Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fresh certificate has incorrect expiration date #304

Open
lukasz-gladek-av opened this issue Apr 24, 2023 · 40 comments
Open

Fresh certificate has incorrect expiration date #304

lukasz-gladek-av opened this issue Apr 24, 2023 · 40 comments

Comments

@lukasz-gladek-av
Copy link

While doing bower install I get following error:

#0 1.681 bower angular-elastic#2.4.2 CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/angular-elastic failed: certificate has expired
ERROR: failed to solve: process "/bin/bash -o pipefail -c bower install" did not complete successfully: exit code: 1

bower.io cert looks fine, but going to https://registry.bower.io/packages/angular-elastic it shows that cert is issued today, but it expires yesterday

@lukasz-gladek-av lukasz-gladek-av changed the title Fresh certificate has wrong expiring date Fresh certificate has incorrect expiration date Apr 24, 2023
@mchrapek
Copy link

It's true that the certificate is issued today, but its expiration date is July 23.

image

It seems to me that something wrong with the new certificate because we have the same problem:

bower angular#~1.5.0  CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/angular failed: certificate has expired

@PankajPatel007
Copy link

I too facing the same issue.

(node:16801) [DEP0022] DeprecationWarning: os.tmpDir() is deprecated. Use os.tmpdir() instead.
Warning: Request to https://registry.bower.io/packages/angular-resource failed: certificate has expired Use --force to continue.`

@pejorativefox
Copy link

Also seeing this in our CI/CD pipelines.

@ajayarjunan
Copy link

Same here, the SSL certificate needs to be properly created and installed for https://registry.bower.io/packages/ to get this resolved:

Screenshot from 2023-04-24 15-32-11

@ajayarjunan
Copy link

ajayarjunan commented Apr 24, 2023

As @mchrapek mentioned here:- bower/bower#2608 (comment), adding "strict-ssl": false to .bowerrc file made it worked

Edit: This is not a recommended approach, but for testing only.

@mchrapek
Copy link

but I don't recommend this solution, disabling SSL can be dangerous, I did this just to check if the problem is with SSL

@galregev
Copy link

Im experiencing this behaviour from my Jenkins CI/CD for Docker image creation.
Is there any temp solution? such as alterative registry? I don't want to disable SSL.

@khoros-chandrakala
Copy link

any idea when this can be sorted out, CI/CD is having the cert issue with installing the bower, looking for some solution without disabling SSL

@ajayarjunan
Copy link

ajayarjunan commented Apr 24, 2023

From what we have noticed, this issue seems to be happening in the servers/machines that was already performing bower commands, which has some SSL certificate caching present during the SSL handshake process. For new machines (where bower command is ran for the first time), the issue seems not present

As a temporary work around, we commented out bower command from the CI/CD process(since we do not have new packages being added at the moment) and retained a copy of the bower_components folder in the server (this is not recommended approach, but had to do this to solve a deployment blocker).

Need to find a permanant fix next day!

@lucasDechenier
Copy link

Hello Guys, any solution for this?

I Had the same on CircleCI:

bower invalid-meta for:/root/project/watson2/bower.json
bower invalid-meta The "name" is recommended to be lowercase, can contain digits, dots, dashes
bower CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/angular-media-queries failed: certificate has expired

Exited with code exit status 1
CircleCI received exit code 1

In my Steps I run:

steps:

  • checkout
  • run: npm install -g bower

@GabeGates
Copy link

Same issues here, setting strict-ssl to false has worked as a temp solution. Hope this is resolved soon.

@hoggworks
Copy link

I'm having the same issue in our Jenkins pipeline.

@SomeBdyElse
Copy link

SomeBdyElse commented Apr 24, 2023

I have the same issue in a CI pipeline. Its an oudated node and bower version

npm install -g [email protected]
bower install MutationObserver-shim
# …
# bower                 CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/MutationObserver-shim failed: certificate has expired

curl had the same issue:

curl https://registry.bower.io/packages/MutationObserver-shim
# curl: (60) SSL certificate problem: certificate has expired

I fixed the issue for curl by removing an invalid itermediary cert:

sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf
update-ca-certificates

curl https://registry.bower.io/packages/MutationObserver-shim
# {"name":"MutationObserver-shim","url":"https://github.com/megawac/MutationObserver.js.git"}

But bower still has the same issue:

bower install MutationObserver-shim
# bower                 CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/MutationObserver-shim failed: certificate has expired

Would it be possible that bower somehow uses a differnt ca-cert folder than curl?

@SomeBdyElse
Copy link

SomeBdyElse commented Apr 24, 2023

Would it be possible that bower somehow uses a differnt ca-cert folder than curl?

