks. Use only in development and on trusted networks.
Test: Try npm install.

7. Disable TLS Rejection (Very Risky, Development Only)

As a last-ditch effort, you can disable TLS certificate validation entirely for Node.js.

Steps:

Set the NODE_TLS_REJECT_UNAUTHORIZED environment variable:
- Linux/macOS:
  bash export NODE_TLS_REJECT_UNAUTHORIZED=0
- Windows (CMD):
  bash set NODE_TLS_REJECT_UNAUTHORIZED=0
- Windows (PowerShell):
  bash $env:NODE_TLS_REJECT_UNAUTHORIZED="0"
Run your npm command.
Re-enable validation afterward:
bash export NODE_TLS_REJECT_UNAUTHORIZED=1

Why It Works: This tells Node.js to ignore all TLS errors, not just npm’s.
Warning: This is extremely insecure and should never be used in production or on untrusted networks. It’s like leaving your front door wide open.
Test: Run npm install.

8. Clear npm Cache and Reset Configurations

Sometimes, a corrupted npm cache or misconfigured .npmrc file causes issues.

Steps:

Clear the npm cache:
bash npm cache clean --force
Check your .npmrc file for incorrect settings (located at ~/.npmrc or %USERPROFILE%\.npmrc):
bash npm config list
If you see a cafile or other suspicious settings, remove them:
bash npm config delete cafile npm config delete registry npm config delete strict-ssl
Reset to default settings if needed:
bash npm config set registry https://registry.npmjs.org npm config set strict-ssl true

Why It Works: Clears out bad configurations that might interfere with certificate validation.
Test: Run npm install.

Best Practices to Avoid This Error in 2025

Once you’ve fixed the error, here’s how to keep it from coming back:

Keep Node.js and npm Updated: Regularly check for updates to avoid compatibility issues.
Work with Your IT Team: If you’re in a corporate environment, collaborate with network admins to ensure proper certificate handling.
Use a Version Manager: Tools like nvm let you switch Node.js versions easily, avoiding outdated setups.
Monitor Your .npmrc: Double-check changes to npm’s configuration to avoid accidental security risks.
Avoid Insecure Workarounds: Never leave strict-ssl false or NODE_TLS_REJECT_UNAUTHORIZED=0 enabled long-term.

When to Contact Your Network Admin

If none of these solutions work, the issue is likely tied to your network setup. Reach out to your IT or network admin if:

You suspect a corporate proxy or firewall is interfering.
You need the company’s root CA certificate.
The error persists across different networks or devices.

They can provide the right certificates or adjust proxy settings to unblock npm.

FAQs About npm UNABLE_TO_GET_ISSUER_CERT_LOCALLY

Why does this error only happen at work?

It’s likely your company’s firewall or proxy is swapping SSL certificates to monitor traffic, which npm doesn’t trust by default.

Is it safe to disable strict SSL or use HTTP?

No, these are insecure and should only be used temporarily in trusted environments. Always revert to HTTPS and strict SSL for security.

Can I fix this without admin access?

Some fixes (like updating npm or clearing cache) don’t require admin rights, but adding CA certificates or updating system CAs might.

Does this error affect Yarn too?

Yes, Yarn uses similar SSL/TLS mechanisms and can hit the same issue. Most fixes here apply to Yarn as well.

Conclusion: Get Back to Coding with Confidence

The npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY error can be a pain, but it’s fixable with the right approach. By updating your tools, adding trusted certificates, or tweaking network settings, you can resolve it safely and securely. In 2025, staying on top of Node.js updates and working closely with your IT team will keep these issues at bay.

Got a stubborn case of this error? Drop a comment or check the resources below for more help. Now, go install those packages and build something awesome!

Resources

Node.js Official Documentation – Stay updated on Node.js best practices.
npm Documentation – Learn more about npm configurations.
Stack Overflow: npm Certificate Issues – Community solutions for tricky cases.

Table of Contents