Does not respect NODE_TLS_REJECT_UNAUTHORIZED

[julien-f]

• Node Version: Node 16.14.2 and npm 8.4.0
• Platform: Linux xoa 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64 GNU/Linux
• Compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
• Module: cpu-features

Verbose output (from npm or node-gyp):

$ NODE_TLS_REJECT_UNAUTHORIZED=0 ./node_modules/.bin/node-gyp configure
gyp info it worked if it ends with ok
gyp info using node-gyp@9.0.0
gyp info using node@16.14.2 | linux | x64
gyp info find Python using Python version 3.9.2 found at "/usr/bin/python3"
gyp http GET https://nodejs.org/download/release/v16.14.2/node-v16.14.2-headers.tar.gz
(node:751064) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
(Use `node --trace-warnings ...` to show where the warning was created)
gyp WARN install got an error, rolling back install
gyp ERR! configure error 
gyp ERR! stack FetchError: request to https://nodejs.org/download/release/v16.14.2/node-v16.14.2-headers.tar.gz failed, reason: unable to get local issuer certificate
gyp ERR! stack     at ClientRequest.<anonymous> (/root/node-gyp/node_modules/minipass-fetch/lib/index.js:130:14)
gyp ERR! stack     at ClientRequest.emit (node:events:526:28)
gyp ERR! stack     at TLSSocket.socketErrorListener (node:_http_client:442:9)
gyp ERR! stack     at TLSSocket.emit (node:events:538:35)
gyp ERR! stack     at emitErrorNT (node:internal/streams/destroy:157:8)
gyp ERR! stack     at emitErrorCloseNT (node:internal/streams/destroy:122:3)
gyp ERR! stack     at processTicksAndRejections (node:internal/process/task_queues:83:21)
gyp ERR! System Linux 5.10.0-13-amd64
gyp ERR! command "/usr/local/bin/node" "/root/node-gyp/node_modules/.bin/node-gyp" "configure"
gyp ERR! cwd /root/node-gyp
gyp ERR! node -v v16.14.2
gyp ERR! node-gyp -v v9.0.0
gyp ERR! not ok 

From what I could gather:

• calls make-fetch-happens without using strictSSL (source)
• strictSSL defaults to false if not specified (source)
• minipass-fetch's NODE_TLS_REJECT_UNAUTHORIZED handling is not triggered (source)

[tonjohn]

I hit this in Node 16.14.0 and 16.16.0. However, 16.13 appears to work as expected.

[xantari]

Appear to also be running into this. Seems to occur in corporate environments where they do deep packet inspection where they strip away the SSL to inspect the traffic and re-assemble it.

Will try back down to a previous version of node as the comment above suggestions.

C:\TFS\Test\node_modules\node-sass>node scripts/build.js
Building: C:\Program Files\nodejs\node.exe C:\TFS\Test\node_modules\node-sass\node_modules\node-gyp\bin\node-gyp.js rebuild --verbose --libsass_ext= --libsass_cflags= --libsass_ldflags= --libsass_library=
gyp info it worked if it ends with ok
gyp verb cli [
gyp verb cli   'C:\\Program Files\\nodejs\\node.exe',
gyp verb cli   'C:\\TFS\\Test\\node_modules\\node-sass\\node_modules\\node-gyp\\bin\\node-gyp.js',
gyp verb cli   'rebuild',
gyp verb cli   '--verbose',
gyp verb cli   '--libsass_ext=',
gyp verb cli   '--libsass_cflags=',
gyp verb cli   '--libsass_ldflags=',
gyp verb cli   '--libsass_library='
gyp verb cli ]
gyp info using node-gyp@7.1.2
gyp info using node@16.17.1 | win32 | x64
gyp verb command rebuild []
gyp verb command clean []
gyp verb clean removing "build" directory
gyp verb command configure []
gyp verb find Python Python is not set from command line or npm configuration
gyp verb find Python Python is not set from environment variable PYTHON
gyp verb find Python checking if "python3" can be used
gyp verb find Python - executing "python3" to get executable path
gyp verb find Python - "python3" is not in PATH or produced an error
gyp verb find Python checking if "python" can be used
gyp verb find Python - executing "python" to get executable path
gyp verb find Python - executable path is "C:\Program Files\Python39\python.exe"
gyp verb find Python - executing "C:\Program Files\Python39\python.exe" to get version
gyp verb find Python - version is "3.9.11"
gyp info find Python using Python version 3.9.11 found at "C:\Program Files\Python39\python.exe"
gyp verb get node dir no --target version specified, falling back to host node version: 16.17.1
gyp verb command install [ '16.17.1' ]
gyp verb install input version string "16.17.1"
gyp verb install installing version: 16.17.1
gyp verb install --ensure was passed, so won't reinstall if already installed
gyp verb install version not already installed, continuing with install 16.17.1
gyp verb ensuring nodedir is created C:\Users\matto\AppData\Local\node-gyp\Cache\16.17.1
gyp verb created nodedir C:\Users\test\AppData\Local\node-gyp\Cache\16.17.1
gyp http GET https://nodejs.org/download/release/v16.17.1/node-v16.17.1-headers.tar.gz
gyp WARN install got an error, rolling back install
gyp verb command remove [ '16.17.1' ]
gyp verb remove using node-gyp dir: C:\Users\test\AppData\Local\node-gyp\Cache
gyp verb remove removing target version: 16.17.1
gyp verb remove removing development files for version: 16.17.1
gyp ERR! configure error
gyp ERR! stack Error: self signed certificate in certificate chain
gyp ERR! stack     at TLSSocket.onConnectSecure (node:_tls_wrap:1535:34)
gyp ERR! stack     at TLSSocket.emit (node:events:513:28)
gyp ERR! stack     at TLSSocket._finishInit (node:_tls_wrap:949:8)
gyp ERR! stack     at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:730:12)
gyp ERR! System Windows_NT 10.0.19044
gyp ERR! command "C:\\Program Files\\nodejs\\node.exe" "C:\\TFS\\Test\\node_modules\\node-sass\\node_modules\\node-gyp\\bin\\node-gyp.js" "rebuild" "--verbose" "--libsass_ext=" "--libsass_cflags=" "--libsass_ldflags=" "--libsass_library="
gyp ERR! cwd C:\TFS\Test\node_modules\node-sass
gyp ERR! node -v v16.17.1
gyp ERR! node-gyp -v v7.1.2
gyp ERR! not ok
Build failed with error code: 1

[uberDoward]

Confirming this is an issue with Node 16.17.1, here, as well.

[korodarn]

Having this issue as well. Is there some kind of workaround to manually build it or a way to install it without building it?

[arontsang]

Confirming this issue is still around in node v19.6.1

Seriously!?

[cclauss]

#695 (comment)

[jbgomond]

node-gyp switched to make-fetch-happen, which does not support this this environment variable ...

[cclauss]

https://github.com/nodejs/node-gyp/pulls?q=is%3Apr+is%3Aopen+fetch

[jasondalycanpk]

Same issue. Setting NODE_EXTRA_CA_CERTS as per https://stackoverflow.com/questions/34608969/stack-error-self-signed-certificate-in-certificate-chain-when-trying-to-build resolved the issue for me on Node.js 20.x .

[brunoargolo]

As per @jbgomond this is caused by make-fetch-happen.
I opened a PR to address it npm/make-fetch-happen#316
mean as a workaround you can edit your local copy:
In my case I use pnpm and its located at: ~\AppData\Roaming\npm\node_modules\pnpm\dist\node_modules\make-fetch-happen\lib\options.js

replace
options.rejectUnauthorized = strictSSL !== false
with
options.rejectUnauthorized = false

[lukekarrys]

make-fetch-happen@14.0.3 now respects NODE_TLS_REJECT_UNAUTHORIZED npm/make-fetch-happen#316. But node-gyp will need to release a new major so that it can update from make-fetch-happen@13 to 14 since there is an engines mismatch.