localhost server not coming up while doing aem up - unable to get local issuer certificate

[VenkatKrishnaSN]

Description
While trying to bring up the aem server on localhost:3000 it gives unable to get local issuer certificate error.

To Reproduce
Steps to reproduce the behavior:

1. Go to the helix project directory
2. Run npm install -g @adobe/aem-cli with sudo access and this works
3. Run aem up
4. Then it throws an error - unable to get local issuer certificate

Expected behavior
Would have expected aem server to be up on localhost:3000 as mentioned.

Screenshots

Version:
run: $ hlx --version

Additional context
Setting up the local AEM franklin

[tripodsan]

can you try with node 18.x ?

[VenkatKrishnaSN]

Hi @tripodsan - I have tried with node 18.18.2 version and the issue remains the same.

[andreituicu]

just to mention a couple of other things that we tried with @VenkatKrishnaSN before suggesting to open an issue.

We tried disabling the verification just to see if the simulator comes up:

npm config set strict-ssl false
export NODE_TLS_REJECT_UNAUTHORIZED=0

but this didn't work either.

[VenkatKrishnaSN]

Also tried with 16 but even that gave the same error.

[andreituicu]

neither:

aem up --log-level debug
aem up --log-level silly

give any extra information.

[VenkatKrishnaSN]

[tripodsan]

• can you start with NODE_DEBUG='tls,https' aem up ?
• or would it be possible for you to debug and see where it fails?
• is there anything special about your project? that is it's github url?
• I assume you can connect to github

[VenkatKrishnaSN]

@tripodsan - Below is the output for the command.

• Not sure what further steps can be followed for further debugging.
• Nothing special on our project. Looks fairly straight forward. But not sure if something blocking from our end.
• Yes we are able to connect to Github

venkatkrishna.tammin@MREM2EF37E84 servicenow % NODE_DEBUG='tls,https' aem up
    ___    ________  ___                          __      __ v16.0.5
   /   |  / ____/  |/  /  _____(_)___ ___  __  __/ /___ _/ /_____  _____
  / /| | / __/ / /|_/ /  / ___/ / __ `__ \/ / / / / __ `/ __/ __ \/ ___/
 / ___ |/ /___/ /  / /  (__  ) / / / / / / /_/ / / /_/ / /_/ /_/ / /
/_/  |_/_____/_/  /_/  /____/_/_/ /_/ /_/\__,_/_/\__,_/\__/\____/_/

HTTPS 84281: createConnection [Object: null prototype] {
  protocol: 'https:',
  hostname: 'main--servicenow--hlxsites.hlx.page',
  hash: '',
  search: '',
  pathname: '/fstab.yaml',
  path: null,
  href: 'https://main--servicenow--hlxsites.hlx.page/fstab.yaml',
  method: 'GET',
  compress: true,
  decode: true,
  headers: {
    host: 'main--servicenow--hlxsites.hlx.page',
    'user-agent': 'adobe-fetch/4.1.1',
    accept: '*/*',
    'accept-encoding': 'gzip,deflate,br'
  },
  body: null,
  follow: 20,
  redirect: 'follow',
  signal: null,
  agent: Agent {
    _events: [Object: null prototype] {
      free: [Function (anonymous)],
      newListener: [Function: maybeEnableKeylog]
    },
    _eventsCount: 2,
    _maxListeners: undefined,
    defaultPort: 443,
    protocol: 'https:',
    options: [Object: null prototype] {
      keepAlive: true,
      rejectUnauthorized: true,
      noDelay: true,
      path: null
    },
    requests: [Object: null prototype] {},
    sockets: [Object: null prototype] {
      'main--servicenow--hlxsites.hlx.page:443::::::::true:::::::::::::': []
    },
    freeSockets: [Object: null prototype] {},
    keepAliveMsecs: 1000,
    keepAlive: true,
    maxSockets: Infinity,
    maxFreeSockets: 256,
    scheduling: 'lifo',
    maxTotalSockets: Infinity,
    totalSocketCount: 0,
    maxCachedSessions: 100,
    _sessionCache: { map: {}, list: [] },
    [Symbol(kCapture)]: false
  },
  _defaultAgent: Agent {
    _events: [Object: null prototype] {
      free: [Function (anonymous)],
      newListener: [Function: maybeEnableKeylog]
    },
    _eventsCount: 2,
    _maxListeners: undefined,
    defaultPort: 443,
    protocol: 'https:',
    options: [Object: null prototype] { noDelay: true, path: null },
    requests: [Object: null prototype] {},
    sockets: [Object: null prototype] {},
    freeSockets: [Object: null prototype] {},
    keepAliveMsecs: 1000,
    keepAlive: false,
    maxSockets: Infinity,
    maxFreeSockets: 256,
    scheduling: 'lifo',
    maxTotalSockets: Infinity,
    totalSocketCount: 0,
    maxCachedSessions: 100,
    _sessionCache: { map: {}, list: [] },
    [Symbol(kCapture)]: false
  },
  port: 443,
  host: 'main--servicenow--hlxsites.hlx.page',
  keepAlive: true,
  rejectUnauthorized: true,
  noDelay: true,
  servername: 'main--servicenow--hlxsites.hlx.page',
  _agentKey: 'main--servicenow--hlxsites.hlx.page:443::::::::true:::::::::::::',
  encoding: null,
  keepAliveInitialDelay: 1000,
  [Symbol(context)]: URLContext {
    href: 'https://main--servicenow--hlxsites.hlx.page/fstab.yaml',
    protocol_end: 6,
    username_end: 8,
    host_start: 8,
    host_end: 43,
    pathname_start: 43,
    search_start: 4294967295,
    hash_start: 4294967295,
    port: 4294967295,
    scheme_type: 2
  }
}
TLS 84281: client _init handle? true
TLS 84281: client initRead handle? true buffered? false
TLS 84281: client _start handle? true connecting? false requestOCSP? false
TLS 84281: client onhandshakedone
TLS 84281: client _finishInit handle? true alpn false servername main--servicenow--hlxsites.hlx.page
unable to get local issuer certificate

[tripodsan]

another idea is to the openssl-ca, assuming that one works

node --use-openssl-ca /path/to/aem-cli/index.js up 

you can verify the openssl ca with:

openssl s_client  main--servicenow--hlxsites.hlx.page:443

[som-adobe-demo]

Any solution found for this problem please ? I am finding the same problem with Node v22.

[tripodsan]

did you try:

openssl s_client  main--servicenow--hlxsites.hlx.page:443

[som-adobe-demo]

did you try:

openssl s_client  main--servicenow--hlxsites.hlx.page:443

Yes, its giving -
SSL handshake has read 4514 bytes and written 803 bytes
Verification error: unable to get local issuer certificate

Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)

[tripodsan]

so this is the same problem....

[som-adobe-demo]

Ok this approach has worked for me on my local Windows 11 -
I accessed this URL on my Chrome browser - https://admin.hlx.page/sidekick/owner-name/repo-name/github-branch-name/config.json
I extracted the Base64 encoded Certificate Chain (second option on Save As dialog while Exporting certificate) as *.pem from the browser.
I put it in a directory called certs under the cloned boilerplate repository folder.
Then from the cloned repo folder I executed - set NODE_EXTRA_CA_CERTS=./certs/hlx.page.pem
Then executed - aem up