Error with `npm install`: CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Hey, Expo team!

Today Android builds of our app started failing because npm cannot load our npm module via an https://... link: it doesn’t trust the Let’s Encrypt certificate of our git server. Here is the error:

```
[stderr] npm ERR! fatal: unable to access 'https://{HERE-GOES-URL}': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
```

There is no problem with iOS builds, so I expect it may relate to the IdentTrust DST Root CA X3 certificate expiration on 30 September; see “Let’s Encrypt’s root certificate has expired, and it might break your devices” (TechCrunch), for example. I expect that an old OpenSSL version is being used on the machine images for Android builds. If that’s the reason, is there any chance this issue could be fixed on Expo’s side?

Hi @veengu

Is this with `expo build:android` or `eas build --platform=android`?
Sorry, I should have taken note of which category you posted this in and the fact that it’s running npm on the build server :sweat_smile:

I agree this is most likely to do with the DST Root CA X3 expiring yesterday.

@veengu do you mind mentioning what dependencies you’re using? I tried building a new blank app using yarn and later npm for the dependencies but there were no SSL issues. I’m not sure if some stuff is cached, but I did also try with the --clear-cache option.

As far as I know, the build servers are based on the following docker container:

```
Using image "ubuntu-18.04-android-30-ndk-r19c" based on "ubuntu:bionic-20201119"
```

If I run a new `ubuntu:bionic-20201119` container and run `apt update && apt -y install openssl ca-certificates`, then the ISRG Root X1 is up to date:

```
root@bffadc39877b:/# openssl x509 -noout -issuer -subject -enddate </etc/ssl/certs/ISRG_Root_X1.pem
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
notAfter=Jun  4 11:04:38 2035 GMT
```

But maybe the `ubuntu-18.04-android-30-ndk-r19c` image (which I don’t have access to) was built with an older version of the `ca-certificates` package. :thinking:

I’m getting the same output on the actual worker image (you can verify that by running an npm pre-install hook on EAS):

```
openssl x509 -noout -issuer -subject -enddate </etc/ssl/certs/ISRG_Root_X1.pem
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
notAfter=Jun  4 11:04:38 2035 GMT
```

Is the URL to the registry you redacted hosted by you? Maybe it’s a problem with the certs for the server?

1 Like
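
The `openssl x509` checks in the replies inspect one PEM file. The sketch below is an added example, not part of the original thread or Expo's tooling. It audits the whole bundle named in the npm error for expired CA certificates and for a required root. The function names, the `required` list and the `SAMPLE` entries are assumptions made for illustration.

```python
import ssl
import time

def common_name(name):
    """Return the commonName from the nested RDN tuples the ssl module uses."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def classify(certs, now, required=("ISRG Root X1",)):
    """Return (expired CA names, required roots that are absent or expired).

    `certs` has the layout of SSLContext.get_ca_certs(); `now` is epoch seconds.
    """
    expired, valid = [], set()
    for cert in certs:
        cn = common_name(cert["subject"])
        if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
            expired.append(cn)
        else:
            valid.add(cn)
    return sorted(expired), [cn for cn in required if cn not in valid]

def audit_bundle(cafile="/etc/ssl/certs/ca-certificates.crt", now=None):
    """Load every CA certificate in the bundle from the npm error and classify it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return classify(ctx.get_ca_certs(), time.time() if now is None else now)

# Constructed sample in get_ca_certs() layout (not read from a real image).
SAMPLE = [
    {"subject": ((("commonName", "ISRG Root X1"),),),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
]

if __name__ == "__main__":
    expired, missing = audit_bundle()
    print("expired CA certificates:", expired or "none")
    print("required roots missing or expired:", missing or "none")
```

A clean result only covers the trust store on the build image. The chain the git server sends and the TLS library on the client, the two other causes raised in the thread, have to be checked separately.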