ng update failes to latest version 9.1.0: unable to get local issuer certificate

[JohnnyDevNull]

🐞 Bug report

Command (mark with an x)

• new
• build
• serve
• test
• e2e
• generate
• add
• [x ] update
• lint
• xi18n
• run
• config
• help
• version
• doc

Is this a regression?

Yes, the previous version in which this bug was not present was: 9.0.7

Description

Error fetching metadata for '@angular/cli': request to https://proget.mydomain.de/npm/FEED/@angular%2fcli failed, reason: unable to get local issuer certificate

🔬 Minimal Reproduction

• Install and configure a local npm repository, e.g. ProGet
• npm set strict-ssl false
• npm set cafile C:\YourCARoot.cer
• npm set registry https://my-registry.internal-proget.de/npm/FEED
• ng update @angular/cli @angular/core

🌍 Your Environment

Attention: This is the projects local version

C:\lvs\git\ng-viewer [master ↑1]> ng --version                                                                                                                                                        Your global Angular CLI version (9.1.0) is greater than your local
version (8.3.25). The local Angular CLI version is used.

To disable this warning use "ng config -g cli.warnings.versionMismatch false".

     _                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/


Angular CLI: 8.3.25
Node: 12.16.1
OS: win32 x64
Angular: 8.2.14
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.803.25
@angular-devkit/build-angular     0.803.25
@angular-devkit/build-optimizer   0.803.25
@angular-devkit/build-webpack     0.803.25
@angular-devkit/core              7.3.9
@angular-devkit/schematics        7.3.9
@angular/cdk                      8.2.3
@angular/cli                      8.3.25
@ngtools/webpack                  8.3.25
@schematics/angular               8.3.25
@schematics/update                0.803.25
rxjs                              6.5.4
typescript                        3.5.3
webpack                           4.39.2

Anything else relevant?

Well i'am very disappointed to have this error over and over again, since Angular 5 on any version this appears again and again. Why this cannot be fixed forever!!!

Possible Fixes

• Researched from @bridzius

A quick fix from the cli perspective would be the downgrade of pacote back to @<10.

• The CLI could convert the strict-ssl setting to strictSSL

[bridzius]

The newest version of @angular/cli has an updated version of pacote@11.1.4, which, in turn has an updated version of npm-registry-fetch - ^4.0.0 to ^8.0.0.

The external API of npm-registry-fetch has changed between @6 and @7.0.0, where instead of strict-ssl (the .npmrc value as defined in npm documentation) it now expects strictSSL.

Since ng update just passes the contents of your .npmrc file into pacote, which strips the strict-ssl param from the config - npm-registry-fetch get this parameter straight from your .npmrc by itself sends it to npm-registry-fetch, but it doesn't understand it - since it is strict-ssl, not strictSSL.
EDIT: (pacote actually passes the param through to npm-registry-fetch).

This is a fix that should happen in npm-registry-fetch ideally (the library should treat strict-ssl and strictSSL similarly)

A very quick fix you can do yourself, is addingstrictSSL=false into your .npmrc file.
A quick fix from the cli perspective would be the downgrade of pacote back to @<10.

EDIT: Quick note:
Previously, if you hadn't set strict-ssl=true explicitly, npm-registry-fetch would treat it as strict-ssl=false. The default was lately changed from false to true, since npm-registry-fetch moved away from the figgy-pudding lib for cascading configs.

[JohnnyDevNull]

@bridzius

A very quick fix you can do yourself, is addingstrictSSL=false into your .npmrc file.

You saved my day! :)

But honestly who the hell have decided to change such a core flag to something else than described in the official npm documentation?

[alan-agius4]

@bridzius, great work getting to the bottom of this. Well done!