This seems to be true, but it is fixable:

export NODE_OPTIONS=--use-openssl-ca
bower install MutationObserver-shim

and it went just fine.

So for me the entire fix was:

sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf
update-ca-certificates
export NODE_OPTIONS=--use-openssl-ca

@tbcshifter
Copy link

Same issue here with Heroku builds today.

@pain44444
Copy link

For us fix was only:

export NODE_OPTIONS=--use-openssl-ca

,cuz we use azure k8s builder

@mvrhov
Copy link

mvrhov commented Apr 25, 2023

node 7.10.1 on Ubuntu 22.04.

None of bellow doesn't work.

Tried with:
export NODE_OPTIONS=--use-openssl-ca
then I added
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

Then I tried
NODE_OPTIONS=--use-openssl-ca bower install ...
NODE_OPTIONS=--use-openssl-ca SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt bower install ...

Added "ca": "/etc/ssl/certs/ca-certificates.crt", to bower.json.
Nothing.

@mattsputnikdigital
Copy link

node 7.10.1 on Ubuntu 22.04.

None of bellow doesn't work.

Tried with: export NODE_OPTIONS=--use-openssl-ca then I added export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

Then I tried NODE_OPTIONS=--use-openssl-ca bower install ... NODE_OPTIONS=--use-openssl-ca SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt bower install ...

Added "ca": "/etc/ssl/certs/ca-certificates.crt", to bower.json. Nothing.

I think NODE_OPTIONS needs node 8+

@sheerun
Copy link
Contributor

sheerun commented Apr 25, 2023

The certificate is fine, and it seems most of issues are related to using old version of Node, otherwise they can be solved by setting export NODE_OPTIONS=--use-openssl-ca. Bower's certificate renewal works fine.

But true solution is to stop using Bower as it is for a very long time deprecated software. If you want modern alternative with file locking (extremely important for security and long-term maintenance as there is no easy way to pin whole tree of dependencies for Bower, only top level ones), please follow this guide to migrate to Yarn. It's pretty simple as there is helper command:

https://bower.io/blog/2017/how-to-migrate-away-from-bower/

If bower-away doesn't work for you for some reason, please send pull request with fix :)

@mvrhov
Copy link

mvrhov commented Apr 25, 2023

I think NODE_OPTIONS needs node 8+

You are right. I'll se how high I can go from prehistoric 7.2.1. And if there are problems then it seems that recompiling node itself is going to be the only option.

Migrating away and/or upgrading this is not an option for at least another 12 months.

@sheerun
Copy link
Contributor

sheerun commented Apr 25, 2023

Other solutions you might try for now are:

  • Put all dependencies in separate git repository somehow and clone them instead of running bower install
  • You can also try to disable ssl (not recommended) in .bowerrc: with { "strict-ssl": false }

In the meantime I'll work on another solution that should fix this issue by embedding registry within Bower itself.

@amit-oli-khoros
Copy link

Other solutions you might try for now are:

  • Put all dependencies in separate git repository somehow and clone them instead of running bower install
  • You can also try to disable ssl (not recommended) in .bowerrc: with { "strict-ssl": false }

In the meantime I'll work on another solution that should fix this issue by embedding registry within Bower itself.

We cannot use any of the workarounds suggested here so far. May I know how long will it take for the "another solution" that you are working on to be out?

@saintmac
Copy link

So for me the entire fix was:

sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf
update-ca-certificates
export NODE_OPTIONS=--use-openssl-ca

That fixed it for me, thanks ! (Docker node)

@mvrhov
Copy link

mvrhov commented Apr 25, 2023

For now it seems that I could upgrade up to node 9.11.2. And with that NODE_OPTIONS work. Things build, QA is in progress. The rest will have to wait

@dodomood
Copy link

Same issue, running from GitHub actions on windows-latest, with node 8.12 (yeah, i know).

Halp pls

@mchrapek
Copy link

bower install works for newer versions of node.

Only bower install command I execute on the newer node (for example 12), and the rest of the commands for building the project I execute on the version I need.

It worked for us.

@amanneesharma
Copy link

Having the same issue.
Tried some step as below:

  1. Added "strict-ssl": false to bowerrc file.
  2. Ran bower install.
  3. Delete downloaded bower components.
  4. Removed "strict-ssl": false from bowerrc file.
  5. Ran bower install again.

Worked for me!!!

@amit-oli-khoros
Copy link

Other solutions you might try for now are:

  • Put all dependencies in separate git repository somehow and clone them instead of running bower install
  • You can also try to disable ssl (not recommended) in .bowerrc: with { "strict-ssl": false }

In the meantime I'll work on another solution that should fix this issue by embedding registry within Bower itself.

Hi @sheerun , Is there any update on the fix that you were working on?

