SELF_SIGNED_CERT_IN_CHAIN
The client built the server's certificate chain up to a self-signed root, but that root is not in its trust store. It is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (verify error 19), surfaced under the shorter name by Node.js; a server whose leaf certificate is itself self-signed fails with DEPTH_ZERO_SELF_SIGNED_CERT instead. With npm, Node.js, or git this is almost always a corporate TLS-intercepting proxy or a private/internal CA, not a problem with the package registry itself.
Common causes
- A corporate TLS-intercepting proxy (Zscaler, Netskope, and similar) is re-signing traffic with its own self-signed root.
- The endpoint uses a private/internal CA that isn’t in the client’s trust store.
- The endpoint is served from a chain that ends in a self-signed root no public client trusts (a homegrown CA used for a production service).
How to fix it
1. Identify the chain and the self-signed certificate at the top of it:
   openssl s_client -connect registry.npmjs.org:443 -servername registry.npmjs.org -showcerts </dev/null
   On an affected machine the transcript shows "verify error:num=19:self signed certificate in certificate chain" and ends with "Verify return code: 19". The certificate whose issuer equals its subject is the root you are missing; if it is a proxy's root rather than the registry's public CA, traffic is being intercepted.
2. If it is a legitimate proxy or private CA, add that root to the trust store instead of disabling verification. For npm and Node.js, point them at the CA bundle:
   npm config set cafile /path/to/corporate-ca.crt
   export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.crt
   NODE_EXTRA_CA_CERTS adds to Node's built-in roots, but npm's cafile (and git's http.sslCAInfo) replaces the default set, so if only some traffic is intercepted the file must also carry the public roots you still need.
3. Avoid the insecure shortcuts (npm config set strict-ssl false, git -c http.sslVerify=false, NODE_TLS_REJECT_UNAUTHORIZED=0): they disable the check that protects you from interception, for every host, not just the one you were debugging.
4. If the chain is rooted in a self-signed certificate on a production endpoint, replace it with one from a trusted CA.
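The steps above as a runnable script. This is an added example, not code from the original page or from SSLNudge: it assumes only a POSIX shell and the openssl CLI, and stands in for the corporate proxy by generating its own self-signed "Example Corp Proxy Root" and a leaf for registry.npmjs.org signed by it (both constructed locally, no network). It splits a saved s_client transcript into its certificates, picks out the self-signed member, reproduces error 19 with the root untrusted, shows verification passing once the root is supplied, and prints the npm/Node.js/git settings that pin it.

```shell
#!/bin/sh
# Added example (not from the original page). Needs only sh + openssl.
set -eu

# Constructed stand-in for what a TLS-intercepting proxy presents:
# a self-signed root and a registry leaf signed by that root.
make_demo_chain() {
  dir="$1"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Corp Proxy Root" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=registry.npmjs.org" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -out "$dir/leaf.pem" 2>/dev/null
}

# Constructed stand-in for a saved `openssl s_client -showcerts` transcript
# (leaf first, root last, followed by the verify summary line).
make_demo_transcript() {
  dir="$1"
  {
    echo "depth=1 CN = Example Corp Proxy Root"
    echo "verify error:num=19:self signed certificate in certificate chain"
    cat "$dir/leaf.pem" "$dir/root.pem"
    echo "Verify return code: 19 (self signed certificate in certificate chain)"
  } > "$dir/transcript.txt"
}

# Split a transcript into cert1.pem, cert2.pem, ... and print how many were found.
split_chain() {
  transcript="$1"; outdir="$2"; mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$transcript"
}

# Numeric verify result from the transcript; 19 is SELF_SIGNED_CERT_IN_CHAIN.
transcript_verify_code() {
  sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' "$1" | tail -n 1
}

# A certificate is self-signed when its issuer equals its subject.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Print the self-signed members of a split chain: the root the client lacks.
find_self_signed() {
  for c in "$1"/cert*.pem; do
    is_self_signed "$c" && printf '%s\n' "$c"
  done
  return 0
}

# What the client sees today: chain builds through the untrusted root,
# root not in the store. Prints the OpenSSL error number, empty if it passes.
verify_error_code() {
  openssl verify -untrusted "$2" "$1" 2>&1 \
    | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# What the client sees once the root is trusted (exit 0 on success).
verify_with_root() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# The page's fix: pin the root for each client instead of disabling checks.
# (npm cafile and git sslCAInfo replace the default bundle; NODE_EXTRA_CA_CERTS adds to it.)
trust_root_commands() {
  printf 'npm config set cafile %s\n' "$1"
  printf 'export NODE_EXTRA_CA_CERTS=%s\n' "$1"
  printf 'git config --global http.sslCAInfo %s\n' "$1"
}

main() {
  work=$(mktemp -d)
  make_demo_chain "$work"; make_demo_transcript "$work"
  echo "certificates in chain: $(split_chain "$work/transcript.txt" "$work/chain")"
  echo "s_client verify code: $(transcript_verify_code "$work/transcript.txt")"
  echo "self-signed member(s):"; find_self_signed "$work/chain"
  echo "openssl error with root untrusted: $(verify_error_code "$work/leaf.pem" "$work/root.pem")"
  verify_with_root "$work/leaf.pem" "$work/root.pem" && echo "verifies once the root is trusted"
  trust_root_commands "$work/root.pem"
}
main
```

To use it against a real endpoint, save the output of the s_client command from step 1 to a file and feed it to split_chain; then decide whether the self-signed member find_self_signed reports is a proxy or internal root you expect to trust before pinning it.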
Catch these before your users do
SSLNudge detects SELF_SIGNED_CERT_IN_CHAIN and expiry issues daily and alerts you.