[fluggo]

I have a similar situation, but in mine, I have a working NPM config with a cafile and a registry, and strict-ssl is still at its default "true." None of the options converted in the above commits applies to my situation.

ng version shows:

     _                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/
    

Angular CLI: 9.1.0
Node: 10.16.0
OS: darwin x64

Angular: 9.0.3
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router
Ivy Workspace: Yes

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.900.3
@angular-devkit/build-angular     0.900.3
@angular-devkit/build-optimizer   0.900.3
@angular-devkit/build-webpack     0.900.3
@angular-devkit/core              9.0.3
@angular-devkit/schematics        9.1.0
@angular/cdk                      9.1.0
@angular/cli                      9.1.0
@angular/material                 9.1.0
@ngtools/webpack                  9.0.3
@schematics/angular               9.1.0
@schematics/update                0.901.0
rxjs                              6.5.4
typescript                        3.7.5
webpack                           4.41.2

Error from ng update:

An unhandled exception occurred: request to https://(private)/repository/@angular%2fcli failed, reason: self signed certificate in certificate chain
See "/private/var/folders/f7/6pd2zpgd0w36nyfls6ftl2y9rwtsmb/T/ng-PyTm2I/angular-errors.log" for further details.

npm outdated works fine.

[JohnnyDevNull]

@fluggo

An unhandled exception occurred: request to https://(private)/repository/@angular%2fcli failed, reason: self signed certificate in certificate chain
See "/private/var/folders/f7/6pd2zpgd0w36nyfls6ftl2y9rwtsmb/T/ng-PyTm2I/angular-errors.log" for further details.

npm outdated works fine.

That's why we have set strict-ssl to false, because we have also a valid cafile set. This is a problem with npm not the angular cli.

See: https://stackoverflow.com/questions/13913941/how-to-fix-ssl-certificate-error-when-running-npm-on-windows/30341389

Because our ProGet private NPM/Nuget Repository is behind a firewall it is ok for us to disable strict-ssl here. Would npm access the default schannel certificate store like git does it would work.

We get around this issue because we fetch all packages through our internal repository, that means it is also a NPM proxy.

[fluggo]

@JohnnyDevNull

I likewise have a valid cafile, and I'm using a Nexus NPM proxy, and I leave strict-ssl set to true because I actually want NPM to verify the certificate. Otherwise there wouldn't be much of a point to setting the cafile or using HTTPS in the first place. I don't want to disable the security on the connection—I want to use it.

My point is that I have a valid, secure setup, and I'm not using one of the affected settings, and so I'm not sure the commits here address the full problem. If someone puts out a build for me to test, I'll be happy to try it.

[marissagroves]

Can anyone help me with the 407 error?
I changed the strict-ssl to strictSSL, nothing happened.
D:\projects\CIS_data\Angular\polaris>ng update @angular/core An unhandled exception occurred: 407 authenticationrequired - GET https://registry.npmjs.com/@angular%2fcli

[marissagroves]

`D:\projects\CIS_data\Angular\polaris>ng --version

 _                      _                 ____ _     ___
/ \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|

/ △ \ | '_ \ / | | | | |/ _ | '__| | | | | | |
/ ___ | | | | (| | || | | (| | | | || | | |
// __| ||_, |_,||_,|| _|||
|___/

Angular CLI: 9.1.0
Node: 10.16.0
OS: win32 x64

Angular: 9.1.0
... animations, cli, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router
Ivy Workspace: Yes

Package Version

@angular-devkit/architect 0.901.0
@angular-devkit/build-angular 0.901.0
@angular-devkit/build-optimizer 0.901.0
@angular-devkit/build-webpack 0.901.0
@angular-devkit/core 9.1.0
@angular-devkit/schematics 9.1.0
@ngtools/webpack 9.1.0
@schematics/angular 9.1.0
@schematics/update 0.901.0
rxjs 6.5.5
typescript 3.8.3
webpack 4.42.0
`

[fluggo]

Can anyone help me with the 407 error?
I changed the strict-ssl to strictSSL, nothing happened.

@marissagroves Are you behind a proxy? If so, your proxy settings might be affected by this issue as well.

The patch translates these names:

npmrc	pacote
noproxy	noProxy
maxsockets	maxSockets
https-proxy	httpsProxy
strict-ssl	strictSSL
local-address	localAddress

If you have an https-proxy setting, you can try changing it to httpsProxy before the patch lands in a release.

[JohnnyDevNull]

@fluggo until the patch lands you need to have both versions of the flags and also for the default workflow with npm maybe you need for some cases also both flags.

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}