@ujjwaldave
Copy link

Other solutions you might try for now are:

  • Put all dependencies in separate git repository somehow and clone them instead of running bower install
  • You can also try to disable ssl (not recommended) in .bowerrc: with { "strict-ssl": false }

In the meantime I'll work on another solution that should fix this issue by embedding registry within Bower itself.

Hi @sheerun , Is there any update on the fix that you were working on?

+1, is there any ETA on this fix.

@stormonster
Copy link

As I mentioned here, a temporary solution that solved the issue for us was to use the heroku-mirror rather than the regular registry.

Rather than turning off SSL we've set the registry parameter in the .bowerrc like this.

{
  "directory": "bower_components",
  "registry": "https://bower.herokuapp.com",
}

Not sure how permanent of a solution it is as I've seen it mentioned that certs for node versions <10 are discontinued now, but at least it worked for us and it sure beats turning off SSL.

@tfabris
Copy link

tfabris commented Apr 27, 2023

I'm trying to keep a legacy app building, one that uses old versions of node and bower. I can't at the moment upgrade either of them. These build on Windows build agent computers. Most of the solutions listed here are for linux build systems, so I can't do any of those.

We have a couple dozen ".bowerrc" files in the build, and adding some lines to those files is possible. I've seen two possible temporary solutions listed in this thread. Thanks very much to the folks who suggested them. The two choices open to me seem to be to either add this line:

"strict-ssl": false 

Or to add this line:

"registry": "https://bower.herokuapp.com"

Both seem risky. Can someone please help me understand which one is riskier? Keep in mind that I'm completely inexperienced in Bower, NPM, Ember, and the other technologies that this app is built with (I'm a C# guy normally). The first option, as I understand it, would make it possible for us to retrieve some of our modules from sites with expired SSL certificates, but at least we'd be getting those files from the same places as we did before. I've tried that one and it works as a temporary fix. The second, seems like we'd be changing the place where we get the files from, which to me sounds much riskier.

Does anyone have an opinion on this?

Thanks!

@mattsputnikdigital
Copy link

@tfabris how old is the Ember app? It shouldn't take too much work to remove Bower and get ember-auto-import working which was designed to replace it in v3 of Ember.

Other options include using Docker to build the app for deploy and setting the version of node to something like "FROM node:14-alpine as ember"

Using "strict-ssl": false is a working option, disables certs obviously but its probably the quickest option in the short term.

@tfabris
Copy link

tfabris commented Apr 27, 2023

@mattsputnikdigital thanks for that information. The ember app is years old and the people who knew how to maintain its build system are no longer with the company. Replacing the build system with a new one certainly "sounds" simple but keep in mind that I have no idea how it works, like, at all.

I'm also thinking that "strict-ssl": false seems like the better option, because I looked at the herokuapp.com cert and it expires next year anyway thus it would just kick the can down the road a bit.

@mattsputnikdigital
Copy link

@mattsputnikdigital thanks for that information. The ember app is years old and the people who knew how to maintain its build system are no longer with the company. Replacing the build system with a new one certainly "sounds" simple but keep in mind that I have no idea how it works, like, at all.

I'm also thinking that "strict-ssl": false seems like the better option, because I looked at the herokuapp.com cert and it expires next year anyway thus it would just kick the can down the road a bit.

Yes if you can accept the risk of the "strict-ssl": false then it would be fine. If you need help with Ember my company manages lots of older Ember sites and could probably get it working without Bower for you if you need assistance.

@tfabris
Copy link

tfabris commented Apr 27, 2023

@mattsputnikdigital Thanks so much for your help and advice. That's a kind offer to help us out. If we decide to go that route I'll ping you.

@azajkhan
Copy link

Still facing issues
14:14:32 bower oauth-js#0.4.8
CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/oauth-js failed: certificate has expired

@azajkhan
Copy link

14:22:14 bower angular-recaptcha#4.2.0 CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/angular-recaptcha failed: certificate has expired

@mattsputnikdigital
Copy link

14:22:14 bower angular-recaptcha#4.2.0 CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/angular-recaptcha failed: certificate has expired

You need to either update node to a version which works, I believe over 10 or set "strict-ssl": false I do not think this is going to be fixed otherwise.

@GabeGates
Copy link

Same issues here, setting strict-ssl to false has worked as a temp solution. Hope this is resolved soon.

Our company was able to get passed this by upgrading to node 18

@hma1983
Copy link

hma1983 commented May 10, 2023

Ran into the same problem, we are using node 8, can't upgrade to new version either at least for another year.

I used this silly workaround, switch to node 12 for bower install, then change back to node 8 for gulp build:

RUN npm install
RUN npm install n -g
RUN n 12.22.9
RUN bower --allow-root install
RUN n 8.15.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests